Forward Secrecy for HTTPS and Ephemeral Diffie-Hellman


In November 2011, Adam Langley, who works for Google, described on his blog how Google sites provide forward secrecy over HTTPS. The core idea is to use ephemeral Diffie-Hellman as the key exchange method in SSL/TLS.

With ephemeral Diffie-Hellman, the server generates a dedicated Diffie-Hellman public key for each session, signs it, and sends it to the client. The client generates its own Diffie-Hellman public key and sends it to the server. The server and the client then each compute the same shared key on their own, according to the Diffie-Hellman key exchange protocol. If an attacker determined at least one of the two Diffie-Hellman private keys of a session, the attacker would only be able to decrypt the data of that session and would fail to decrypt other sessions, since each session relies on different Diffie-Hellman public and private keys.

Adam Langley and his team contributed patches for OpenSSL which implement Ephemeral Diffie-Hellman and P-256 elliptic curves. Check out Adam's post on elliptic curve cryptography if you're interested in the topic. His post also explains the ideas behind the performance optimizations of their P-256 implementation. Vincent Bernat has also written a nice blog entry on forward secrecy with respect to SSL/TLS.
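
The per-session property described above, as an added example that is not code from Adam Langley's post or from the OpenSSL patches: two sessions each use fresh Diffie-Hellman keys, and a private key leaked from the first session opens only the first. The modulus `P`, the generator `G`, the toy keystream and all function names are assumptions of this example, and the server's signature over its public key is left out because it provides authentication rather than forward secrecy.

```python
import hashlib
import secrets

# Demonstration parameters (assumptions of this example, not from the post):
# P is the Mersenne prime 2**521 - 1, chosen to keep the code short. Real TLS
# uses standardized groups or elliptic curves such as P-256.
P = 2**521 - 1
G = 3

def ephemeral_keypair():
    """Fresh per-session private exponent x and public value G^x mod P."""
    priv = secrets.randbelow(P - 3) + 2          # x in [2, P-2]
    return priv, pow(G, priv, P)

def session_key(own_priv, peer_pub):
    """Each side computes G^(xy) mod P and hashes it into a 32-byte key."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(66, "big")).digest()

def xor_stream(key, data):
    """Toy SHA-256 counter keystream; stands in for the TLS record cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def run_session(plaintext):
    """One handshake. Returns what a passive recorder sees, plus the
    server's ephemeral private key (normally discarded after the session)."""
    s_priv, s_pub = ephemeral_keypair()
    c_priv, c_pub = ephemeral_keypair()
    assert session_key(s_priv, c_pub) == session_key(c_priv, s_pub)
    wire = {"server_pub": s_pub, "client_pub": c_pub,
            "ciphertext": xor_stream(session_key(c_priv, s_pub), plaintext)}
    return wire, s_priv

def attacker_decrypt(wire, leaked_server_priv):
    """A recorder who later learns one server ephemeral private key."""
    key = session_key(leaked_server_priv, wire["client_pub"])
    return xor_stream(key, wire["ciphertext"])

def demo():
    # Constructed sample traffic for two independent sessions.
    wire1, leaked = run_session(b"session 1: constructed sample data")
    wire2, _ = run_session(b"session 2: constructed sample data")
    return attacker_decrypt(wire1, leaked), attacker_decrypt(wire2, leaked)

if __name__ == "__main__":
    print(demo())
```

The first value returned by `demo()` is the readable plaintext of session 1; the second is unreadable bytes, because session 2 was keyed from a different pair of ephemeral private keys.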