
I'm reading RFC 4279 (Pre-Shared Key Ciphersuites for Transport Layer Security), Section 7.1, which is about Perfect Forward Secrecy. In that section, it's said that PSK/RSA_PSK ciphersuites don't provide forward secrecy. But, if I'm not wrong, PSKs are used to form the premaster secret, which is then used with random numbers to create the master secret. Doesn't that mean that even if PSKs are compromised they should provide forward secrecy (because in every session the random numbers will force new keys to be created)?

Thanks.

1 Answer


You're correct that PSKs are used to form the pre-master secret, but Perfect Forward Secrecy (PFS) is not just about creating unique pre-master secrets.

PFS is about protecting all other sessions if one session is compromised. For example, if I break the RSA key for one session and this key is used for all subsequent sessions, I can now decrypt the pre-master secret for all sessions. It doesn't matter that the pre-master secret is unique to each session because I can see what it is anyway.

What you want for PFS is to create unique key exchange parameters for each session. This is what Ephemeral Diffie-Hellman (DHE/ECDHE cipher suites) provides. New Diffie-Hellman parameters are generated for each new handshake with a client. If one session is compromised, the other sessions are still secure because the exchange will have unique parameters.

See this answer for more details on PFS and Ephemeral Diffie-Hellman cipher suites.

RoraΖ
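The point of the answer can be made concrete with a short computation. The following is an added example, not code from the question, the answer or any TLS library. It implements the RFC 4279 premaster-secret layout and the TLS 1.2 PRF (RFC 5246, P_SHA256) with the Python standard library only, then replays a constructed capture of two handshakes. The ClientHello and ServerHello random values travel in the clear, so a passive recorder already has them; once the long-term PSK leaks, recomputing each session's master secret is a matter of feeding the same public inputs into the same function. The PSK value and the randoms are constructed sample data, not real traffic.

```python
"""Why TLS 1.2 plain-PSK key exchange (RFC 4279) gives no forward secrecy.

Added example (not from the question, the answer or any TLS implementation).
Standard library only. All key material below is constructed sample data.
"""
import hashlib
import hmac


def psk_premaster_secret(psk: bytes) -> bytes:
    """RFC 4279 section 2: uint16 N || N zero octets || uint16 N || psk, N = len(psk)."""
    n = len(psk)
    return n.to_bytes(2, "big") + bytes(n) + n.to_bytes(2, "big") + psk


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 section 5 P_SHA256: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_hash(secret, label || seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: 48-byte master secret from the premaster and both randoms."""
    return tls12_prf(premaster, b"master secret", client_random + server_random, 48)


# Constructed long-term PSK shared by client and server (hypothetical value).
PSK = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

# Constructed "packet capture" of two handshakes. Only the two randoms are
# needed: both are sent unencrypted in ClientHello and ServerHello.
RECORDED_HANDSHAKES = [
    {"client_random": bytes(range(32)), "server_random": bytes(range(32, 64))},
    {"client_random": bytes(range(64, 96)), "server_random": bytes(range(96, 128))},
]


def session_master_secret(psk: bytes, hs: dict) -> bytes:
    """What client and server each compute during the handshake."""
    return master_secret(psk_premaster_secret(psk), hs["client_random"], hs["server_random"])


def recover_from_capture(leaked_psk: bytes, hs: dict) -> bytes:
    """What a recorder who later obtains the PSK computes: same inputs, same function."""
    return session_master_secret(leaked_psk, hs)


def analyse_capture(psk: bytes, captures: list) -> dict:
    """Checks both halves of the question: are the master secrets unique per session
    (yes, the randoms guarantee that) and are they all recoverable from the capture
    once the PSK is known (also yes, which is why there is no forward secrecy)."""
    honest = [session_master_secret(psk, hs) for hs in captures]
    recovered = [recover_from_capture(psk, hs) for hs in captures]
    return {
        "unique_per_session": len(set(honest)) == len(honest),
        "all_recovered": honest == recovered,
    }


if __name__ == "__main__":
    result = analyse_capture(PSK, RECORDED_HANDSHAKES)
    print(f"master secrets unique per session: {result['unique_per_session']}")
    print(f"all recoverable from capture + leaked PSK: {result['all_recovered']}")
```

Uniqueness and secrecy are different properties: the randoms make every master secret different, but they add no entropy the recorder lacks, so the PSK alone is the whole secret. With DHE or ECDHE the premaster secret depends on ephemeral private values that each side discards after the handshake, which is exactly what this computation cannot reproduce from a recording.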