Why don't we say then that the pre-master secret used in RSA key exchange mode during a TLS handshake, and the session key derived from it, are ephemeral? Of course it does not provide Forward Secrecy, as it is using the same public key from the server's certificate over and over again, but still the session key is generated on each session. What am I missing?
1 Answer
The question is not very clear, but let me try to provide an answer from what I get.
The RSA exchange method is used to establish the pre-master key. The client generates a random value, uses the server's public key (from the server certificate sent with the Server Hello message) to encrypt the pre-master secret key, and sends it to the server. Then the server can use its private key to sign a sample message and send it to the client, so that the client can verify it to establish the identity of the server.
Since the client sent a random value encrypted with the server's public key that can only be decrypted by the server, they now have a common random value that can serve as a pre-master secret. Both client and server can now derive their session key from it.
Since the client generates it at every new handshake (not TLS session resumption), it's ephemeral.
You are right that the public key of the server never changes, and if the private key of the server gets compromised then anyone with recordings of the messages over the wire can get the pre-master key and decrypt it, and that for all sessions, hence NOT providing Perfect Forward Secrecy.
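To see both halves of this answer in running code (a fresh pre-master secret on every session under one long-lived server key, and why a later leak of that key exposes every recorded session), here is an added Go example; it is not part of the original post. The names tlsPRF, masterFromWire and rsaHandshake are chosen here, and the TLS 1.2 PRF is written out because crypto/tls does not export it.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// tlsPRF is the TLS 1.2 PRF with P_SHA256 (RFC 5246 section 5); crypto/tls does not export it.
func tlsPRF(secret []byte, label string, seed []byte, n int) []byte {
	labelSeed := append([]byte(label), seed...)
	out, a := []byte{}, labelSeed
	for len(out) < n {
		h := hmac.New(sha256.New, secret)
		h.Write(a)
		a = h.Sum(nil) // A(i) = HMAC(secret, A(i-1))
		h.Reset()
		h.Write(a)
		h.Write(labelSeed)
		out = append(out, h.Sum(nil)...) // HMAC(secret, A(i) + label + seed)
	}
	return out[:n]
}

// masterFromWire is the server's step: decrypt the pre-master secret with the long-lived RSA key and
// expand it. Whoever recorded the handshake can do the same once that key leaks: no forward secrecy.
func masterFromWire(key *rsa.PrivateKey, wire, seed []byte) ([]byte, error) {
	pms, err := rsa.DecryptPKCS1v15(nil, key, wire)
	if err != nil {
		return nil, err
	}
	return tlsPRF(pms, "master secret", seed, 48), nil
}

// rsaHandshake: the client builds a fresh 48-byte pre-master secret (2 version bytes + 46 random
// bytes, so not all random), encrypts it to the server's public key, and each side derives the master.
func rsaHandshake(serverKey *rsa.PrivateKey, clientRandom, serverRandom []byte) (wire, clientMaster, serverMaster []byte, err error) {
	pms := make([]byte, 48)
	pms[0], pms[1] = 0x03, 0x03 // client_version for TLS 1.2
	rand.Read(pms[2:])          // crypto/rand.Read is documented never to fail in current Go
	if wire, err = rsa.EncryptPKCS1v15(rand.Reader, &serverKey.PublicKey, pms); err != nil {
		return
	}
	seed := append(append([]byte{}, clientRandom...), serverRandom...) // client_random + server_random
	clientMaster = tlsPRF(pms, "master secret", seed, 48)
	serverMaster, err = masterFromWire(serverKey, wire, seed)
	return
}
```

Running two handshakes against the same key gives two different master secrets, yet the recorded ClientKeyExchange of either one, fed to masterFromWire with the private key, yields that session's master secret again.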
- Thank you. So I guess it is safe to say that RSA in TLS is `ephemeral` because it generates a random number for each session, thus computing a unique symmetric session key from it for each connection, but it **does not** provide `Perfect Forward Secrecy` because once the server's private key is compromised all the previously captured and encrypted traffic can be decrypted, basically nullifying the value of using ephemeral session keys? Or am I still mixing things up? – blabla_trace May 31 '19 at 13:21
- Or does `ephemeral` in the context of `RSA` mean that it would require a NEW RSA key pair (pub-priv) for EACH SINGLE connection establishment (TCP 3-way handshake, TLS handshake)? – blabla_trace May 31 '19 at 13:35
- Yes, you are correct in that case. If the server private key is compromised then the perfect forward secrecy is no longer valid. I will update the answer to reflect this. Thank you @blabla_trace – prateeknischal May 31 '19 at 13:36
- For plain-RSA kx through TLSv1.2, the server _could_ sign a message but it doesn't; instead it is authenticated by Finished. See RFCs 2246, 4346, 5246 and https://security.stackexchange.com/questions/61535/what-stops-an-attacker-from-tampering-with- and https://security.stackexchange.com/questions/71979/how-well-is-the-ssl-tls-handshake-protected- vs https://security.stackexchange.com/questions/89834/does-tls-fallback-scsv-provide-blanket-protection- https://security.stackexchange.com/questions/90828/freak-attack-why-doesnt-finished-message-prevent-it Also the RSA premaster is not _all_ random. – dave_thompson_085 Jun 01 '19 at 02:15
- This isn't what ephemeral means... – forest Jun 01 '19 at 07:27
- Yes, for plain RSA-kx, it would not use the client cert. I was talking about the RSA-RSA- cipher suite, which I didn't mention; that is my mistake, sorry for that. I was reading the TLS handshake steps, and it does say that the PMS is created by the client, which could be using the DH exchanges or RSA, in this case where the client would send a client random encrypted with the server public key. Then the client and server would derive a session key which they will use as the symmetric key. – prateeknischal Jun 01 '19 at 18:51
- From my understanding, ephemeral means generating a new value per use. In this case I am assuming that the client secret is generated fresh per TLS handshake. – prateeknischal Jun 01 '19 at 18:57