[Ach] New study on Forward Secrecy

Aaron Zauner azet at azet.org
Tue Dec 30 18:25:44 CET 2014


Just wanted to drop this paper on ACH:

Forward secrecy guarantees that eavesdroppers simply
cannot reveal secret data of past communications. While
many TLS servers have deployed the ephemeral Diffie-Hellman
(DHE) key exchange to support forward secrecy, most sites use
weak DH parameters resulting in a false sense of security. In
our study, we surveyed a total of 473,802 TLS servers and
found that 82.9% of the DHE-enabled servers were using weak
DH parameters. Furthermore, given current parameter and
algorithm choices, we show that the traditional performance
argument against forward secrecy is no longer true. We compared
the server throughput of various TLS setups, and measured
real-world client-side latencies using an ad network. Our results
indicate that forward secrecy is no harder, and can even be faster
using elliptic curve cryptography (ECC), than no forward secrecy.
We suggest that sites should migrate to ECC-based forward
secrecy for both security and performance reasons.

We should - maybe - think about removing DHE (or, at the very least, not
prefer it over ECDHE handshakes anymore) from our current
recommendations. Now for DHE there's a draft by DKG in the IETF
standardization process, but nothing exists right /now/. Also: there are
still issues with DH params with a lot of server daemon implementations
for various protocols.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20141230/ca09ad26/attachment.sig>

More information about the Ach mailing list