Lightboard Lessons: Perfect Forward Secrecy

Perfect Forward Secrecy allows your encrypted communications to stay secure even if a bad guy were to steal the private key of the websever you were communicating with.  But, how is that possible?  A...
Published Apr 25, 2017
Version 1.0
lbl
LTM
pfs
security
dragonflymr's avatar
dragonflymr
Icon for Cirrostratus rankCirrostratus
May 18, 2017

I did promise to not ask more questions, but will appreciate if you can answer some more, sorry...

 

I found this kind of info about ECDHE-RSA

 

ECDHE suites use elliptic curve diffie-hellman key exchange, where DHE suites use normal diffie-hellman. This exchange is signed with RSA, in the same way in both cases.

 

The main advantage of ECDHE is that it is significantly faster than DHE.

 

And I am not sure what exactly does that mean. In case of DH key exchange is based on prime number, modulo and random number. So EC part above means that instead of this method, Elliptic Curve is used in the process that leads to generate pre-master and master key?

 

Considering RSA part - is that mean that value send by server is signed by server using its X509 private key so client using server certificate can verify if it was not altered on the way (MiM case)?

 

Last one is about what is the easiest way to match naming convention used by BIG-IP (tmm --clientciphers DEFAULT) to one used by Wireshark.

 

Let's say in Wireshark I can see TLS_RSA_WITH_AES_256_CBC_SHA (0x0035), on BIG-IP I have a list of ciphers. My guess is that matching entry is:

 

35: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA

 

but Am I right?

 

Convention looks a bit different so hat would be a way to be sure that one matches other?

 

Piotr