Lightboard Lessons: Perfect Forward Secrecy
Perfect Forward Secrecy allows your encrypted communications to stay secure even if a bad guy were to steal the private key of the websever you were communicating with. But, how is that possible? And, how can a web server be configured to achieve this level of security? In this video, we talk about the concept of Perfect Forward Secrecy, describe how it all works, and then show how you can configure your BIG-IP to make sure you take advantage of this really cool security functionality. Enjoy!
Related Resources:
- ltwagnonRet. Employee
Hi swjo...great question! The specs that F5 provides for SSL TPS is for hardware. As an example, the 12250v has specialized hardware for RSA, but not for ECC. You can still use ECC ciphers in version 11.4+ regardless of hardware platform, but the processing of the ECC ciphers is done in software except on our newer platforms that have ECC-specific hardware. Our new i-Series platforms all have specific hardware for ECC (and they still have hardware for RSA as well). The reason that the other platforms don't list the ECC-specific SSL TPS numbers is that ECC is done in software for those specific platforms and the numbers will vary greatly depending on CPU utilization, etc.
As a point of comparison, the i10800 platform is comparable to the 12250v but it has ECC specific hardware, and it is rated at 48K TPS (using ECDSA P-256). More specifically, it used the ECDHE-ECDSA-AES128-SHA256 cipher string for testing.
I hope this helps.
- swjo_264656Cirrostratus
Hi. thanks for you kind lesson. Recently, my customers want to use PFS. However, to use PFS, we need to use DHE or ECDHE. and the Cipher usually has a lower performance than RSA. In fact, the problem I'm having is: For i-Series, see the datasheet. ECC performance is specified, but existing BIGIP series does not have such data. I have to explain how there is some performance degradation when using Cipher for PFS, but I have difficulty because there is no rough guide. I would really appreciate it if you could help. happy new year
- dragonflymrCirrostratus
Hi John,
Great explanation, I really appreciate time and effort!
Piotr
- ltwagnonRet. Employee
@Piotr, sorry for the delay in answering your questions...but here's my take:
ECDHE and DHE are both "Diffie Hellman" key exchanges. The "E" part, by the way, simply refers to the keys being Ephemeral...or, short lived. That is, a new key is generated for every session rather than using the same one for a long period of time. The primary difference between DH and ECDH is that DH uses a multiplicative group of integers while ECDH uses a multiplicative group of points on an elliptic curve. But, both of these use the Diffie Hellman algorithm to exchange keys. As it turns out, using points on an elliptic curve allows the algorithm to run much faster than using groups of large integers. So, that's why ECDH is much faster than just normal DH. Ultimately, the Diffie Hellman key exchange algorithm leads you to a master key (shared, symmetric key) that is used for bulk encryption. It doesn't matter if you use ECDH or normal DH...either one leads to the shared, symmetric key. Most people prefer ECDH because it's so much faster than normal DH.
The RSA part of all of this is the authentication that you mentioned in your comment. Something has to be used to verify that the server is actually the correct server, and the RSA algorithm is used to do that. One of the confusing parts about all of this is that RSA can also be used for key exchange as well (although, most people don't use RSA for key exchange any more). But, regardless, RSA is used for server authentication.
Last, the naming convention for the cipher suites is best tracked by using the hexadecimal value associated with each suite. I captured a Client Hello and Server Hello for a test web application I have. I'm using BIG-IP v12.0 for this, and I have the DEFAULT cipher suite enabled for my client SSL profile. Here's the Wireshark capture for the Client Hello:
Notice that the browser sends 15 different cipher suites to the server for consideration. Each cipher suite has a hexadecimal value listed to the right of the cipher suite. Keep an eye on cipher suite hex value 0x0039. This will be the one that is ultimately selected by the BIG-IP for this session. Here's the Server Hello Wireshark capture that happened right after the Client Hello:
Notice that the BIG-IP (Server) chose the cipher suite with hexadecimal value 0x0039. The Wireshark capture does a good job of letting you know what's in the cipher suite (TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)), but that doesn't always correspond exactly to the naming convention of the BIG-IP list of cipher suites. Here's a list of the DEFAULT cipher suites on my BIG-IP:
Notice that the naming convention is a little different here. So, in order to correspond the Wireshark list of cipher suites to the BIG-IP list, you should use the hexadecimal value. Unfortunately, the BIG-IP doesn't list the hexadecimal value of the cipher suites by default, but you can cross-reference them using this link: https://support.f5.com/csp/article/K13156. Here's a screenshot of the BIG-IP version 12 cipher suites (notice that the hexadecimal values are listed for each one). And, I circled the 0x0039 so you could track the same cipher suite that was used throughout this session.
I hope this helps! Let me know if you have any other questions!
- dragonflymrCirrostratus
I did promise to not ask more questions, but will appreciate if you can answer some more, sorry...
I found this kind of info about ECDHE-RSA
ECDHE suites use elliptic curve diffie-hellman key exchange, where DHE suites use normal diffie-hellman. This exchange is signed with RSA, in the same way in both cases.
The main advantage of ECDHE is that it is significantly faster than DHE.
And I am not sure what exactly does that mean. In case of DH key exchange is based on prime number, modulo and random number. So EC part above means that instead of this method, Elliptic Curve is used in the process that leads to generate pre-master and master key?
Considering RSA part - is that mean that value send by server is signed by server using its X509 private key so client using server certificate can verify if it was not altered on the way (MiM case)?
Last one is about what is the easiest way to match naming convention used by BIG-IP (tmm --clientciphers DEFAULT) to one used by Wireshark.
Let's say in Wireshark I can see TLS_RSA_WITH_AES_256_CBC_SHA (0x0035), on BIG-IP I have a list of ciphers. My guess is that matching entry is:
35: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
but Am I right?
Convention looks a bit different so hat would be a way to be sure that one matches other?
Piotr
- dragonflymrCirrostratus
Thanks!
- ltwagnonRet. Employee
Great question Piotr! The short answer of the need to create a pre-master secret is that it provides greater consistency between TLS cipher suites. Here's a thread with a little more info:
- dragonflymrCirrostratus
Sorry, one last question, I know that I am pain in the... :-)
Why both client and server generate pre-master secret. From description it's never exchanged like in RSA - here it's necessary to allow server generate master key. But for DH seems to be pointless, so why not just generate master key skipping pre-master?
Piotr
- ltwagnonRet. Employee
will do...thanks Piotr!
- dragonflymrCirrostratus
No problem at all, those videos are just great, keep up like that!!!
Piotr