Technical Articles
F5 SMEs share good practice.
cancel
Showing results for 
Search instead for 
Did you mean: 
ltwagnon
Legacy Employee
Legacy Employee

Perfect Forward Secrecy (PFS) is a great security feature that protects client and server data from being decrypted in the future.  Many web servers today prefer PFS ciphers, but there are a few things to keep in mind when turning on PFS ciphers on web servers.  In this video, we discuss a few of the things to keep in mind as you move toward PFS ciphers.  Enjoy!  





Related Resources:

Comments
dragonflymr
Cirrostratus
Cirrostratus

Hi,

 

Another great video! I wonder what possible solution can be used in case of bank example. Only one I can see right now is using somewhere SSL Bridging, so Internet facing service is protected with PFS type of ciphers and inside side with some weaker ciphers that can be decrypted using private key.

 

Piotr

 

ltwagnon
Legacy Employee
Legacy Employee

Thanks Piotr! Yes, that could be one solution...it will be interesting to see what people recommend as we are forced to move to PFS only in the future. I'm sure some interesting solutions will be proposed!!

 

dragonflymr
Cirrostratus
Cirrostratus

BTW, what has to be compromised in case of PFS to decrypt session? server random number, client random number or both?

 

Piotr

 

ltwagnon
Legacy Employee
Legacy Employee

It would only take compromising one of the random numbers because you could then take the known, calculated value from the other (because it is shared in plaintext) and create the shared bulk encryption key from there. This is why it's good to use ephemeral keys because the random numbers from client and server will change with every session. So, even if you compromised the random number for one session, you would only have the data from that one session...not all sessions. Hope this helps!

 

dragonflymr
Cirrostratus
Cirrostratus

Thanks a lot

 

Version history
Last update:
‎17-May-2017 12:39
Updated by:
Contributors