Scott Register
VP, Product Management

TLS1.3, Ephemeral keys, and Evil Eve

October 30, 2017 by Scott Register

Now you see it, now you don’t.

If you’re reading this blog post, you’re probably a big fan of the Internet in general and presumably an avid user of some of the services it provides – social media, e-commerce, email, partner connections, and even perusing blogs. All of the services we’ve come to know and rely on depend on secure connections, free from unauthorized inspection or alteration, delivered by SSL (or, more properly, TLS) encryption. But there’s a problem which threatens this online security we all depend upon for work and play.

Eve, shown here, has swiped Alice's key, pwning her.

That problem is Eve.

First, a quick primer on public key cryptography.  A key is really a pair of numbers, an exponent and a modulus.  When two entities (Alice and Bob) communicate, they each have a pair of keys.  One is public, widely available to anyone, and the other is kept secret.  These number pairs are different, which makes this encryption scheme asymmetric.  Messages encrypted with Alice’s public key can only be read by Alice, using her private key.

We won’t go through all of the math of a Diffie-Hellman key exchange here, but suffice it to say that the math involved is somewhat daunting and computationally expensive (see webinar here if you’d like to explore it more fully). Because of this computational cost, the initial key exchange is just used to secure the establishment of a symmetric session key. That session key is then used by Alice and Bob to both encrypt and decrypt the rest of the messages they want to exchange (such as an email message or loading a web page).

However, if a third party – Eve – has a copy of Alice’s private key, she can read the session key when Bob sends it to Alice at the beginning of the session, and once Eve has the session key she can read all of the subsequent communications between Bob and Alice.  In fact, she can read every connection that any other entity has with Alice, forever.

There’s both a convenience and a weakness with this scheme.  On the positive side, if you want to independently monitor connections to a web server, you can set up Eve as a monitoring device.  Eve can passively watch encrypted connections from Internet users to that server to look for malicious attacks hidden within those connections.  In fact, Eve can even stream encrypted sessions to disk and decrypt individual connections as needed later for forensics or troubleshooting purposes.  Many banks have actually deployed such passive monitoring for security, as it imposes no performance penalty on the encrypted connections and ensures IT administrators can reconstruct what happened to the web server even if that server is compromised and its logs can no longer be trusted.

However, Eve may not be your friend.  If Eve has a copy of the Bank of Alice’s private key, she can sit on a public WiFi network and sniff anyone’s banking connection, which is obviously a problem.

To address weaknesses which have been found in various encryption schemes, we occasionally introduce updates to the standards and even deprecate (invalidate) older schemes. One such update is the upcoming TLS1.3 specification, which in its current draft form mandates ephemeral keys by requiring the Diffie-Hellman Ephemeral form of key exchange. Diffie-Hellman Ephemeral (DHE) generates a new temporary key for every session, so even if Eve has a copy of Alice’s private key, or even the session key for a given session, she cannot decrypt any future sessions. This property is known as forward secrecy or perfect forward secrecy.
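To make the difference concrete, here is an added toy simulation (not from the original post or from Ixia) contrasting RSA key transport, where Eve's stolen copy of Alice's long-term private key recovers every recorded session key, with ephemeral Diffie-Hellman, where that key never enters the key derivation at all. The RSA and DH parameters are constructed toy values, far too small for real use.

```python
"""Stolen long-term key vs. RSA key transport and ephemeral DH (toy sizes)."""
import secrets

# Alice's long-term RSA key, "a pair of numbers": modulus n and an exponent
# (e is public, d is private). Constructed textbook primes p=61, q=53. NOT secure.
N, E, D = 3233, 17, 2753

# Toy Diffie-Hellman group (constructed; real groups are 2048-bit+ or elliptic curves).
P, G = 2147483647, 7


def rsa_transport(session_key):
    """Pre-TLS1.3 RSA key exchange: Bob chooses the session key and encrypts it
    to Alice's public key; only the ciphertext crosses the wire."""
    return pow(session_key, E, N)


def eve_rsa(wire, stolen_d):
    """Eve holding Alice's private exponent recovers the session key of any
    recorded session, past or future, without further interaction."""
    return pow(wire, stolen_d, N)


def dhe_session(a, b):
    """Ephemeral DH: Alice draws a and Bob draws b fresh for this session only.
    Only g^a and g^b cross the wire; Alice's long-term key merely signs g^a."""
    A, B = pow(G, a, P), pow(G, b, P)
    k_alice, k_bob = pow(B, a, P), pow(A, b, P)
    assert k_alice == k_bob          # both sides derive the same session key
    return k_alice, (A, B)


def eve_dhe(wire, stolen_d):
    """Nothing on the wire is encrypted under Alice's key, so the stolen d
    decrypts nothing; Eve would need the discarded exponent a or b, which at
    real sizes is a discrete-logarithm problem."""
    return None


def forward_secrecy_demo(rounds=3):
    """Record `rounds` sessions under each scheme; count how many Eve recovers."""
    recovered = {"rsa_transport": 0, "dhe": 0}
    for _ in range(rounds):
        sk = secrets.randbelow(N)
        recovered["rsa_transport"] += eve_rsa(rsa_transport(sk), D) == sk
        sk, wire = dhe_session(secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1)
        recovered["dhe"] += eve_dhe(wire, D) == sk
    return recovered


if __name__ == "__main__":
    print(forward_secrecy_demo())  # {'rsa_transport': 3, 'dhe': 0}
```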

An Ephemeral Key Can Provide Better Security

We expect adoption of TLS1.3 to be fairly rapid, as many of the companies with a vested interest in improving Internet security own both ends of many connections (Apple, Google, and Microsoft, for example).

Coping with the new encryption standards will require significant changes in many Internet security installations which rely today on passive decryption. Ixia can help make these upgrades simpler by offloading the burden of encryption from individual security devices which may suffer much lower performance when asked to decrypt/re-encrypt traffic. By combining “decrypt once, inspect many” capabilities with Ixia’s industry-leading support for security deployments (which includes load balancing, automatic device failure detection, and data masking for compliance), Ixia’s Vision ONE with new Active SSL capability can help you leverage improving encryption standards without sacrificing visibility, security, or performance.