The National Security Agency
and Perfect Forward Secrecy

Previous section: Private and public keys

Because asymmetric encryption is much slower than symmetric encryption, two computers do not normally exchange large amounts of data using public and private keys. Instead, they employ them at the beginning of a conversation to agree on a symmetric key, which is then used to encrypt everything that follows. In the typical situation where an ordinary user is accessing a website with her browser, the website has a private / public key pair (the public half is in its certificate) but the browser does not. Until quite recently, the standard procedure was for the browser to generate a random symmetric key, encrypt it with the website's public key and send it to the website's server. The server would then decrypt the symmetric key with its private key. That way, the browser and the server had agreed on a symmetric key that they both knew but that anyone eavesdropping on the conversation could not read. In TLS this arrangement is known as RSA key transport, and it has one important property: the only secret protecting the session key is the server's long-lived private key.

That changed with the secrets disclosed by the former U.S. intelligence contractor Edward Snowden in 2013. These included the revelation that the National Security Agency (NSA) was storing huge amounts of encrypted internet traffic that it was not initially able to decode. Should it become desirable at some point in the future to decrypt the conversations in which a particular website had taken part, the plan was to gain access to that website's private key, for example by hacking into its server. Using the private key, the NSA would then be able to decode the symmetric keys transmitted on the various occasions the site had been accessed, and with each symmetric key it could read the rest of the conversation that had ensued. Every recorded session stays readable for as long as the private key is recoverable, even years later.

Publication of Cybertwists is planned for 2017.

Since this strategy has become common knowledge, more and more servers are protecting their traffic against such attacks using a property called Perfect Forward Secrecy. Two computers wishing to communicate each make up a random number. They do not communicate the numbers to each other, but each sends the other a value derived from its own number. An extremely nifty piece of mathematics called the Diffie-Hellman exchange enables them to combine the value they received with the number they kept in such a way that they both end up with the same symmetric key. Somewhat counterintuitively, the method ensures that, even if an eavesdropper had captured all the information sent between the two computers in both directions, she would still be unable to reconstruct this key. The website's private key is still used, but only to sign the values it sends so that the browser knows it is talking to the right server; it plays no part in making the symmetric key. With Perfect Forward Secrecy (the DHE and ECDHE cipher suites in TLS), a new common key is negotiated at the beginning of each conversation from fresh random numbers. The numbers and the key are discarded at the end of the session without being stored anywhere, so that there will be no possibility of an organisation like the NSA gaining access to them at some point in the future. An attacker who later steals the server's private key can impersonate the server from then on, but cannot decrypt the conversations already recorded. The guarantee holds only if the server really does throw the keys away: an implementation that keeps session keys around, for instance wrapped under a long-lived ticket key to allow fast reconnection, reintroduces exactly the long-lived secret the scheme was meant to remove.
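The difference between the two ways of agreeing on a symmetric key, as an added example that is not part of the book: a toy model of RSA key transport next to ephemeral Diffie-Hellman, with the eavesdropper's recorded transcript kept separately so that you can see what a private key stolen later does and does not unlock. The RSA modulus (two constructed six-digit primes), the Diffie-Hellman group (a Mersenne prime with base 5) and the hash-then-exponentiate signature are all deliberately tiny stand-ins for the real thing and provide no security; the structure of the exchange is what the code shows.

```python
"""Toy model of the two TLS key-exchange styles discussed in the text.

Constructed for illustration only: the RSA modulus is about 40 bits and the
Diffie-Hellman group is a Mersenne prime with an arbitrary base, so nothing
here is cryptographically strong. The point is structural: which values end
up in a recorded transcript, and what a later-stolen private key unlocks.
"""
import hashlib
import secrets

# Toy long-term RSA key for the web server (constructed small primes; real keys are 2048+ bits).
P_RSA, Q_RSA = 1000003, 1000033
N_RSA = P_RSA * Q_RSA
E_RSA = 65537
D_RSA = pow(E_RSA, -1, (P_RSA - 1) * (Q_RSA - 1))
SERVER_PUB = (N_RSA, E_RSA)
SERVER_PRIV = (N_RSA, D_RSA)

# Toy Diffie-Hellman group (assumption: real deployments use standardised groups such as
# RFC 7919 ffdhe2048 or elliptic curves, never an ad-hoc prime like this one).
P_DH = 2**127 - 1
G_DH = 5


def rsa_key_transport(server_pub):
    """Pre-PFS style: the browser picks the session key and encrypts it to the server's
    public key. Returns the shared session key and what an eavesdropper records."""
    n, e = server_pub
    session_key = secrets.randbelow(n - 2) + 2   # textbook RSA needs the message below n
    transcript = {"encrypted_session_key": pow(session_key, e, n)}
    return session_key, transcript


def _digest_mod_n(value: int, n: int) -> int:
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % n


def toy_sign(priv, value: int) -> int:
    """Server signs a value with its long-term key (hash, then RSA private exponent)."""
    n, d = priv
    return pow(_digest_mod_n(value, n), d, n)


def toy_verify(pub, value: int, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_mod_n(value, n)


def ephemeral_dh(server_priv, server_pub):
    """PFS style: both sides make fresh random exponents and exchange only g^a and g^b.
    The long-term RSA key merely signs g^b so the browser knows who it is talking to;
    it never touches the session key. Returns the shared key and the transcript."""
    a = secrets.randbelow(P_DH - 2) + 2   # browser's ephemeral secret, never sent
    b = secrets.randbelow(P_DH - 2) + 2   # server's ephemeral secret, never sent
    A = pow(G_DH, a, P_DH)
    B = pow(G_DH, b, P_DH)
    sig = toy_sign(server_priv, B)
    if not toy_verify(server_pub, B, sig):
        raise ValueError("server authentication failed")
    browser_key = pow(B, a, P_DH)   # (g^b)^a
    server_key = pow(A, b, P_DH)    # (g^a)^b
    assert browser_key == server_key
    transcript = {"A": A, "B": B, "sig": sig}
    # a and b die with this stack frame: nothing durable holds them.
    return browser_key, transcript


def later_decrypt_rsa_transport(transcript, stolen_priv):
    """Years later, with the stolen private key, the recorded session key pops right out."""
    n, d = stolen_priv
    return pow(transcript["encrypted_session_key"], d, n)


def later_attack_dh(transcript, stolen_priv, server_pub):
    """The same stolen key against a recorded DHE session. It can forge a signature on
    any value (so the attacker can impersonate the server from now on), but the session
    key is g^(ab), and the transcript contains neither a nor b. Reports what the key buys."""
    forged = toy_sign(stolen_priv, 12345)
    return {
        "can_impersonate_in_future": toy_verify(server_pub, 12345, forged),
        "session_key_in_transcript": False,
        "recovered_session_key": None,
    }


if __name__ == "__main__":
    key_rsa, t_rsa = rsa_key_transport(SERVER_PUB)
    key_dh, t_dh = ephemeral_dh(SERVER_PRIV, SERVER_PUB)
    print("RSA transport key recovered later:",
          later_decrypt_rsa_transport(t_rsa, SERVER_PRIV) == key_rsa)
    print("DHE session key appears in transcript:", key_dh in t_dh.values())
    print("DHE attack outcome:", later_attack_dh(t_dh, SERVER_PRIV, SERVER_PUB))
```

Run it and the first line prints True: one stolen key unlocks every RSA-transport session ever recorded. The Diffie-Hellman transcript contains only g^a, g^b and a signature, and the only thing the stolen key enables is forging future signatures, which is why a key compromise under Perfect Forward Secrecy is a go-forward problem rather than a retroactive one.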


Next section: Encryption standards and Bullrun