5 Comments
- dragonflymr (Cirrostratus)
Thanks a lot
- ltwagnon (Ret. Employee)
It would only take compromising one of the random numbers because you could then take the known, calculated value from the other (because it is shared in plaintext) and create the shared bulk encryption key from there. This is why it's good to use ephemeral keys because the random numbers from client and server will change with every session. So, even if you compromised the random number for one session, you would only have the data from that one session...not all sessions. Hope this helps!
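
The point made in the reply above, as an added example that is not part of the original comment thread: a toy Diffie-Hellman exchange in which one leaked random number plus the other side's plaintext public value yields that session's key, while a second session with fresh random numbers stays protected. The group parameters and all function names are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only; real TLS uses vetted groups or curves.
P = 2**127 - 1  # a Mersenne prime
G = 3

def _private():
    # Fresh random number in [2, P-2], chosen anew for every session (ephemeral).
    return secrets.randbelow(P - 3) + 2

def _bulk_key(shared):
    # Stand-in for the TLS key derivation: hash the shared secret into a key.
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()

def new_session():
    """Run one ephemeral exchange and return everything each side knows."""
    a, b = _private(), _private()          # client and server random numbers
    A, B = pow(G, a, P), pow(G, b, P)      # calculated values, sent in plaintext
    client_key = _bulk_key(pow(B, a, P))
    server_key = _bulk_key(pow(A, b, P))
    assert client_key == server_key        # both sides derive the same key
    return {"client_secret": a, "server_secret": b,
            "client_public": A, "server_public": B, "key": client_key}

def recover_key(leaked_secret, peer_public):
    """Key an observer derives from ONE leaked random number and the
    other side's public value captured off the wire."""
    return _bulk_key(pow(peer_public, leaked_secret, P))

def demo():
    s1, s2 = new_session(), new_session()
    leaked = s1["client_secret"]           # only session 1's client number leaks
    return {
        "session1_exposed": recover_key(leaked, s1["server_public"]) == s1["key"],
        "session2_exposed": recover_key(leaked, s2["server_public"]) == s2["key"],
    }

if __name__ == "__main__":
    print(demo())
```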
- dragonflymr (Cirrostratus)
BTW, what has to be compromised in the case of PFS to decrypt a session? The server random number, the client random number, or both?
Piotr
- ltwagnon (Ret. Employee)
Thanks Piotr! Yes, that could be one solution...it will be interesting to see what people recommend as we are forced to move to PFS only in the future. I'm sure some interesting solutions will be proposed!!
- dragonflymr (Cirrostratus)
Hi,
Another great video! I wonder what possible solution can be used in the case of the bank example. The only one I can see right now is using SSL Bridging somewhere, so the Internet-facing service is protected with PFS-type ciphers and the inside side with some weaker ciphers that can be decrypted using the private key.
Piotr