
Enable Perfect Forward Secrecy

The server configuration does not provide Perfect Forward Secrecy (PFS). If the TLS encryption is broken once (for example, because the server's private key is compromised), recordings of previous connections are no longer secure and can be decrypted.

Security assessment

CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Vulnerability information

To understand PFS, it is necessary first to understand the basics of data transfer between clients and servers and asymmetric encryption methods, such as those used in the Secure Shell (SSH), Secure Sockets Layer (SSL), and Transport Layer Security (TLS) protocols.

Asymmetric encryption

Asymmetric encryption secures online communications against third parties by using a pair of keys, one public and one private. Each party keeps its private key secret, whereas the public key is available to the outside world.

For a client to send a message to a server, it encrypts the message with the server's public key. When the encrypted message arrives, the server decrypts it with its private key and reads it. The public key can only be used to encrypt the message, not to decrypt it.

Vulnerability information

Perfect forward secrecy has several possible weaknesses. PFS is intended to prevent attackers from obtaining the session keys that would allow them to decipher communications. What forward secrecy cannot prevent is an attack that influences how the session key, i.e., the encryption key, is generated.

If an attacker can tamper with the session key generator so that the random values produced for the key exchange become predictable, they will be able to decipher all future communications. This was the problem with the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), which contained a backdoor that allowed the generator to be manipulated in exactly this way.

Perfect forward secrecy also does not protect against a man-in-the-middle (MITM) attack in which an attacker records and modifies communications between a server and a client. While PFS protects such communication against decryption, it cannot prevent it from being collected by an attacker positioned in the middle. In principle, obtaining and keeping such recordings leaves the door open for them to be deciphered in the future, once quantum computing becomes more widely available.

Though not a vulnerability in itself, one reason for the slow adoption of PFS on a wider scale is the additional computing resources the server needs to generate a unique session key for every connection. PFS also lacks support in legacy clients, which further limits its deployment.

Finally, implementing PFS reduces internal visibility into network data. Because the traffic is encrypted with keys the server does not retain, operations teams cannot decrypt captured traffic to locate and fix problems. There are workarounds for this, such as installing an SSL/TLS inspection device that acts as an intermediary.

Prevent attacks

To enable PFS, configure your web server to use only recent cipher suites that provide PFS. For more information, see Secure TLS configuration.

Here is how to configure PFS manually in Nginx and Apache.

Nginx

  1. Locate the SSL protocol configuration on your server, assuming the base directory is /etc/nginx:

    grep -r ssl_protocol /etc/nginx
  2. Add the following lines to the configuration:

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
  3. Set the SSL ciphers and choose your preferred cipher configuration, either with or without RC4, or with RC4 as a last resort. Recommended configuration:

    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  4. Restart Nginx:

    sudo service nginx restart

Apache

  1. Locate the SSL protocol configuration on your server, assuming the base directory is /etc/apache:

    grep -i -r "SSLEngine" /etc/apache
  2. Add the following lines to the configuration:

    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
  3. Set the SSL ciphers with the Apache SSLCipherSuite directive and choose your preferred cipher configuration, either with or without RC4, or with RC4 as a last resort. Recommended configuration:

    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  4. Restart Apache:

    apachectl -k restart
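The cipher string in step 3 of both procedures is only useful if every suite it expands to uses an ephemeral (ECDHE or DHE) key exchange. The following Python script is an added example, not part of the original page or of either web server: it hands a cipher string to the OpenSSL library that Python is linked against, expands it into concrete suites, and reports any suite whose key exchange is static (Kx=RSA, Kx=PSK, ...) and therefore offers no forward secrecy. The two input strings are constructed for the demonstration; the exact suites returned depend on the local OpenSSL build.

```python
"""Check whether an OpenSSL cipher string (ssl_ciphers / SSLCipherSuite)
enables only forward-secret cipher suites."""
import re
import ssl

# Key-exchange labels OpenSSL prints in a cipher description ("Kx=...").
# TLS 1.3 suites report Kx=any; TLS 1.3 always performs an ephemeral
# (EC)DHE exchange, so they count as forward-secret.
PFS_KEY_EXCHANGES = {"ECDH", "DH", "ECDHEPSK", "DHEPSK", "any"}


def expand_cipher_string(cipher_string):
    """Return (name, protocol, kx) for every suite OpenSSL selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    suites = []
    for cipher in ctx.get_ciphers():
        # description looks like: "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA ..."
        match = re.search(r"Kx=(\S+)", cipher["description"])
        kx = match.group(1) if match else "unknown"
        suites.append((cipher["name"], cipher["protocol"], kx))
    return suites


def non_pfs_suites(cipher_string):
    """Names of the enabled suites whose key exchange is not ephemeral."""
    return [name for name, _proto, kx in expand_cipher_string(cipher_string)
            if kx not in PFS_KEY_EXCHANGES]


def provides_pfs(cipher_string):
    """True only if every suite the string enables is forward-secret."""
    return not non_pfs_suites(cipher_string)


# Constructed inputs: the string recommended above, and a static-RSA string
# (hypothetical weak configuration) whose suites have Kx=RSA.
RECOMMENDED = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
STATIC_RSA = "AES128-GCM-SHA256:AES256-GCM-SHA384"

if __name__ == "__main__":
    for label, cs in (("recommended", RECOMMENDED), ("static RSA", STATIC_RSA)):
        weak = non_pfs_suites(cs)
        verdict = "PFS" if not weak else "NO PFS"
        print(f"{label}: {verdict}; non-forward-secret suites: {weak}")
```

The same check can be run against a live server with `openssl s_client` and inspecting the negotiated suite, but the script above evaluates the configured string offline before the server is restarted.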