Perfect forward secrecy


The term forward secrecy or perfect forward secrecy describes a feature of key-agreement (i.e., key-exchange) methods. That is, the server and client keys are used to negotiate new temporary keys that are used specifically and only for the current communication session. Practically, this means that even if the server's private key is compromised, communication can only be decrypted by eavesdroppers if the attacker manages to obtain the key-pair specifically generated for the session.

Perfect forward secrecy is achieved by randomly generating a key pair for key-agreement on every TLS/SSL handshake (in contrast to using the same key for all sessions). Methods implementing this technique are called "ephemeral".

Currently two methods are commonly used to achieve perfect forward secrecy (note the character "E" appended to the traditional abbreviations):

  • DHE: An ephemeral version of the Diffie-Hellman key-agreement protocol.
  • ECDHE: An ephemeral version of the Elliptic Curve Diffie-Hellman key-agreement protocol.

To use perfect forward secrecy with DHE in the node:tls module, generate Diffie-Hellman parameters and pass them to tls.createSecureContext() with the dhparam option. The following OpenSSL command generates such parameters:

openssl dhparam -outform PEM -out dhparam.pem 2048

When using ECDHE for perfect forward secrecy, Diffie-Hellman parameters are not required and a default ECDHE curve is used. The ecdhCurve property can be used when creating a TLS server to specify the list of names of supported curves to use; see tls.createServer() for more information.

Perfect forward secrecy was optional up to TLSv1.2. As of TLSv1.3, (EC)DHE is always used (with the exception of PSK-only connections).
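
The following is an added example, not part of the Node.js documentation. It uses node:crypto rather than node:tls to show why the per-handshake key pair described above gives forward secrecy, by comparing a reused server key-agreement key with a fresh one. X25519, Ed25519, HKDF-SHA256 and all function names are assumptions made for this sketch.

```javascript
const crypto = require('node:crypto');

// Key-agreement key pair and session-key derivation (constructed demo values).
const newKx = () => crypto.generateKeyPairSync('x25519');
const derive = (privateKey, publicKey) => Buffer.from(crypto.hkdfSync(
  'sha256', crypto.diffieHellman({ privateKey, publicKey }),
  Buffer.alloc(0), 'constructed demo session key', 32));

// Long-term server keys: a signing identity and, for the non-ephemeral
// variant only, one key-agreement key reused for every session.
const identity = crypto.generateKeyPairSync('ed25519');
const staticKx = newKx();

// One handshake. Returns the public values a passive observer could record
// and the session key that both endpoints derived.
function handshake(ephemeral) {
  const server = ephemeral ? newKx() : staticKx; // fresh per session vs. reused
  const client = newKx();

  // The long-term identity key only authenticates the server's key share.
  const share = server.publicKey.export({ type: 'spki', format: 'der' });
  const signature = crypto.sign(null, share, identity.privateKey);
  if (!crypto.verify(null, share, identity.publicKey, signature)) {
    throw new Error('server key share is not signed by the expected identity');
  }

  const clientKey = derive(client.privateKey, server.publicKey);
  const serverKey = derive(server.privateKey, client.publicKey);
  if (!clientKey.equals(serverKey)) throw new Error('key agreement failed');

  // In the ephemeral case server.privateKey is discarded when this returns.
  return {
    recorded: { clientShare: client.publicKey, serverShare: server.publicKey },
    sessionKey: clientKey,
  };
}

// Models a later leak of the server's long-term keys: the only long-term
// key-agreement secret is staticKx.privateKey (the Ed25519 identity key
// cannot be used for Diffie-Hellman at all).
function recoverWithLongTermKeys(recorded) {
  return derive(staticKx.privateKey, recorded.clientShare);
}

const reused = handshake(false);
const fresh = handshake(true);
console.log('reused key, recording decryptable after leak:',
  recoverWithLongTermKeys(reused.recorded).equals(reused.sessionKey));
console.log('ephemeral key, recording decryptable after leak:',
  recoverWithLongTermKeys(fresh.recorded).equals(fresh.sessionKey));
```
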