Perfect forward secrecy
The term forward secrecy or perfect forward secrecy describes a feature of key-agreement (i.e., key-exchange) methods. That is, the server and client keys are used to negotiate new temporary keys that are used specifically and only for the current communication session. Practically, this means that even if the server's private key is compromised, communication can only be decrypted by eavesdroppers if the attacker manages to obtain the key pair specifically generated for the session.
Perfect forward secrecy is achieved by randomly generating a key pair for key-agreement on every TLS/SSL handshake (in contrast to using the same key for all sessions). Methods implementing this technique are called "ephemeral".
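The difference between a reused and a per-handshake key-agreement key, shown as an added example that is not part of the original documentation. It is a simplified model built on X25519 and Ed25519 from Node's crypto module, not the TLS handshake itself; handshake, recoverable and demo are hypothetical names, and all keys are generated on the spot.

```javascript
// Added example: simplified model of key agreement, not the TLS handshake itself.
const crypto = require('crypto');

const newKx = () => crypto.generateKeyPairSync('x25519');
// Long-term identity key (assumed Ed25519): it only signs, it never agrees on keys.
const identity = crypto.generateKeyPairSync('ed25519');

// One simulated handshake. Pass `staticKx` to reuse one server key for every
// session (no forward secrecy); omit it to generate a fresh, ephemeral key.
function handshake(staticKx) {
  const client = newKx();
  const serverKx = staticKx ?? newKx();
  const serverPubDer = serverKx.publicKey.export({ type: 'spki', format: 'der' });
  return {
    // What a passive eavesdropper can record from the wire.
    transcript: {
      clientPub: client.publicKey,
      serverPub: serverKx.publicKey,
      signature: crypto.sign(null, serverPubDer, identity.privateKey),
    },
    // Session secret as the client computes it.
    secret: crypto.diffieHellman({ privateKey: client.privateKey, publicKey: serverKx.publicKey }),
    // Exposed only so the demo can model theft of one session's key.
    serverKxPrivate: serverKx.privateKey,
  };
}

// Can a holder of `stolenKeys` recompute the secret of a recorded session?
function recoverable(session, stolenKeys) {
  const { clientPub } = session.transcript;
  return stolenKeys
    .filter((k) => k.asymmetricKeyType === 'x25519') // a signing key cannot do key agreement
    .some((k) => crypto.diffieHellman({ privateKey: k, publicKey: clientPub }).equals(session.secret));
}

// Constructed scenario: two sessions with a reused key, two with ephemeral keys.
function demo() {
  const longTermKx = newKx();
  const [s1, s2] = [handshake(longTermKx), handshake(longTermKx)];
  const [e1, e2] = [handshake(), handshake()];
  return {
    staticBrokenByServerKey: recoverable(s1, [longTermKx.privateKey]) && recoverable(s2, [longTermKx.privateKey]),
    ephemeralBrokenByServerKey: recoverable(e1, [identity.privateKey]) || recoverable(e2, [identity.privateKey]),
    ephemeralBrokenByOwnSessionKey: recoverable(e1, [e1.serverKxPrivate]),
    ephemeralBrokenByOtherSessionKey: recoverable(e2, [e1.serverKxPrivate]),
  };
}

console.log(demo());
```

With a reused key, one leaked private key opens every recorded session; with ephemeral keys, only the key pair generated for a given session opens that session.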
Currently two methods are commonly used to achieve perfect forward secrecy (note the character "E" appended to the traditional abbreviations):
- ECDHE: An ephemeral version of the Elliptic Curve Diffie-Hellman key-agreement protocol.
- DHE: An ephemeral version of the Diffie-Hellman key-agreement protocol.
Perfect forward secrecy using ECDHE is enabled by default. The ecdhCurve option can be used when creating a TLS server to customize the list of supported ECDH curves to use. See tls.createServer() for more info.
DHE is disabled by default but can be enabled alongside ECDHE by setting the dhparam option to 'auto'. Custom DHE parameters are also supported but discouraged in favor of automatically selected, well-known parameters.
Perfect forward secrecy was optional up to TLSv1.2. As of TLSv1.3, (EC)DHE is always used (with the exception of PSK-only connections).