Perfect forward secrecy
The term forward secrecy or perfect forward secrecy describes a feature of key-agreement (i.e., key-exchange) methods. That is, the server and client keys are used to negotiate new temporary keys that are used specifically and only for the current communication session. Practically, this means that even if the server's private key is compromised, an eavesdropper can decrypt the communication only if the attacker also manages to obtain the key pair generated specifically for that session.
Perfect forward secrecy is achieved by randomly generating a key pair for key agreement on every TLS/SSL handshake (in contrast to using the same key for all sessions). Methods implementing this technique are called "ephemeral".
Currently two methods, DHE and ECDHE, are commonly used to achieve perfect forward secrecy (note the character "E" appended to the traditional abbreviations).
To use perfect forward secrecy using DHE with the node:tls module, it is required to generate Diffie-Hellman parameters and specify them with the dhparam option to tls.createSecureContext(). The following illustrates the use of the OpenSSL command-line interface to generate such parameters:
openssl dhparam -outform PEM -out dhparam.pem 2048

If using perfect forward secrecy using ECDHE, Diffie-Hellman parameters are not required and a default ECDHE curve will be used. The ecdhCurve property can be used when creating a TLS Server to specify the list of names of supported curves to use, see tls.createServer() for more info.
Perfect forward secrecy was optional up to TLSv1.2, but it is not optional for TLSv1.3, because all TLSv1.3 cipher suites use ECDHE.
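
Because forward secrecy is optional up to TLSv1.2, a server's cipher list may still contain suites without it. The following added example (not part of the Node.js documentation) audits a cipher string and builds a secure context from the forward-secret suites only. The helper names and the sample list are hypothetical, and the list is assumed to contain literal OpenSSL suite names.

```javascript
const tls = require('node:tls');

// TLSv1.3 suite names start with TLS_ and always use ECDHE. For TLSv1.2 and
// earlier, the OpenSSL suite name starts with the key exchange: ECDHE-* and
// DHE-* are ephemeral, while a name without that prefix (for example
// AES256-GCM-SHA384) uses static RSA key transport.
function hasForwardSecrecy(suite) {
  const name = suite.toUpperCase();
  return name.startsWith('TLS_') || /^(ECDHE|DHE)-/.test(name);
}

// Assumption: the cipher string lists literal suite names; exclusions and
// directives (!aNULL, -RC4, +HIGH, @SECLEVEL=2) are skipped, not evaluated.
function auditCipherString(ciphers) {
  const names = ciphers.split(':').filter((c) => c && !/^[!+@-]/.test(c));
  return {
    forwardSecret: names.filter(hasForwardSecrecy),
    notForwardSecret: names.filter((n) => !hasForwardSecrecy(n)),
  };
}

// Hypothetical helper: build a secure context limited to forward-secret suites.
function forwardSecretContext(ciphers, options = {}) {
  const { forwardSecret, notForwardSecret } = auditCipherString(ciphers);
  if (forwardSecret.length === 0) {
    throw new Error('cipher list contains no forward-secret suite');
  }
  const kept = forwardSecret.join(':');
  const context = tls.createSecureContext({ ...options, ciphers: kept });
  return { context, ciphers: kept, dropped: notForwardSecret };
}

// Constructed sample list (not taken from any real deployment).
const SAMPLE_CIPHERS = [
  'TLS_AES_128_GCM_SHA256',
  'ECDHE-RSA-AES128-GCM-SHA256',
  'DHE-RSA-AES256-GCM-SHA384',
  'AES256-GCM-SHA384', // static RSA key exchange: no forward secrecy
  '!aNULL',
].join(':');

const result = forwardSecretContext(SAMPLE_CIPHERS, { ecdhCurve: 'P-256:X25519' });
console.log('kept:   ', result.ciphers);
console.log('dropped:', result.dropped.join(', '));
const local = tls.getCiphers();
const weak = local.filter((c) => !hasForwardSecrecy(c)).length;
console.log(`${weak} of ${local.length} locally supported suites lack forward secrecy`);
```

The returned context can be passed to a server through the secureContext option; a DHE suite is only negotiated if dhparam is also supplied as described above.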