Forward Secrecy and Ephemeral Keys … Guarding Against Data Breaches in the Future and the Past

Upgrading for the Future and the Past

--

Introduction

In our secure network connections, we need to create a session key to encrypt our data. Normally this is a 128-bit or 256-bit AES key. One method is for the server to send its public key, and then for the client to generate a random key, and encrypt it with the public key of the server and send it back. The server then uses the associated private key to decrypt it, and then the client and server will have the same key.

The perfect solution? Nope! This method is currently being kicked out of TLS and will not be supported in TLS 1.3. Why? Because a hack of one key — the long-term private key — will reveal all the previous and future session keys.
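The difference between the two approaches, as an added illustration that is not part of the original article: a toy RSA key transport, where a recorded ciphertext becomes readable once the server's long-term private key leaks, beside a toy ephemeral Diffie-Hellman exchange, where the per-session secrets are discarded and no long-term key can recover the session key. Everything here uses the Python standard library only, and the RSA and DH parameters are tiny constructed values chosen for readability, not security.

```python
"""Toy demonstration: static RSA key transport vs ephemeral Diffie-Hellman.
All parameters are constructed, deliberately tiny, and insecure."""
import hashlib
import secrets

# Constructed toy RSA key pair: p=61, q=53, n=3233, e=17, d=2753 (17*2753 = 1 mod 3120).
SERVER_RSA_PUB = (3233, 17)
SERVER_RSA_PRIV = (3233, 2753)
# Constructed toy DH group: the Mersenne prime 2**127 - 1 with generator 5.
DH_P, DH_G = 2**127 - 1, 5


def rsa_transport_session(pub):
    """Client picks a random session key and encrypts it to the server's
    long-term public key. Returns (ciphertext seen on the wire, session key)."""
    n, e = pub
    k = secrets.randbelow(n - 2) + 2  # toy: session key must be < n
    return pow(k, e, n), k


def rsa_recover_session(priv, ciphertext):
    """Anyone holding the long-term private key can open any recorded ciphertext."""
    n, d = priv
    return pow(ciphertext, d, n)


def ephemeral_dh_session():
    """Each side generates a one-time secret, exchanges public values, derives the
    shared key and discards the secret. Returns ((A, B) seen on the wire, key)."""
    a = secrets.randbelow(DH_P - 2) + 1
    b = secrets.randbelow(DH_P - 2) + 1
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    shared = pow(B, a, DH_P)
    assert shared == pow(A, b, DH_P)  # both sides agree on the same secret
    key = hashlib.sha256(str(shared).encode()).hexdigest()
    del a, b  # ephemeral secrets are not retained anywhere
    return (A, B), key


def breach_after_the_fact():
    """Adversary recorded the traffic earlier; today the long-term key leaks.
    Returns whether the recorded RSA-transported session key is exposed."""
    recorded_ct, real_key = rsa_transport_session(SERVER_RSA_PUB)
    recovered = rsa_recover_session(SERVER_RSA_PRIV, recorded_ct)
    # For the DH session only (A, B) was recorded; the leaked RSA key gives no
    # route from (A, B) to the session key, and the secrets a, b are gone.
    _transcript, _dh_key = ephemeral_dh_session()
    return recovered == real_key  # True: past RSA sessions are now readable
```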

One of the greatest risks in Cyber Security is the leakage of long-term keys (a breach of the trust infrastructure), where all the communications protected by those keys could be compromised. Such a breach could bring down even the largest of companies, as their digital presence could not be trusted anymore. Imagine if this happened to Google or a major digital certificate provider.

So what’s the solution? Well, before we start, let’s look at the method that is most…

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.