DH vs. DHE and ECDHE and perfect forward secrecy

user1810868 picture user1810868 · Dec 25, 2012 · Viewed 44.7k times · Source

Does Diffie-Hellman (DH) provide perfect forward secrecy? or is it a feature for Ephemeral Diffie-Hellman (DHE) only ? Is Elliptic Curve Ephemeral diffie-Hellman (ECDHE) is better than DHE ?

Answer

Bruno picture Bruno · Dec 26, 2012

It's the ephemeral aspect of DHE and ECDHE that provides perfect forward secrecy.

The idea is that even if someone records traffic and compromises the server to get its private key, they won't be able to decipher that traffic, because they'll be missing the ephemeral DH parameters that won't have been saved. With fixed DH, the private DH parameters are effectively the private key: they would also be compromised in the same way and allow the attacker to decipher past traffic too. (Note that support for fixed DH, non-anonymous cipher suites is quite rare in practice anyway.)

The perfect forward secrecy offered by DHE comes at a price: more computation. The ECDHE variants uses elliptic curve cryptography to reduce this computational cost. You may find further details and benchmarks in Vincent Bernat's SSL/TLS & Perfect Forward Secrecy article.