To create a more secure VPN tunnel, enable perfect forward secrecy, or PFS, as it provides assurances no one can compromise the session keys even if someone obtains the server’s private key.
- [Narrator] When encrypting traffic using symmetric encryption, both sides must share the same secret key. During the initial handshake, the client creates the master secret, encrypts it with the server's public key to prevent exposure while in transit, and sends it to the server. Once the server receives the master secret, it decrypts it with its own private key, and then both client and server have their own key. From the master secret, both client and server generate session keys to exchange data.
During the course of exchanging encrypted traffic, it's essential to protect the server's private key. If disclosed, an attacker can have access to the transmitted data, which poses a serious risk to data security. How can this happen? Cybercriminals work hard to get into systems and steal information, and have created several malware variants that can steal both private keys and digital certificates from Windows certificate stores by exploiting the operating system's functionality.
Some variants include Trojan.Zbot, Downloader.Parshell, and Trojan.Spyeye. The solution is to use perfect forward secrecy. Perfect forward secrecy provides assurance that no one can compromise the session keys, even if someone obtains the server's private key. Perfect forward secrecy generates a unique session key for every session a user initiates.
It uses the Diffie-Hellman key exchange. If a hacker is able to obtain a single session key, this only affects the data exchanged in the current session protected by that specific key. To enable perfect forward secrecy, both the client and the server must use a cipher suite that employs the Diffie-Hellman key exchange. Let's review Diffie-Hellman. Whitfield Diffie and Martin Hellman were among the few groups that developed public key technology in the 1970s as the need for securely exchanging a secret key became evident.
We use Diffie-Hellman for key exchange, not for encryption. The concept of Diffie-Hellman is it allows two users to share a secret key securely over a public network when using symmetric encryption. With perfect forward secrecy, both client and server generate a new set of Diffie-Hellman parameters for each session that are not stored or reused. The key exchange session lasts for a short time.
Periodically a new session begins, and both parties then create a new shared secret. Perfect forward secrecy ensures data protection by forcing the IPsec VPN tunnel to generate and use a different key when first setting up a tunnel along with any subsequent keys. Perfect forward secrecy provides assurance that no one can compromise the session keys even if someone obtains the server's private key.
Enable perfect forward secrecy when using an IPsec VPN to create a more secure VPN tunnel.
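The two handshake designs the narrator contrasts, modelled side by side in an added Python example that is not part of the course or its materials: a recorded handshake in which the client encrypts the master secret under the server's long-term RSA key, beside one keyed by an ephemeral Diffie-Hellman exchange, with a passive recorder that later obtains the server's long-term private key. Every name here (`P`, `Q`, `G`, `SERVER_PRIV`, `handshake_key_transport`, `handshake_ephemeral_dh`, `recover_from_recording`) is the example's own, and the 128-bit group and 256-bit textbook RSA are toy sizes chosen so the script runs instantly, not secure parameters.

```python
"""Added toy model: RSA key transport vs ephemeral Diffie-Hellman (NOT secure:
128-bit DH group, 256-bit textbook RSA, chosen only to make the structural
difference visible).  A passive attacker records each handshake and later steals
the server's long-term private key; recover_from_recording() shows what it buys.
"""
import hashlib
import math
import random
import secrets

def is_probable_prime(n, rounds=24):
    """Miller-Rabin test with random bases (toy key generation only)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    """Random prime of exactly `bits` bits (top and bottom bits forced to 1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def safe_prime(bits, rng):
    """p = 2q + 1 with p and q prime, so the generator 2 has order q or 2q."""
    while True:
        p = 2 * random_prime(bits - 1, rng) + 1
        if is_probable_prime(p):
            return p

def rsa_keygen(bits, rng):
    """Toy textbook RSA (no padding): returns (n, e) public, (n, d) private."""
    e = 65537
    while True:
        p, q = random_prime(bits, rng), random_prime(bits, rng)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

# Seeded RNGs make the toy group and server key reproducible across runs.
P = safe_prime(128, random.Random(2024))      # DH modulus (128 bits: toy only)
Q, G = (P - 1) // 2, 2                        # subgroup order and generator
SERVER_PUB, SERVER_PRIV = rsa_keygen(128, random.Random(7))

def kdf(shared, label):
    """Derive a 256-bit session key from an integer secret and a label."""
    return hashlib.sha256(label + shared.to_bytes((shared.bit_length() + 7) // 8, "big")).digest()

def _sig_digest(value, n):
    return int.from_bytes(hashlib.sha256(value.to_bytes(16, "big")).digest(), "big") % n

def handshake_key_transport(server_pub):
    """Client picks the master secret and encrypts it under the server's
    long-term key.  Returns (session_key, what_the_wire_shows)."""
    n, e = server_pub
    master = secrets.randbits(160)                # toy master secret, well below n
    return kdf(master, b"transport"), {"encrypted_master": pow(master, e, n)}

def handshake_ephemeral_dh(server_priv):
    """Fresh exponents every session; the long-term key only signs g^y.
    Returns (session_key, what_the_wire_shows)."""
    n, d = server_priv
    x = secrets.randbelow(Q - 1) + 1              # client's ephemeral exponent
    y = secrets.randbelow(Q - 1) + 1              # server's ephemeral exponent
    client_pub, server_pub = pow(G, x, P), pow(G, y, P)
    sig = pow(_sig_digest(server_pub, n), d, n)   # authenticates the server's g^y
    shared = pow(server_pub, x, P)                # client side
    assert shared == pow(client_pub, y, P)        # server side computes the same
    # x and y go out of scope here: nothing durable can recompute `shared`.
    wire = {"client_pub": client_pub, "server_pub": server_pub, "sig": sig}
    return kdf(shared, b"dhe"), wire

def verify_server_signature(wire, server_pub):
    """The long-term key's only job in the DH design: authenticating g^y."""
    n, e = server_pub
    return pow(wire["sig"], e, n) == _sig_digest(wire["server_pub"], n)

def recover_from_recording(wire, stolen_server_priv):
    """Session key a passive recorder gets once the long-term key leaks, or None."""
    n, d = stolen_server_priv
    if "encrypted_master" in wire:
        # The stolen key decrypts the master secret of every recorded session.
        return kdf(pow(wire["encrypted_master"], d, n), b"transport")
    # DH design: the recording holds only g^x and g^y.  The stolen key verifies
    # the signature but recovering x or y would mean solving a discrete log.
    return None
```

Running `handshake_key_transport(SERVER_PUB)` and then `recover_from_recording` on its wire record with `SERVER_PRIV` returns the very session key the peers derived; doing the same with the record from `handshake_ephemeral_dh` returns nothing, even though the same long-term key signed the exchange. In a real IPsec deployment the same property comes from enabling PFS in the IKE/IPsec policy, so each IPsec security association is keyed from a fresh Diffie-Hellman exchange rather than from keying material that the long-term key could unlock later.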