I guess this is exactly why this is over my head. Maybe you can help me even tho...

tdg · on June 24, 2013

This is not PFS but a simplified example of how you may not be able to decrypt a conversation with one side's private key:

Server X and User Y are communicating. Some guy Z has X's private key. Z is also passively listening the communication.

- Y sends its public key to X. X sends its public key.

- Y generates a random number (A), encrypts with X's public key sends to X.

- Both X and Z decrypt the number. Now X, Y and Z all know the number A.

- X generates a random number (B), encrypts with Y's public key, sends to Y.

- Since Z does not have Y's private key, it can't decrypt it . At this point, X and Y know A and B, Z only knows A.

- X and Y use a predetermined algorithm using A and B as inputs to generate a new key. Further communications are encrypted/decrypted with this key.

- Z can't decrypt the communication.

methehack · on June 25, 2013

And to link it back to the outer conversation... Since google is using PFS for gmail, for the NSA to read those conversations, google would either need to (a) give them the email unencrypted directly (cheating) or (b) give them the specific key negotiated for each conversation.

It strikes me that once PFS is in place, google would, in theory, be able to keep everything private except those conversations that a court forced them to give up the keys for.

As long as the rule of law were upheld (i.e., warrants/judicial involvement), it seems to me that this model could work and be generalizable for all web traffic. Maybe it's the way forward...

Happy to have my naiveté corrected :)

GhotiFish · on June 24, 2013

Great explanation of the concept! That's really clear.

methehack · on June 24, 2013

Excellent explanation! I'm in!