Two weeks ago I delivered a presentation for Worldpay on the subject of Forward Secrecy. I volunteered to give this around 10 weeks ago as it was a subject that I’d seen mentioned several times whilst reading security-related web sites, but I couldn’t quite get my head around. By volunteering I was forcing myself in to a position where I had to learn it, and understand it well enough to explain to a room full of strangers.
I find difficulty in understanding very common when it comes to security-related subjects; I also find it unnecessary and frustrating. There does seem to be a genuine lack of consumability when it comes to writing the specifications, guides and tutorials that attempt to explain, what turn out of be, straightforward subjects. Materials seem to be purely aimed at the implementer rather than the consumer, and this applies to both terminology coined as well as the style of writing.
I’m neither a mathematician nor a cryptographer, but I do deeply care about security. Initiatives like Let’s Encrypt show how easy the process should be (as close to “secure by default” as you can get), so I see no reason why similar initiatives.
So, this presentation of Forward Secrecy walks the reader through:
- The problem statement and motivation for it
- The theory of forward secrecy (with no mathematics in sight, it’s just not necessary)
- How it is achieved in the TLS (formerly SSL) protocol.
- Finally, some Java sample code is shown that shows how to use forward secrecy enabled cipher suites in Java applications using the Java Secure Sockets Extension (JSSE) API.
As the presentation was given to an external audience I’m able to publish it, along with code samples that show how forward secrecy, using TLS, can be used within a Java application.
All material is copyright of Worldpay. The license for code is MIT.
Github Repository (containing all artifacts): https://github.com/andybrodie/fsdemoapp.
Presentation link: https://github.com/andybrodie/fsdemoapp/blob/master/docs/Forward%20Secrecy%20in%20Java.pptx?raw=true.