by tdg 4736 days ago
This is not PFS but a simplified example of how you may not be able to decrypt a conversation with one side's private key:

Server X and User Y are communicating. Some guy Z has X's private key. Z is also passively listening to the communication.

- Y sends its public key to X. X sends its public key.

- Y generates a random number (A), encrypts it with X's public key, and sends it to X.

- Both X and Z decrypt the number. Now X, Y and Z all know the number A.

- X generates a random number (B), encrypts it with Y's public key, and sends it to Y.

- Since Z does not have Y's private key, it can't decrypt it. At this point, X and Y know A and B; Z only knows A.

- X and Y run a predetermined algorithm with A and B as inputs to generate a new key. Further communications are encrypted/decrypted with this key.

- Z can't decrypt the communication.


And to link it back to the outer conversation... Since Google is using PFS for Gmail, for the NSA to read those conversations, Google would either need to (a) give them the email unencrypted directly (cheating) or (b) give them the specific key negotiated for each conversation.

It strikes me that once PFS is in place, Google would, in theory, be able to keep everything private except those conversations that a court forced them to give up the keys for.

As long as the rule of law were upheld (i.e., warrants/judicial involvement), it seems to me that this model could work and be generalizable for all web traffic. Maybe it's the way forward...

Happy to have my naiveté corrected :)

Great explanation of the concept! That's really clear.
Excellent explanation! I'm in!