What Perfect Forward Secrecy means

Let’s say you had an encrypted conversation with Bob yesterday. Today Bob accidentally posts his secret key on the internet. You still want your conversation to be private, right? So what can you do? You can use a cryptographic protocol with perfect forward secrecy (PFS). That will protect you against similar blunders by your conversation partners and even your own blunders of this type. Sounds pretty desirable, right?

Since the Snowden leaks, we know for sure that a variety of state-run intelligence services record your communication – some of them with the explicit intent to decrypt it later when possible. And with many protocols you just need to break one key to be able to decipher many messages. PFS also protects against that: an attacker usually needs to break every single message individually.

So both blunders and outright malice pose a sizeable threat, which we therefore need to consider when designing our threat models.


Connecting to Amazon VPC

Overview

Amazon's Virtual Private Cloud (VPC) service offers great outsourcing possibilities for your less private (but still private) services.

Consider a Jenkins build server. You have one on your local machine, but sometimes it is just too much load for your hardware. In such a case it would be nice to push some of that load into the cloud. Clearly you cannot just put a Jenkins server into the cloud, because it will need access to various services, at the very least a source repository (Git, SVN). To protect that cloud-internal traffic (you do not want other Amazon customers to see your source code) you should use a VPC. And for seamless integration into your existing infrastructure you will need a VPN tunnel from the Amazon VPC to your local network.

Amazon offers the possibility to create such a VPN connection to your VPC. You may set up your own VPN server in your VPC, but in our opinion it is easier and cheaper to use Amazon's solution. Because it seemed less pricey, we first tried to just use open-source software for that VPN server.
