During a web application engagement, you capture TLS 1.0 traffic and later obtain the server's RSA private key. Because the site negotiates RSA key-exchange ciphersuites, you can decrypt every recorded session. To stop an attacker from retrospectively decrypting captured traffic without replacing the existing certificate chain, which change is the most effective countermeasure?
Increase the server's RSA key size from 2048 to 4096 bits to make brute-force key recovery impractical.
Configure the server to prefer ECDHE ciphersuites so that the session keys are established with ephemeral Diffie-Hellman while still authenticating with the current RSA certificate.
Enable HTTP Strict Transport Security (HSTS) for the domain to force clients onto HTTPS connections.
Reissue the certificate so it is signed with SHA-256 instead of the deprecated SHA-1 algorithm.
The correct change is to prefer ECDHE ciphersuites. Ephemeral Diffie-Hellman key exchange (DHE, and its elliptic-curve form ECDHE) generates a fresh key pair for every TLS handshake. The RSA certificate is still used, but only to sign the server's ephemeral public key so the client can authenticate it; the session key is derived from the two ephemeral keys, which are discarded once the handshake completes. Nothing that can be decrypted with the long-term RSA key is ever sent on the wire, so even if that key is exposed later, the captured handshakes do not yield the session keys. This property is forward secrecy (often called perfect forward secrecy, PFS). With plain RSA key exchange, by contrast, the client encrypts the premaster secret directly to the server's RSA public key in the ClientKeyExchange message, so the private key decrypts every recorded session. Increasing the RSA key length, upgrading the certificate's signature hash, or forcing browsers onto HTTPS with HSTS changes none of this: each still leaves the premaster secret encrypted under a key that may later leak. Two caveats a practitioner should keep in mind: forward secrecy is not retroactive, so sessions recorded before the configuration change remain decryptable, and merely preferring ECDHE still allows a client that offers only RSA key exchange to negotiate it, so the RSA key-exchange suites (and TLS 1.0 itself) should be disabled outright. TLS 1.3 removes static RSA key exchange entirely.
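The two handshake shapes discussed above, reproduced with the openssl command-line tool as an added example (this is not part of the original question or its explanation; file names, the temporary directory and the random premaster secret are constructed here). The first function plays the RSA key exchange: a "captured" ClientKeyExchange is decrypted later with the leaked server key. The second plays ECDHE_RSA: the same RSA key only signs the server's ephemeral public key, the session secret is derived from the two ephemeral keys, and after those are deleted the attacker's capture plus the RSA private key cannot reproduce it.

```shell
#!/bin/sh
# Added example (not the page's own material): RSA key exchange versus ECDHE
# key exchange, using only the openssl CLI. All file names are hypothetical.

work="$(mktemp -d)"
trap 'rm -rf "$work"' EXIT

# Long-term server identity: the RSA key behind the existing certificate.
make_server_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/server.key" 2>/dev/null
    openssl pkey -in "$work/server.key" -pubout -out "$work/server.pub"
}

# RSA key exchange (TLS_RSA_* suites): the client encrypts the 48-byte
# premaster secret to the server's long-term public key and sends it in
# ClientKeyExchange. Whoever later obtains server.key decrypts the capture.
# Returns 0 when the recorded premaster secret is fully recovered.
rsa_kx_recoverable() {
    openssl rand -out "$work/premaster.bin" 48            # constructed secret
    # What a passive attacker records from the wire:
    openssl pkeyutl -encrypt -pubin -inkey "$work/server.pub" \
        -in "$work/premaster.bin" -out "$work/captured_ckx.bin"
    # Later, with the leaked private key:
    openssl pkeyutl -decrypt -inkey "$work/server.key" \
        -in "$work/captured_ckx.bin" -out "$work/recovered.bin"
    cmp -s "$work/premaster.bin" "$work/recovered.bin"
}

# ECDHE key exchange (TLS_ECDHE_RSA_* suites): each side makes a one-shot
# P-256 key, the server signs its ephemeral public key with the RSA key (the
# certificate's only role), and the session secret is ECDH of the two
# ephemeral keys. Returns 0 when both sides agree on the secret and the
# leaked RSA key cannot reproduce it afterwards.
ecdhe_kx_forward_secret() {
    for side in server client; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out "$work/$side.eph.key" 2>/dev/null
        openssl pkey -in "$work/$side.eph.key" -pubout -out "$work/$side.eph.pub"
    done
    # ServerKeyExchange: ephemeral public key plus an RSA signature over it,
    # which the client verifies against the certificate's public key.
    openssl dgst -sha256 -sign "$work/server.key" -out "$work/ske.sig" \
        "$work/server.eph.pub"
    openssl dgst -sha256 -verify "$work/server.pub" -signature "$work/ske.sig" \
        "$work/server.eph.pub" >/dev/null || return 1
    # Each end derives the secret from its own ephemeral private key and the
    # peer's ephemeral public key; nothing secret crosses the wire.
    openssl pkeyutl -derive -inkey "$work/client.eph.key" \
        -peerkey "$work/server.eph.pub" -out "$work/client.secret"
    openssl pkeyutl -derive -inkey "$work/server.eph.key" \
        -peerkey "$work/client.eph.pub" -out "$work/server.secret"
    cmp -s "$work/client.secret" "$work/server.secret" || return 1
    # Handshake over: the ephemeral private keys are discarded.
    rm -f "$work/server.eph.key" "$work/client.eph.key"
    # Attacker's haul: both ephemeral public keys, the signature, and the
    # leaked long-term RSA key. An RSA key can only sign or decrypt; it is not
    # an ECDH key and there is no ciphertext of the secret to decrypt.
    if openssl pkeyutl -derive -inkey "$work/server.key" \
        -peerkey "$work/client.eph.pub" -out "$work/attacker.secret" 2>/dev/null
    then
        return 1   # would mean the long-term key alone yields the session secret
    fi
    return 0
}

make_server_key
if rsa_kx_recoverable; then
    echo "RSA key exchange: captured premaster secret recovered with the leaked key"
fi
if ecdhe_kx_forward_secret; then
    echo "ECDHE key exchange: session secret not recoverable from the leaked key"
fi
```

The equivalent check against a live server is to ask for RSA key exchange only, e.g. `openssl s_client -connect host:443 -cipher kRSA`; once the server is correctly configured that handshake must fail, and a normal `openssl s_client` connection should report an ECDHE (or TLS 1.3) cipher.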