Tap-Proof Encryption Using Perfect Forward Secrecy In Web Browser
Mohd Nizam Omar¹, Dahliyusmanto², Tutut Herawan³, Irham Ahmad⁴, Angela Amphawan⁵, Zurianawati Ibrahim⁶
¹,⁵ InterNetWorks Lab, School of Computing, Universiti Utara Malaysia, Malaysia
² Department of Computer Science, Faculty of Engineering, Universitas Riau, Riau
³ Department of Information Systems, University of Malaya, Malaysia
⁴ Pejabat Setiausaha Kerajaan Negeri Perlis, Malaysia
⁶ Politeknik Sultan Abdul Halim Mu’adzam Shah, Bandar Darulaman, Malaysia
*Corresponding Author
Received: 10 October 2016, Accepted: 4 November 2016
Published online: 14 February 2017
Abstract: The world has become seriously concerned about privacy following several incidents, such as
SIM card hacks, interception of phone calls, interception of Internet communication, and illegal
surveillance programs like PRISM. One way to overcome this problem is to use Perfect Forward Secrecy
(PFS). Not much research has successfully proven the effectiveness of PFS on the Internet. Using a real
experiment testbed, this research begins by setting up a web-based application server. Then, a client
computer is created. After that, another computer, installed with Wireshark, acts as the attacker and is
used to capture the communication between the client and the web server. This capturing process is
repeated for communication with PFS and without PFS. Based on the result, Wireshark successfully captures
crystal-clear text of the data on the communication without PFS, compared to encrypted text on the
communication with PFS. Therefore, using PFS protects the communication data. This research can
hopefully be used to provide privacy in Internet communication.
1. Introduction
When the world was shocked by news reports about the National Security Agency (NSA),
many researchers around the world tried to find a solution to protect data from being compromised. News
reports indicated that the NSA had been intercepting the phone calls and Internet communication of
American citizens and of almost all high-profile personnel in the world [1]. In view of this issue, this
research proposes Perfect Forward Secrecy (PFS) as one of the solutions.
Encryption is used to secure communication between two parties. With encryption, eavesdropping
and attacks such as chosen cipher attack, non-repudiation attack and man-in-the-middle attack are
difficult to carry out [2, 3]. Currently, two types of attack have been identified: the Browser Exploit
Against SSL/TLS (BEAST) attack and the Compression Ratio Info-Leak Mass Exploitation (CRIME)
attack [4]. Encryption can be defined as a technique or method used to secure data from
being stolen or changed by others [5].
Encryption is also used to protect data from interception during two-way communication.
Nowadays, web browsers use HTTPS, and HTTP alone is not secure. This is because attackers
have become more intelligent in executing hacking. In this research, the researcher will explain the
concept of PFS and the advantages of PFS compared to other concepts.
The first objective of this research is to examine the encryption techniques that can overcome
eavesdropping issues. Nowadays, many encryption techniques are used on the Internet. One of
these techniques is PFS. PFS is a concept where the public key generates an encryption key in each
session. That way, attackers can no longer use the same key for a different session.
The second objective of this research is to apply PFS in the web browser and web application.
Although PFS has been introduced before, awareness and use of this concept are still low. In
this research, PFS will be applied to the web browser and the web application.
Finally, the last objective of this research is to prove the effectiveness of PFS compared to
non-PFS. This research shows the difference between the PFS and non-PFS concepts using the real
experiment testbed.
Figure 1(a) shows that the same public key is used to generate different encryption keys, while
Figure 1(b) shows that different public keys generate different encryption keys.
Based on the experiment (Section 6), communication with PFS enabled resists
the attacker (the information is encrypted). Moreover, if the public key is stolen, the next session
still cannot be compromised, because the next session uses a different public key and the attacker
cannot use the same public key. Therefore, applying PFS secures the communication
between client and server.
2. Related Works
After a few reports about the NSA, many researchers tried to find a solution to secure their networks.
The best solution is to enable PFS in the server and browser. Chin-Chen Chang et al. conducted
research to enable PFS on mobile devices [9]. Zhang Jianhong and Chen Hua carried out research
to enable PFS in an authenticated email protocol [10]. On the other hand, Vineeta Tiwari et al.
extended the research by Zhang Jianhong and Chen Hua to prove that PFS in an email protocol can secure
email against cyber-attack issues [11]. Lin-Shung Huang et al. ran their research by calculating how
many websites in the world use PFS, based on the websites listed by Alexa [12].
Based on the related work discussed above, most of the researchers agree that PFS is
important and have applied it in different environments. In this research, the web browser environment
has been selected because of its popularity for connecting to the Internet. Moreover, a real testbed
experiment has been developed to prove that PFS is an effective method, compared to non-PFS, for
securing web-based applications against tapping by attackers.
Based on the research by Chin-Chen Chang et al., Zhang Jianhong and Chen Hua, and Vineeta Tiwari et
al., PFS will be examined in a LAN environment [9,11].
As discussed before, the testing environment of this research is a Local Area Network
(LAN), and this will be expanded to a Wide Area Network (WAN) environment in future work.
[Figure 2: flowchart of the PFS configuration on the web server. Recoverable step labels: Enable SSL Protocol; Enable SSL Honor Cipher Order; Enable SSL Cipher Suite; Save ssl.conf file; Restart apache service; End.]
Based on Figure 2, there are seven steps needed to configure PFS in the web server. Each step
must be followed accordingly to ensure that PFS works on both the web server and the web
browser. When all of these steps have been completed, the experiment follows by browsing to the
website address with http and https in the web browser.
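The three ssl.conf settings named in Figure 2 can be checked mechanically before the Apache service is restarted. The following is an added example, not part of the paper: the function names and both sample configurations are constructed, and it assumes OpenSSL-style cipher strings for TLS 1.2 and earlier.

```python
import re

# Key-exchange selectors that mean ephemeral (EC)DHE in OpenSSL cipher strings.
FS_HEADS = {"ECDHE", "EECDH", "DHE", "EDH", "kECDHE", "kEECDH", "kDHE", "kEDH"}
WANTED = ("sslprotocol", "sslhonorcipherorder", "sslciphersuite")

def parse_directives(conf_text):
    """Collect the last value of each mod_ssl directive named in Figure 2."""
    found = {}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() in WANTED:
            found[parts[0].lower()] = parts[1].strip()
    return found

def non_fs_entries(cipher_string):
    """Entries of an SSLCipherSuite value not tied to an ephemeral key exchange."""
    bad = []
    for entry in re.split(r"[:, ]+", cipher_string.strip()):
        if entry and entry[0] not in "!-@":      # skip exclusions and sort rules
            head = entry.lstrip("+").split("+")[0].split("-")[0]
            if head not in FS_HEADS:
                bad.append(entry)
    return bad

def audit(conf_text):
    """Return a list of findings; an empty list means the three settings pass."""
    d = parse_directives(conf_text)
    findings = [f"{name}: directive missing" for name in WANTED if name not in d]
    protos = d.get("sslprotocol", "").lower().split()
    if any(p.lstrip("+") in ("sslv2", "sslv3") for p in protos):
        findings.append("sslprotocol: SSLv2/SSLv3 enabled")
    if "sslhonorcipherorder" in d and d["sslhonorcipherorder"].lower() != "on":
        findings.append("sslhonorcipherorder: server preference not enforced")
    for entry in non_fs_entries(d.get("sslciphersuite", "")):
        findings.append(f"sslciphersuite: {entry} does not guarantee forward secrecy")
    return findings

# Constructed samples (not the ssl.conf used in the paper).
WEAK_CONF = """
SSLProtocol all
SSLHonorCipherOrder off
SSLCipherSuite HIGH:AES128-SHA:!aNULL
"""
PFS_CONF = """
SSLProtocol -all +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:EECDH+AESGCM:!aNULL:!MD5
"""
```

Group keywords such as HIGH are reported because they expand to suites that include static RSA key exchange, so the server could still negotiate a session without forward secrecy.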
Based on Figure 3, the web server, client and attacker are connected to the switch. When the
client fills in the online form on the web server, the attacker attempts to tap the communication line
between the client and the web server.
Figure 4 shows the front page of “eMohon”. This front page is used as the input page for
the experiment with the PFS and non-PFS methods.
Figures 7 and 8 show the differences between the data captured by
Wireshark with PFS and without PFS. Figure 7 shows the plaintext, where the connection is not
encrypted with the PFS concept, while Figure 8 shows the ciphertext (this gives proof that PFS
is applied). Figure 8 also shows that the connection was encrypted with the PFS concept
using the Elliptic curve Diffie-Hellman joint RSA cryptosystem, 128 bit keys and the Transport Layer
Security 1.2 (TLS 1.2) protocol.
A search for the string “Fauzi” was executed. The search found no such
string in the PFS connection. However, the “Fauzi” string was found in the non-PFS connection.
This proves the concept that PFS encrypts the connection. Table 1 shows the details.
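The two observations reported from the captures, the negotiated cipher suite and the result of the string search, can be reproduced on raw payload bytes. The following is an added example, not part of the paper: the function names are hypothetical, and the byte streams are constructed and simplified to a single reassembled payload rather than taken from the experiment's captures.

```python
import struct

# IANA cipher suite IDs -> (name, ephemeral key exchange?)
SUITES = {
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", True),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", True),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", False),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", False),
}

def tls_records(stream):
    """Yield (content_type, payload) for each TLS record at the start of stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, pos)
        if ctype not in (20, 21, 22, 23) or version >> 8 != 3:
            return                              # not TLS framing, e.g. plain HTTP
        yield ctype, stream[pos + 5:pos + 5 + length]
        pos += 5 + length

def server_hello_suite(stream):
    """Return the cipher suite ID chosen in the ServerHello, or None."""
    for ctype, body in tls_records(stream):
        if ctype == 22 and len(body) > 38 and body[0] == 2:   # handshake, ServerHello
            off = 39 + body[38]     # 4 header + 2 version + 32 random + session id
            if off + 2 <= len(body):
                return struct.unpack_from("!H", body, off)[0]
    return None

def analyse(stream, marker):
    """Report the negotiated suite and whether marker is readable on the wire."""
    suite = server_hello_suite(stream)
    name, fs = SUITES.get(suite, (None, False))
    return {"tls": suite is not None, "suite": name,
            "forward_secret": fs, "marker_visible": marker in stream}

def sample_tls_stream(suite_id):
    """Constructed capture: ServerHello record, then one opaque data record."""
    rec = lambda ctype, data: struct.pack("!BHH", ctype, 0x0303, len(data)) + data
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite_id) + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return rec(22, handshake) + rec(23, bytes(range(128, 160)))

# Constructed plain-HTTP form submission carrying the search string.
HTTP_STREAM = b"POST /form HTTP/1.1\r\nHost: server.example\r\n\r\nname=Fauzi"
```

A stream negotiated with a static-RSA suite such as 0x002F also hides the string, so the suite ID in the ServerHello is what shows that an ephemeral key exchange was used.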
5. Conclusion
From the real experiment testbed using the input data “eMohon”, this research has
successfully shown that the data is encrypted while using PFS. Otherwise the data can still be read by the
6. Future Work
Based on the literature review carried out during this research, some weaknesses and
opportunities to expand PFS in the future were found. First, a PFS method for use in the mobile
environment can be proposed. This is because communication using mobile devices is more prone
to being tapped [9]. Secondly, the proposed method should also be tested on a large-scale network
such as a Wide Area Network (WAN). This will give more proof of concept of PFS. Thirdly, Ivan
Ristic from Security Labs found that PFS using DHE is significantly slower than other concepts [17].
Given this weakness, this research suggests that future work needs another solution to
make PFS faster than it is now.
Acknowledgement. The authors would like to thank InterNetWorks Lab, School of Computing,
Universiti Utara Malaysia, Department of Computer Science, Faculty of Engineering, Universitas
Riau-Indonesia, Department of Information Systems, University of Malaya-Malaysia, Pejabat
Setiausaha Kerajaan Negeri Perlis-Malaysia, Politeknik Sultan Abdul Halim Mu’adzam Shah, Bandar
Darulaman, Kedah-Malaysia.
References
[1] Yuji Suga, “SSL/TLS servers status survey about enabling forward secrecy”, Internet Initiative Japan
Inc., 2014.
[2] Berry Schoenmakers, “Cryptographic Protocols”, Dept of Mathematics and Comp. Science, Technical
University of Eindhoven, Netherland, 1 February 2015.
[3] Susmita Mandal, Sujata Mohanty, “Multi-Party Key-Exchange with Perfect Forward Secrecy”, Dept
of Comp. Science & Engineering National Institute of Technology Rourkela India, 2014.
[4] Albert Fruz, “BEAST vs CRIME Attack”, InfoSec Institute, 14 October 2013.
[5] Fred Kerby, “Understanding Encryption”, The SANS Institute,
http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201107_en.pdf, July 2011.
[6] Gerald J. Popek and Charles S Kline, “Encryption and Secure Computer Networks”, University of
California, Los Angeles, 1979.
[7] G. Julius Ceasar, John F. Kennedy, “Security Engineering : A guide to Building Dependable
Distributed Systems”, University of Cambridge.
[8] Shyam P. Joy and Priya Chandran, “A Formal Framework for Comparing Group Key Agreement
Protocols with Partial Forward Secrecy”, National Institute of Technology Calicut, Kerala, India,
2010.
[9] Chin-Chen Chang, Shih-Yi Lin and Jen-Ho Yang, “Efficient User Authentication and Key
Establishment Protocols with Perfect Forward Secrecy for Mobile Devices”, IEEE Ninth International
Conference on Computer and Information Technology, 2009.
[10] Zhang Jianhong and Chen Hua, “An Efficient Identity-based Authenticated Email Protocol With
Perfect Forward Secrecy”, North China University of Technology (NCUT) Beijing China, 2010.
[11] Vineeta Tiwari, Neha Chandel and Anshul Jain, “Securing Email Applications from Various Cyber
Issue”, International Journal of Emerging Technology and Advanced Engineering, 2013.
[12] Lin-Shung Huang, Shrikant Adhikarla, Dan Boneh and Collin Jackson, “An Experimental Study of
TLS Forward Secrecy Deployments”, Carnegie Mellon University, Microsoft and Stanford University,
2014.
[13] Chris Sanders, “Practical Packet Analysis”, No Starch Press Inc, 2011.
[14] “Wireshark tutorial”, George Mason University, http://cs.gmu.edu/.../ISA.../Wireshark-Tutorial.pdf.
[15] eMohon application, Pejabat Setiausaha Kerajaan Negeri Perlis, http://emohon.perlis.gov.my
[16] Giuseppe A. Di Lucca, Anna Rita Fasolino, “Testing Web-based application: The state of the art and
future trends”, University of Sannio, Italy, 12 April 2006.
[17] Ivan Ristic, “SSL Labs: Deploying Forward Secrecy”,
https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy,
Security Labs, 5 August 2013.