Mitigating TLS compromise with ECDHE and SRP
share
The paper reviews an implementation of an additional encrypted tunnel within TLS to further secure and authenticate the traffic of personal information between ProtonMail's frontends and the backend, implementing its key exchange, symmetric packet encryption, and validation. Technologies such as Secure Remote Password (SRP) and the Elliptic Curves Diffie Hellman Ephemeral (ECDHE) exchange are used for the key exchange, verifying the public parameters through PGP signatures. The data is then transferred encrypted with AES-128-GCM. This project is meant to integrate TLS security for high security data transfer, offering a flexible model that is easy to implement in the frontends by reusing part of the standard already existing in the PGP libraries.
READ FULL TEXT