Perfect Forward Secrecy in TLS Explained

Santosh Kodicherla thanks Santosh!!

@@hnasr One request is, video on 0-rtt which is feature in tls1.3. If you can explain that with example. That would be awesome. I see your videos on tls1.3 coming one of top videos when i search for tls1.3 handshake. I am sure lot of people would like that too.

You still want the private key (of the public key found in the certificate) on the server because it will be needed to prove that server owns that certificate (as the certificate is public - you don't want anyone just copying it onto their server).
Also, generally the server will use that private key to sign a hash of the handshake transcript, to prove nothing has been tampered with along the way. (that's a better approach than just signing an arbitrary string for proof).

In DH-Ephemeral, the long-term public/private key pair is always the same on the server, but is just used for authentication - that is to prove the server really is who they say they (i.e., they own their certificate) during a connection with a new client.
Both client and server will generate their own new private keys for the DH exchange - those only last during the handshake and are used to derive a shared, symmetric key which is then used for all messages going forward.
So the point of Perfect Forward Secrecy (PFS) thru the use of the "E" (Ephemeral) in DHE is to ensure that the compromise of the long-term private key held on the server has no effect on decrypting (presumably saved) conversations, because that long-term private key (for authentication) was NOT used to derive any encryption keys for client-server communcation.

Antonis Misirgis thanks Antonis, you were right your question is deep. My understanding is both client the server generates a private/public key . The client combines the public+private key and sends it (unbreakable combo) the server receives this and adds its private key to the combo to generate the final symmetric key. The server now combines its private key and public key and return it to the client (unbreakable combo) the client now takes that combo and adds its private key to generate the symmetric key.
Thats my understanding hope it makes sense. I am not familiar with the actual math unfortunately behind it.

In TLS 1.3 there are a bunch of pre-negotiated groups for DH (whether finite fields or elliptic curves), and the client would pick one of them - see RFC 7919. Servers aren't allowed to come up with custom ones anymore in 1.3
But having pre-defined (and known to be secure) 'g' and 'p' is fine. The client then just chooses a secret 'a' and the server will choose it's secret 'b'. Client sends A = g^a mod p, Server sends B = g^b mod p. Client calculates S = B^a mod p, which is equal to the server's calculation of S = A^b mod p.
Final shared symmetric key is then basically S (not exactly - but derived easily from it).
The private keys of 'a' and 'b' are completely separate from the long-term private key held on the server (which corresponds to the public key in the certificate). Unfortunately the term 'private key' is overloaded here - one is long-term and used for authentication with every connection, the other is short-term / ephemeral, and is created in order to derive (as shown above) a unique symmetric key for that session's communications.

Excellent question! The public key in the cert becomes less and less relevant and only used for identity. The server also encrypts the DH parameters in the server hello using its private key for additional security this way the client will use the public key to decrypt the server hello to complete the handshake.

@@hnasr Interesting thing is even if the identity is broken, we dont really care because Diffie Hellman is independent of the cert. Hence we dont really care if someone hijacks the cert which begs the question, why not recieve the cert completely?
To put it differently for TLS handshake, we stop using the cert. Client picks keys, server picks keys. exchange the keys using Diffie Hellman and continue the communication?

No, the certificate is extremely important. Without it, you can do what is called a man in the middle attack.
If an attacker could intercept the packets, they could pretend to be the server and establish a shared key with the client. Then when the client sends a request it would go to the attacker. The attacker then pretends to be a client and establishes another shared key with the real server. And just like that, all messages go through the attacker and he can read every message, even change them.
The server prevents this by signing it's response (step two of the diffie Hellman handshake) with the private key. The attacker doesn't have this key, so he can't provide the client with a valid handshake response. If the "server hello" is not signed/encrypted by the private key, then the entire thing is broken.
To put it another way, it doesn't matter how good your encryption is if you have no way to prove who you are actually talking to.

There are two different public/private key pairs the server deals with during a DHE scenario. One is the ephemeral set, generated at time of connection, used only for the encryption of that session. The other is the long term pair, and is used for authentication: the public key will be in the certificate, and the private key will sign the whole set of handshake messages.
Certificates are still needed because because an encrypted conversation isn't very useful if you don't really know who it is on the other end of your connection.
Edit: Didn't see Andrew's post above mine, oops! He answered this already =)