What is the difference between DH and DHE?

Diffie-Hellman is an asymmetric algorithm, with a public key and a private key.

In a "DH_RSA" cipher suite, the server's "permanent" key pair is a DH key pair. The public key is in the server's certificate. That certificate, like any certificate, has been signed by a CA, and that CA uses a RSA key pair (that's what the 'RSA' means in "DH_RSA").

In a "DHE_RSA" cipher suite, the server's permanent key pair has type RSA; the RSA public key is in the server's certificate (the cipher suite says nothing about the type of key used by the issuing CA, but it is usually RSA as well). When a client connects, the server generates a transient DH key pair and sends the public key to the client as a ServerKeyExchange message; the server signs that message with its permanent RSA private key.

Forward secrecy is a property defined relatively to ulterior theft of server secrets. "DHE_RSA" cipher suites provide forward secrecy because the actual key exchange secret (the DH private key) is transient, thus not saved by the server -- if the server does not save that key on its disk, then it should be immune to ulterior theft. Conversely, "DH_RSA" implies that the DH private key is stored somewhere on the server's hard disk, and if that key is stolen, then past recorded session can be decrypted.

One must note that some servers will keep they DH key pairs around for some time, usually in RAM; they don't make a new DH key pair for each client. This behaviour has some performance benefits but slightly weakens the forward secrecy, by definition. This really depends on the model you use to define "ulterior theft": are you talking about retrieving an old hard disk in a dumpster, or a malware that inspect RAM contents?


But I was not able to understand why simple RSA_DH does not support forward secrecy.

Lets say Alice is the client and Bob is the server and use the variable names from your diagram.

In non ephemeral dh b is part of the certificate which means B is a long term secret. Eve records the session including the value of a.

Some time later Eve gets hold of B, maybe she hacked the server, maybe she called her friends in law enforcement who forced the server admin to hand it over. Eve can then calculate aB and hence calculate the session secret and decrypt the session.

With ephemeral dh B is only a short term secret. So Eve's later compromise of the server is far less likely to reveal it.