Perfect forward secrecy
From Wikipedia, the free encyclopedia
In an authenticated key agreement protocol that uses public key cryptography, perfect forward secrecy (or PFS) is the property that disclosure of the long-term secret keying material that is used to derive an agreed ephemeral key does not compromise the secrecy of agreed keys from earlier runs.
Forward secrecy has been used as a synonym for perfect forward secrecy [1], since the term perfect has been controversial in this context. However, at least one reference [2] distinguishes perfect forward secrecy from forward secrecy by the additional property that an agreed key will not be compromised even if agreed keys derived from the same long-term keying material in a subsequent run are compromised.
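The definition above, as an added example that is not part of the original article: a static Diffie-Hellman run, whose key derives from the long-term secrets, is compared with an ephemeral run in which the long-term secrets only authenticate the exchange, and both recorded runs are then re-examined after the long-term private key is disclosed. The toy 127-bit group, the HMAC-based authentication tag and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Toy group (assumption): 2**127 - 1 is prime but far too small for real use.
P, G = 2**127 - 1, 3

def keypair():
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def kdf(shared, *public):
    """Hash a DH result together with the public values of the run."""
    h = hashlib.sha256(shared.to_bytes(16, "big"))
    for v in public:
        h.update(v.to_bytes(16, "big"))
    return h.digest()

def static_run(lt_priv, peer_lt_pub, transcript):
    """Not forward secret: the key derives from long-term secrets and public nonces."""
    return kdf(pow(peer_lt_pub, lt_priv, P), *transcript)

def ephemeral_run(lt_priv, peer_lt_pub, eph_priv, peer_eph_pub, transcript):
    """Forward secret: long-term keys only authenticate the ephemeral values."""
    auth_key = kdf(pow(peer_lt_pub, lt_priv, P))
    tag = hmac.new(auth_key, kdf(0, *transcript), "sha256").digest()
    return kdf(pow(peer_eph_pub, eph_priv, P), *transcript), tag

def recompute_after_disclosure(leaked_lt_priv, peer_lt_pub, transcript):
    """Key derivable from a disclosed long-term secret plus the recorded public values."""
    return kdf(pow(peer_lt_pub, leaked_lt_priv, P), *transcript)

def demo():
    lt_a, lt_pub_a = keypair()          # long-term key pairs of the two parties
    lt_b, lt_pub_b = keypair()
    nonces = (secrets.randbits(64), secrets.randbits(64))
    k_static = static_run(lt_a, lt_pub_b, nonces)
    ea, ea_pub = keypair()              # fresh ephemeral key pairs for this run
    eb, eb_pub = keypair()
    k_eph, _tag = ephemeral_run(lt_a, lt_pub_b, ea, eb_pub, (ea_pub, eb_pub))
    del ea, eb                          # ephemeral secrets are erased when the run ends
    # Later disclosure of lt_a, applied to the two recorded transcripts:
    static_exposed = recompute_after_disclosure(lt_a, lt_pub_b, nonces) == k_static
    eph_exposed = recompute_after_disclosure(lt_a, lt_pub_b, (ea_pub, eb_pub)) == k_eph
    return static_exposed, eph_exposed

if __name__ == "__main__":
    print(demo())
```

The static run's key is exposed by the disclosure, while the ephemeral run's key is not, because the only secrets that produced it were erased at the end of the run.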
History
PFS was originally introduced [3] by Diffie, van Oorschot, and Wiener and used to describe a property of the Station-to-Station protocol (STS), where the long-term secrets are private keys. PFS requires the use of public key cryptography, and cannot be achieved with symmetric cryptography alone.
PFS has also been used [4] to describe the analogous property of password-authenticated key agreement protocols where the long-term secret is a (shared) password.
PFS is an optional feature in IPsec (RFC 2412).
Annex D.5.1 of IEEE 1363-2000 discusses the related one-party and two-party forward secrecy properties of various standard key agreement schemes.
See also
- Diffie-Hellman key exchange is a cryptographic protocol that provides perfect forward secrecy.
Software
- Off-the-Record Messaging, a cryptographic protocol and library for many instant messaging clients, providing perfect forward secrecy as well as deniable encryption.
Notes
- [1] IEEE 1363-2000: IEEE Standard Specifications For Public Key Cryptography. Institute of Electrical and Electronics Engineers, 2000. http://grouper.ieee.org/groups/1363/
- [2] Telecom Glossary 2000, T1 523-2001, Alliance for Telecommunications Industry Solutions (ATIS) Committee T1A1. http://www.atis.org/tg2k/_perfect_forward_secrecy.html
- [3] W. Diffie, P.C. van Oorschot & M. Wiener. Authentication and Authenticated Key Exchanges. Designs Codes and Cryptography, 2, 107-125, 1992.
- [4] D. Jablon. Strong Password-Only Authenticated Key Exchange. Computer Communication Review, ACM SIGCOMM, vol. 26, no. 5, pp. 5-26, October 1996.
References
- H. Orman. The OAKLEY Key Determination Protocol. IETF RFC 2412.