Perfect forward secrecy
From Wikipedia, the free encyclopedia
In an authenticated key-agreement protocol that uses public key cryptography, perfect forward secrecy (or PFS) is the property that a session key derived from a set of long-term public and private keys will not be compromised if one of the long-term private keys is compromised in the future.
Forward secrecy has been used as a synonym for perfect forward secrecy [1], since the term perfect has been controversial in this context. However, at least one reference [2] distinguishes perfect forward secrecy from forward secrecy: perfect forward secrecy additionally requires that an agreed key will not be compromised even if keys agreed in subsequent runs using the same long-term keying material are compromised.
History
PFS was originally introduced [3] by Diffie, van Oorschot, and Wiener and used to describe a property of the Station-to-Station protocol (STS), where the long-term secrets are private keys. PFS requires the use of public key cryptography, and cannot be achieved with symmetric cryptography alone.
PFS has also been used [4] to describe the analogous property of password-authenticated key agreement protocols where the long-term secret is a (shared) password.
Annex D.5.1 of IEEE 1363-2000 discusses the related one-party and two-party forward secrecy properties of various standard key agreement schemes.
See also
- Diffie-Hellman key exchange is a cryptographic protocol that provides perfect forward secrecy.
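The following is an added toy example (not from the article) contrasting the two cases the definition above distinguishes: static Diffie-Hellman, where the long-term private keys are themselves the DH exponents, against ephemeral Diffie-Hellman in the STS style, where fresh exponents are used per session and the long-term keys only authenticate them. The group parameters, party names and dictionary layout are constructed for the example; signatures are omitted.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this example only (far too small to be secure).
P = 2**127 - 1   # a Mersenne prime
G = 3

def kdf(shared_secret: int) -> bytes:
    """Derive a 256-bit session key from a DH shared secret."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()

def keygen():
    """Return a (private exponent, public value) DH key pair."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

# Variant 1: static DH. The long-term key pairs ARE the DH keys, so the session key
# is a fixed function of long-term material: no forward secrecy.
def static_session(alice_lt_priv, bob_lt_pub):
    return kdf(pow(bob_lt_pub, alice_lt_priv, P))

# Variant 2: ephemeral DH (STS-style). Fresh exponents are drawn per session; the
# long-term keys would only sign g^a and g^b (signatures omitted in this toy).
def ephemeral_session():
    a, ga = keygen()
    b, gb = keygen()
    key = kdf(pow(gb, a, P))
    assert key == kdf(pow(ga, b, P))   # both sides agree on the session key
    transcript = {"ga": ga, "gb": gb}  # everything an eavesdropper can record
    del a, b                           # ephemeral secrets are erased after use
    return key, transcript

def recover_static(transcript, leaked_alice_lt_priv):
    """A later leak of Alice's long-term key reproduces the recorded session key."""
    return kdf(pow(transcript["bob_lt_pub"], leaked_alice_lt_priv, P))

def recover_ephemeral(transcript, leaked_alice_lt_priv):
    """The leaked key is unrelated to a and b; combining it with the transcript
    yields a value that is not the session key."""
    return kdf(pow(transcript["gb"], leaked_alice_lt_priv, P))

def demo():
    """Run one session of each variant, then leak Alice's long-term private key."""
    alice_priv, alice_pub = keygen()
    _, bob_pub = keygen()
    static_key = static_session(alice_priv, bob_pub)
    static_transcript = {"alice_lt_pub": alice_pub, "bob_lt_pub": bob_pub}
    eph_key, eph_transcript = ephemeral_session()
    return {"static_recovered": recover_static(static_transcript, alice_priv) == static_key,
            "ephemeral_recovered": recover_ephemeral(eph_transcript, alice_priv) == eph_key}
```

Running `demo()` returns `static_recovered` as True and `ephemeral_recovered` as False: the recorded ephemeral session stays protected after the long-term key leaks, which is exactly the property the article defines.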
Protocols
- PFS is an optional feature in IPsec (RFC 2412).
- SSH.
- Off-the-Record Messaging, a cryptography protocol and library for many instant messaging clients, providing perfect forward secrecy as well as deniable encryption.
- In theory, Transport Layer Security has been able to negotiate cipher suites that provide PFS since SSLv3, but in everyday practice many implementations refuse to offer PFS or offer it only at a very low encryption strength. [5]
Notes
- [1] IEEE 1363-2000: IEEE Standard Specifications For Public Key Cryptography. Institute of Electrical and Electronics Engineers, 2000. http://grouper.ieee.org/groups/1363/
- [2] Telecom Glossary 2000, T1 523-2001, Alliance for Telecommunications Industry Solutions (ATIS) Committee T1A1. http://www.atis.org/tg2k/_perfect_forward_secrecy.html
- [3] Diffie, Whitfield; van Oorschot, Paul C.; Wiener, Michael J. (June 1992). "Authentication and Authenticated Key Exchanges". Designs, Codes and Cryptography (2).
- [4] Jablon, David P. (October 1996). "Strong Password-Only Authenticated Key Exchange". ACM Computer Communication Review 26 (5): 5–26.
- [5] Discussion on the TLS mailing list in October 2007
References
- H. Orman. The OAKLEY Key Determination Protocol. IETF RFC 2412.