In an authenticated key-agreement protocol that uses public key cryptography, perfect forward secrecy (or PFS) is the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the (long-term) private keys is compromised in the future.
Forward secrecy has been used as a synonym for perfect forward secrecy [1], since the term perfect has been controversial in this context. However, at least one reference [2] distinguishes perfect forward secrecy from forward secrecy with the additional property that an agreed key will not be compromised even if agreed keys derived from the same long-term keying material in a subsequent run are compromised.
Perfect Forward Secrecy (PFS) refers to the notion that compromise of a single key will permit access to only data protected by a single key. For PFS to exist the key used to protect transmission of data MUST NOT be used to derive any additional keys, and if the key used to protect transmission of data was derived from some other keying material, that material MUST NOT be used to derive any more keys.
Contents |
PFS was originally introduced [3] by Diffie, van Oorschot, and Wiener and used to describe a property of the Station-to-Station protocol (STS), where the long-term secrets are private keys. PFS requires the use of public key cryptography, and cannot be achieved with symmetric cryptography alone.
PFS has also been used [4] to describe the analogous property of password-authenticated key agreement protocols where the long-term secret is a (shared) password.
Annex D.5.1 of IEEE 1363-2000 discusses the related one-party and two-party forward secrecy properties of various standard key agreement schemes.
|