Forward secrecy

From Wikipedia, the free encyclopedia

In cryptography, forward secrecy (also known as perfect forward secrecy or PFS[1]) is a property of key-agreement protocols that ensures that a session key derived from a set of long-term keys will not be compromised if one of the long-term keys is compromised in the future. The key used to protect transmission of data must not be used to derive any additional keys, and if the key used to protect transmission of data was derived from some other keying material, that material must not be used to derive any more keys. Thus, compromise of a single key will permit access only to data protected by a single key.

More specifically:

  • Forward secrecy is obtained by generating new key material for each session, that is generating an ephemeral key to be used for all messages of a conversation (e.g. by using a Diffie–Hellman key exchange): in a worst-case scenario (such as arrest with live forensics performed on the device to retrieve the current ephemeral key in-memory), an adversary could only retroactively decode the ciphertext for the messages exchanged during that conversation, but none from the previous conversations.
  • Perfect forward secrecy is obtained by continuously ratcheting the key material during each session, that is generating a new ephemeral key for each message of a conversation (e.g. by piggy-backing new Diffie–Hellman key exchanges on them): in the same worst-case scenario, an adversary could retroactively decode only the two last messages exchanged during that conversation, and still none from the previous conversations.
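The following simulation, added here as an illustration and not part of the original article, contrasts a session keyed from the parties' long-term Diffie–Hellman keys with one keyed from per-session ephemeral keys. It assumes a toy DH group (a 127-bit Mersenne prime, far too small for real use) and SHA-256 as a stand-in key derivation function; an eavesdropper who records the exchange and later obtains Alice's long-term private key recovers the session key only in the first case.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only:
# real deployments use 2048-bit+ MODP groups or elliptic curves.
P = 2**127 - 1   # Mersenne prime M127
G = 3            # group element used as the base (toy choice)


def keygen():
    """Return a (private, public) DH key pair in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def kdf(shared_secret):
    """Derive a session key from a DH shared secret (SHA-256 as a stand-in KDF)."""
    return hashlib.sha256(b"session" + shared_secret.to_bytes(16, "big")).digest()


def session_without_fs(alice_lt, bob_lt):
    """Static-static DH: the session key depends only on the long-term keys.
    Returns (Alice's key, Bob's key, what an eavesdropper records)."""
    a_priv, a_pub = alice_lt
    b_priv, b_pub = bob_lt
    k_alice = kdf(pow(b_pub, a_priv, P))
    k_bob = kdf(pow(a_pub, b_priv, P))
    return k_alice, k_bob, {"A": a_pub, "B": b_pub}


def session_with_fs(alice_lt, bob_lt):
    """Ephemeral DH: the long-term public keys only identify the parties
    (sent along here as a stand-in for STS-style signatures on the ephemeral
    values); the session key comes from fresh key pairs that are discarded."""
    ea_priv, ea_pub = keygen()
    eb_priv, eb_pub = keygen()
    k_alice = kdf(pow(eb_pub, ea_priv, P))
    k_bob = kdf(pow(ea_pub, eb_priv, P))
    del ea_priv, eb_priv   # ephemeral private keys are erased after the session
    return k_alice, k_bob, {"A": alice_lt[1], "B": bob_lt[1],
                            "EA": ea_pub, "EB": eb_pub}


def later_compromise(transcript, alice_lt_priv):
    """Attacker who recorded the transcript and later obtains Alice's long-term
    private key: the only secret the transcript lets them compute is the
    static-static one. It equals the session key only in the non-FS case."""
    return kdf(pow(transcript["B"], alice_lt_priv, P))
```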

History

Forward secrecy was originally introduced by Whitfield Diffie, Paul van Oorschot, and Michael James Wiener. It was used to describe a property of the Station-to-Station protocol (STS), where the long-term secrets are private keys.[2]

Forward secrecy has also been used to describe the analogous property of password-authenticated key agreement protocols where the long-term secret is a (shared) password.[3]

Annex D.5.1 of IEEE 1363-2000 discusses the related one-party and two-party forward secrecy properties of various standard key agreement schemes.

Perfect Forward Secrecy

Public-key systems that generate fresh random public keys for each session's key agreement, rather than deriving them from any deterministic algorithm, exhibit a property referred to as perfect forward secrecy. This means that the compromise of one message cannot lead to the compromise of others, and also that there is no single secret value whose compromise can lead to the compromise of multiple messages.

This is not to be confused with the concept of perfect secrecy demonstrated by one-time pads, where the ciphertext reveals no information whatsoever and appears completely random.

Attacks

Forward secrecy is designed to prevent the compromise of a long-term secret key from affecting the confidentiality of past conversations. However, forward secrecy (including perfect forward secrecy) cannot defend against a successful cryptanalysis of the underlying ciphers being used, since cryptanalysis consists of finding a way to decrypt an encrypted message without the key, and forward secrecy only protects keys, not the ciphers themselves. A patient attacker can capture a conversation whose confidentiality is protected through the use of public-key cryptography and wait until the underlying cipher is broken (e.g. large quantum computers could be created which allow the discrete logarithm problem to be computed quickly). This would allow the recovery of old plaintexts even in a system employing forward secrecy. Such attacks are purely theoretical.

Protocols

Use

Forward secrecy is seen as an important security feature by several large Internet information providers. Since late 2011, Google has provided forward secrecy with TLS by default to users of its Gmail service, along with Google Docs and encrypted search, among other services.[7] Since November 2013, Twitter has provided forward secrecy with TLS to users of its service.[8] As of February 2014, 5.3% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to web browsers.[9]

See also

Notes

  1. IEEE 1363-2000: IEEE Standard Specifications For Public Key Cryptography. Institute of Electrical and Electronics Engineers, 2000. http://grouper.ieee.org/groups/1363/
  2. Diffie, Whitfield; van Oorschot, Paul C.; Wiener, Michael J. (June 1992). "Authentication and Authenticated Key Exchanges". Designs, Codes and Cryptography 2 (2): 107–125. doi:10.1007/BF00124891. Retrieved 2013-09-07.
  3. Jablon, David P. (October 1996). "Strong Password-Only Authenticated Key Exchange". ACM Computer Communication Review 26 (5): 5–26. doi:10.1145/242896.242897. Retrieved 2013-09-07. 
  4. Discussion on the TLS mailing list in October 2007
  5. "Protecting data for the long term with forward secrecy". Retrieved 2012-11-05. 
  6. Vincent Bernat. "SSL/TLS & Perfect Forward Secrecy". Retrieved 2012-11-05. 
  7. "Protecting data for the long term with forward secrecy". Retrieved 2012-11-05. 
  8. Hoffman-Andrews, Jacob. "Forward Secrecy at Twitter". Twitter. Retrieved 25 November 2013.
  9. "SSL Pulse: Survey of the SSL Implementation of the Most Popular Web Sites". As of 3 February 2014. Retrieved 2014-02-07.

External links

This article is issued from Wikipedia. The text is available under the Creative Commons Attribution/Share Alike; additional terms may apply for the media files.