Forward secrecy

In cryptography, forward secrecy (FS; also known as perfect forward secrecy, or PFS^[1]) is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future. The key used to protect transmission of data must not be used to derive any additional keys, and if the key used to protect transmission of data is derived from some other keying material, then that material must not be used to derive any more keys. In this way, compromise of a single key permits access only to data protected by that single key.

History

Forward secrecy was originally introduced by Whitfield Diffie, Paul van Oorschot, and Michael James Wiener. It used to describe a property of the Station-to-Station protocol (STS), where the long-term secrets are private keys.^[2]

Forward secrecy has also been used to describe the analogous property of password-authenticated key agreement protocols where the long-term secret is a (shared) password.^[3]

Annex D.5.1 of IEEE 1363-2000 discusses the related one-party and two-party forward secrecy properties of various standard key agreement schemes (for two-party forward secrecy properties compare below 2WIPFS: "2-Way-Instant-Forward-Perfect-Secrecy").

Perfect forward secrecy (PFS)

A public-key system demonstrates a property referred to as perfect forward secrecy (PFS) when it:

generates random public keys per session for the purposes of key agreement, and
does not use any sort of deterministic algorithm in doing so.

This means that the compromise of one message cannot lead to the compromise of others, and also that there is not a single secret value which can lead to the compromise of multiple messages.

This is not to be confused with the concept of perfect secrecy demonstrated by one-time pads, where the ciphertext reveals no information whatsoever and appears completely random.

Attacks

Forward secrecy is designed to prevent the compromise of a long-term secret key from affecting the confidentiality of past conversations. However, forward secrecy (including perfect forward secrecy) cannot defend against a successful cryptanalysis of the underlying ciphers being used, since a cryptanalysis consists of finding a way to decrypt an encrypted message without the key, and forward secrecy only protects keys, not the ciphers themselves. A patient attacker can capture a conversation whose confidentiality is protected through the use of public-key cryptography and wait until the underlying cipher is broken (e.g. large quantum computers could be created which allow the discrete logarithm problem to be computed quickly). This would allow the recovery of old plaintexts even in a system employing perfect forward secrecy.

Terminology

Cryptographer Daniel J. Bernstein criticized the use of the phrase "perfect forward secrecy", arguing that it gives people the wrong impression of the security benefits that forward secrecy offers, and suggesting that the phrase "key erasure" better describes the concept.^[4]

Protocols

Forward secrecy is an optional feature in IPsec (RFC 2412).
SSH
Off-the-Record Messaging, a cryptography protocol and library for many instant messaging clients, provides forward secrecy as well as deniable encryption.
In Transport Layer Security (TLS), Diffie–Hellman key exchange-based PFSs (DHE-RSA, DHE-DSS) and elliptic curve Diffie–Hellman-based PFSs (ECDHE-RSA, ECDHE-ECDSA) are available. In theory, TLS can choose appropriate ciphers since SSLv3, but in everyday practice many implementations have refused to offer forward secrecy or only provide it with very low encryption grade.^[5] OpenSSL supports forward secrecy using elliptic curve Diffie–Hellman since version 1.0,^[6] with a computational overhead of approximately 15%.^[7]

Use

Forward secrecy is seen as an important security feature by several large Internet information providers. Since late 2011, Google provided forward secrecy with TLS by default to users of its Gmail service, Google Docs service, and encrypted search services.^[6] Since November 2013, Twitter provided forward secrecy with TLS to its users.^[8] Wikis hosted by the Wikimedia Foundation have all provided forward secrecy to users since July 2014.^[9]

Facebook reported as part of an investigation into email encryption that, as of May 2014, 74% of hosts that support STARTTLS also provide Perfect Forward Secrecy.^[10] As of April 2015, 26.9% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to modern web browsers.^[11]

References

↑ IEEE 1363-2000: IEEE Standard Specifications For Public Key Cryptography. Institute of Electrical and Electronics Engineers, 2000. http://grouper.ieee.org/groups/1363/
↑ Diffie, Whitfield; van Oorschot, Paul C.; Wiener, Michael J. (June 1992). "Authentication and Authenticated Key Exchanges". Designs, Codes and Cryptography 2 (2): 107–125. doi:10.1007/BF00124891. Retrieved 2013-09-07.
↑ Jablon, David P. (October 1996). "Strong Password-Only Authenticated Key Exchange". ACM Computer Communication Review 26 (5): 5–26. doi:10.1145/242896.242897. CiteSeerX: 10.1.1.81.2594.
↑ MinimaLT: Minimal-latency Networking Through Better Security
↑ Discussion on the TLS mailing list in October 2007
↑ 6.0 6.1 "Protecting data for the long term with forward secrecy". Retrieved 2012-11-05.
↑ Vincent Bernat. "SSL/TLS & Perfect Forward Secrecy". Retrieved 2012-11-05.
↑ Hoffman-Andrews, Jacob. "Forward Secrecy at Twitter". Twitter. Twitter. Retrieved 25 November 2013.
↑ "Tech/News/2014/27 - Meta". Wikimedia Foundation. 2014-06-30. Retrieved 30 June 2014.
↑ "The Current State of SMTP STARTTLS Deployment". Retrieved 7 June 2014.
↑ As of April 5, 2015. "SSL Pulse: Survey of the SSL Implementation of the Most Popular Web Sites". Retrieved 2015-04-08.

External links

RFC 2412 IETF, H. Orman. The OAKLEY Key Determination Protocol
Forward-secure-survey An overview
Forward Secrecy can block the NSA from secure web pages, but no one uses it Computerworld June 21, 2013
SSL: Intercepted today, decrypted tomorrow Netcraft June 25, 2013
Deploying Forward Secrecy SSL Labs June 25, 2013
SSL Labs test for web browsers
SSL Labs test for web servers

SSL and TLS

Protocols

Technology

Certificate authority
Certificate revocation list
DNS Certification Authority Authorization
DNS-based Authentication of Named Entities
Extended Validation Certificate
HTTP Strict Transport Security
HTTP Public Key Pinning
OCSP stapling
Perfect forward secrecy
Public key certificate
Public-key cryptography
Public key infrastructure
Root certificate
Server Name Indication

History

Implementations

Notaries

Vulnerabilities

Theory	Man-in-the-middle attack Padding oracle attack Lucky Thirteen attack

Cipher	Bar mitzvah attack

Protocol	BEAST BREACH CRIME POODLE (in regards to SSL 3.0)

Implementation	Certificate authority compromise Random number generator attacks FREAK goto fail Heartbleed POODLE (in regards to TLS 1.0)

Forward secrecy

History

Perfect forward secrecy (PFS)

Attacks

Terminology

Protocols

Use

See also

References

External links