Perfect forward secrecy

From Citizendium, the Citizens' Compendium
This article is a stub and thus not approved.

In cryptography, perfect forward secrecy or PFS is a property of communication protocols which prevents the retroactive compromise of communications: the later loss of a long-term key does not expose traffic that was protected before that loss.

For example, assume Alice and Bob have an ongoing communication that uses both session keys, which change fairly often, and one or more long-term keys, which change less often. The long-term keys might be public keys used for authentication, or shared secrets. Further assume an enemy who has an archive of Alice and Bob's messages over some time period and who has just now succeeded in compromising a long-term key. Clearly such a compromise allows him to attack the protocol with the goal of obtaining future session keys and reading future messages.

The interesting question is whether compromise of a long-term key also allows him to obtain old session keys and read messages in his archive. Perfect forward secrecy is a guarantee that this is impossible.
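The distinction above, as an added illustration that is not part of the original article: a protocol whose session keys are derived from the long-term secret and public nonces (no PFS) beside one using ephemeral Diffie-Hellman, where the long-term key only authenticates the exchange (PFS). The DH group (p = 2^127 - 1, g = 3) and the HMAC used as a stand-in for authentication are constructed for demonstration and far too small for real use.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only: p = 2**127 - 1
# (a Mersenne prime), g = 3. Not suitable for any real deployment.
P = (1 << 127) - 1
G = 3


def no_pfs_session_key(long_term_key: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    # No PFS: the session key is a deterministic function of the long-term
    # secret and two nonces that travel in the clear.
    return hmac.new(long_term_key, b"session" + nonce_a + nonce_b, hashlib.sha256).digest()


def run_no_pfs():
    long_term_key = secrets.token_bytes(32)
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    session_key = no_pfs_session_key(long_term_key, nonce_a, nonce_b)
    transcript = (nonce_a, nonce_b)  # what an eavesdropper can archive
    return long_term_key, session_key, transcript


def recover_old_key_no_pfs(compromised_long_term_key: bytes, transcript) -> bytes:
    # Long-term key plus archived transcript recomputes the old session key.
    nonce_a, nonce_b = transcript
    return no_pfs_session_key(compromised_long_term_key, nonce_a, nonce_b)


def pfs_session_key(own_ephemeral_secret: int, peer_ephemeral_public: int) -> bytes:
    shared = pow(peer_ephemeral_public, own_ephemeral_secret, P)
    return hashlib.sha256(b"session" + shared.to_bytes(16, "big")).digest()


def run_pfs():
    # PFS: ephemeral DH; the long-term key authenticates the public values
    # (HMAC stands in for a signature) but is never an input to the session key.
    long_term_key = secrets.token_bytes(32)
    a, b = secrets.randbelow(P - 3) + 2, secrets.randbelow(P - 3) + 2
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    signed = pub_a.to_bytes(16, "big") + pub_b.to_bytes(16, "big")
    auth_tag = hmac.new(long_term_key, signed, hashlib.sha256).digest()
    session_key = pfs_session_key(a, pub_b)
    assert session_key == pfs_session_key(b, pub_a)  # both sides agree
    del a, b  # ephemeral secrets are discarded once the session key exists
    transcript = (pub_a, pub_b, auth_tag)  # everything the eavesdropper sees
    return long_term_key, session_key, transcript


def recover_old_key_pfs(compromised_long_term_key: bytes, transcript, budget: int = 100000):
    # The long-term key does not help with the archive: the attacker is left
    # with a discrete-log search over the ephemeral values. A bounded brute
    # force stands in for that search and gives up, returning None.
    pub_a, pub_b, _auth_tag = transcript
    for guess in range(1, budget):
        if pow(G, guess, P) == pub_a:
            return pfs_session_key(guess, pub_b)
    return None
```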

In some contexts, PFS guarantees more than that. In IPsec, for example, PFS is an option which may be set for connections. It not only guarantees that an enemy who breaks the authentication cannot read old messages, but also that he cannot automatically read future messages. Every time the session keys are changed, he must do another man-in-the-middle attack to obtain the new keys. This does not make future messages secure — no IPsec system relying on compromised authentication data can be secure — but it does make attacks more expensive and may improve the chance that they will be noticed and blocked.