Perfect forward secrecy
Latest revision as of 04:49, 8 April 2024
In cryptography, perfect forward secrecy or PFS is a property of key-agreement protocols: compromise of a long-term key does not allow retroactive compromise of communications that were protected by earlier session keys.

For example, assume Alice and Bob have an ongoing communication that involves both session keys, which change fairly often, and one or more long-term keys, which change less often. The long-term keys might be public keys used for authentication, or shared secrets. Further assume an enemy who has an archive of Alice and Bob's messages over some time period and who has just now succeeded in compromising a long-term key. Clearly such a compromise allows him to attack the protocol with the goal of obtaining future session keys and reading future messages.

The interesting question is whether compromise of the long-term key also allows him to obtain old session keys and read the messages in his archive. Perfect forward secrecy is the guarantee that it does not. A protocol achieves this by deriving each session key from ephemeral values, typically an ephemeral Diffie-Hellman exchange, that both parties discard once the session key is established; the long-term key is used only to authenticate the exchange, never to transport or derive the session key itself.

In some contexts, PFS guarantees more than that. In IPsec, for example, PFS is an option that may be set per connection; when it is enabled, each rekey runs a fresh Diffie-Hellman exchange instead of deriving the new keys from existing keying material. It not only guarantees that an enemy who breaks the authentication cannot read old messages, but also that he cannot automatically read future ones: every time the session keys are changed, he must mount another man-in-the-middle attack to obtain the new keys. This does not make future messages secure, since no IPsec system relying on compromised authentication data can be secure, but it does make attacks more expensive and may improve the chance that they will be noticed and blocked.
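The following is an added illustration, not code from the article, of the distinction the article draws: two ways of setting up a session under a long-term shared secret, an archived transcript of each, and an enemy who obtains the long-term secret only after the sessions are over. It assumes Alice and Bob authenticate with HMAC under a pre-shared key (the article's "shared secrets" case), and it uses ephemeral Diffie-Hellman in the 2048-bit MODP group of RFC 3526 for the PFS variant. The prime is transcribed here from memory of the RFC and should be checked against it before any reuse; the function names (`kdf`, `auth_tag`, `session_without_pfs`, `session_with_pfs`, `attacker`, `demo`) and the toy SHA-256 key derivation are illustrative choices, not any standard's.

```python
# Added example (not from the article): forward secrecy under a long-term
# shared key. Assumptions: PSK + HMAC authentication; DH in RFC 3526 group 14.
import hashlib
import hmac
import secrets

# 2048-bit MODP prime (RFC 3526, group 14), transcribed; verify before reuse.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
NBYTES = 256  # group elements are 2048 bits


def kdf(label: bytes, *parts: bytes) -> bytes:
    """Length-prefixed SHA-256 over the parts: a stand-in for a real KDF."""
    h = hashlib.sha256(label)
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


def auth_tag(ltk: bytes, *parts: bytes) -> bytes:
    """HMAC under the long-term key, binding the parts in order."""
    return hmac.new(ltk, kdf(b"mac", *parts), hashlib.sha256).digest()


def session_without_pfs(ltk: bytes):
    """Session key derived from the long-term key plus exchanged nonces.
    Everything except ltk travels on the wire, so an archive plus a later
    compromise of ltk is enough to rebuild the key."""
    na, nb = secrets.token_bytes(16), secrets.token_bytes(16)
    return kdf(b"session", ltk, na, nb), {"na": na, "nb": nb}


def session_with_pfs(ltk: bytes):
    """Ephemeral Diffie-Hellman; ltk only authenticates the public values."""
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    pub_a = pow(G, a, P).to_bytes(NBYTES, "big")
    pub_b = pow(G, b, P).to_bytes(NBYTES, "big")
    mac_a = auth_tag(ltk, b"A", pub_a, pub_b)  # sent by Alice
    mac_b = auth_tag(ltk, b"B", pub_b, pub_a)  # sent by Bob
    # Each side checks the peer's tag before trusting the peer's public value.
    if not (hmac.compare_digest(mac_b, auth_tag(ltk, b"B", pub_b, pub_a))
            and hmac.compare_digest(mac_a, auth_tag(ltk, b"A", pub_a, pub_b))):
        raise ValueError("authentication failed")
    shared_a = pow(int.from_bytes(pub_b, "big"), a, P)  # Alice's view of g^ab
    shared_b = pow(int.from_bytes(pub_a, "big"), b, P)  # Bob's view of g^ab
    assert shared_a == shared_b
    key = kdf(b"session", shared_a.to_bytes(NBYTES, "big"), pub_a, pub_b)
    del a, b, shared_a, shared_b  # ephemeral secrets never leave this function
    return key, {"A": pub_a, "B": pub_b, "mac_a": mac_a, "mac_b": mac_b}


def attacker(ltk: bytes, transcript: dict):
    """Enemy who archived the transcript and has just obtained ltk.
    Returns (recovered old session key or None, whether he can now forge
    authentication tags and so man-in-the-middle future sessions)."""
    if "na" in transcript:
        # No PFS: rerun the key derivation with the stolen long-term key.
        # Holding ltk, he can of course also play either side in future runs.
        return kdf(b"session", ltk, transcript["na"], transcript["nb"]), True
    # PFS: ltk lets him forge tags for future exchanges, but the old session
    # key needs g^ab, and the exponents were never sent and were destroyed.
    forged = auth_tag(ltk, b"A", transcript["A"], transcript["B"])
    return None, hmac.compare_digest(forged, transcript["mac_a"])


def demo():
    ltk = secrets.token_bytes(32)  # long-term secret, compromised after the fact
    key_plain, tr_plain = session_without_pfs(ltk)
    key_pfs, tr_pfs = session_with_pfs(ltk)
    rec_plain, forge_plain = attacker(ltk, tr_plain)
    rec_pfs, forge_pfs = attacker(ltk, tr_pfs)
    return {
        "no_pfs_old_key_recovered": rec_plain == key_plain,
        "pfs_old_key_recovered": rec_pfs == key_pfs,
        "attacker_can_mitm_future_sessions": forge_plain and forge_pfs,
    }


if __name__ == "__main__":
    print(demo())
```

The attacker's position after the compromise is the same in both variants for the future (he can forge authentication tags, so each rekey is his to attack), but only the ephemeral-DH variant denies him the archive, and only because the exponents `a` and `b` are destroyed once the session key exists. Real protocols also bind the transcript into the key derivation and use a proper KDF such as HKDF; the toy `kdf` here is the simplest thing that makes the structural point.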