
Re: Proposal: Perfect forward secrecy a MUST
>From rubin@faline.bellcore.com Wed Dec 14 13:54:55 1994
>Has anyone proposed any protocols for "perfect forward
>secrecy"? Is this concept any different than protocols
>that are resistant to known-key attacks? Are we worried
>about the compromise of both master keys of communicating
>parties, or a bunch of session keys being compromised not
>leading to compromise of all the others?

I believe the issue is primarily one of which keys does
an intruder learn, and what does that allow him to
determine about past encrypted traffic.

If a scheme has long-term keys (a common though not
necessary feature in many key-management protocols)
then perfect forward secrecy means that compromise of
both sides' long-term keys should not allow an intruder to
learn encrypted traffic sent prior to the key compromise.

This assumes that an intruder has recorded all the
encrypted traffic, and once he/she learns the long-term
keys, is in a position to see if that helps him/her
decrypt that past recorded encrypted traffic.

I don't believe that, at least the way I use the term
perfect forward secrecy, or the way Whit Diffie presented
this in his 1990 Paris Securicom paper, that compromise of
temporary traffic keys (e.g. session keys or packet keys)
is what is being referred to here.

I should point out that none of this either mandates
session oriented key management or even DH. It just
so happens that the only practical known ways of doing
this involve using session oriented DH.

However, if you consider a public key cryptosystem
where key-pair generation is an efficient operation,
(RSA does not qualify), then one could generate 
ephemeral public-private key pairs of this cryptosystem, 
and use that to communicate session keys.

This is essentially the reason why DH is usually
used, because public-private key-pair generation
is an efficient operation for DH (requires a
single exponentiation) as opposed to key-pair 
generation for cryptosystems like RSA (where key-pair 
generation is computationally prohibitive for use 
in this manner).

This does not mean that public key cryptosystems
which have a low-overhead for key-pair generation will
not eventually be discovered. Such cryptosystems will 
make good candidates for use in conjunction with
perfect forward secrecy protocols.

>Is there a particular protocol that is
>under consideration that meets all the requirements, or is
>everyone arguing about the concept in general?

I believe a number of such protocols were presented at
the San Jose IETF meeting.

Ashar.
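The contrast the message draws, between long-term keys that feed directly into session keys and ephemeral DH exponents that are discarded after each session, is illustrated by the following added example. It is not code from the original post or from any of the IETF proposals it mentions. It assumes the 768-bit MODP prime of RFC 2409 (Oakley group 1) with generator 2, a 255-bit exponent size, and a deliberately toy SHA-256/HMAC "seal" construction so that it runs with only the Python standard library; none of those choices come from the mail.

```python
"""Added example: why ephemeral DH gives perfect forward secrecy and static keys do not."""
import hashlib
import hmac
import secrets

# 768-bit MODP prime from RFC 2409 (Oakley group 1), generator 2 (assumed constants).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PLEN = (P.bit_length() + 7) // 8
TAG_LEN = 32


def dh_keygen():
    """Key-pair generation is a single modular exponentiation (the point the mail makes)."""
    priv = secrets.randbits(255) | 1          # hypothetical exponent size for the demo
    return priv, pow(G, priv, P)


def derive_key(shared_secret, transcript):
    """Session key = H(g^ab || public transcript)."""
    return hashlib.sha256(shared_secret.to_bytes(PLEN, "big") + transcript).digest()


def _keystream(key, length):
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def seal(key, plaintext):
    """Toy authenticated encryption: SHA-256 counter keystream plus an HMAC tag."""
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, "sha256").digest()


def open_(key, blob):
    """Returns the plaintext, or None when the key does not verify the tag."""
    if len(blob) < TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, len(ct))))


def static_dh_session(a_priv, a_pub, b_priv, b_pub, plaintext):
    """Long-term DH keys (plus a public nonce) are the only input to the session key."""
    nonce = secrets.token_bytes(16)
    shared = pow(b_pub, a_priv, P)
    assert shared == pow(a_pub, b_priv, P)
    blob = seal(derive_key(shared, nonce), plaintext)
    # Everything the intruder records: the nonce and the ciphertext.
    return {"mode": "static", "nonce": nonce, "blob": blob}


def ephemeral_dh_session(a_priv, a_pub, b_priv, b_pub, plaintext):
    """Fresh DH pair per session; long-term keys only authenticate the exchange."""
    x, gx = dh_keygen()
    y, gy = dh_keygen()
    transcript = gx.to_bytes(PLEN, "big") + gy.to_bytes(PLEN, "big")
    auth_key = derive_key(pow(b_pub, a_priv, P), b"auth")   # from long-term keys
    auth_tag = hmac.new(auth_key, transcript, "sha256").digest()
    session_key = derive_key(pow(gy, x, P), transcript)
    assert session_key == derive_key(pow(gx, y, P), transcript)
    blob = seal(session_key, plaintext)
    del x, y, session_key   # ephemeral exponents and the key are discarded
    return {"mode": "ephemeral", "transcript": transcript,
            "auth_tag": auth_tag, "blob": blob}


def intruder_decrypt(record, a_priv, a_pub, b_priv, b_pub):
    """Intruder replays its recording after learning BOTH long-term private keys."""
    long_term_shared = pow(b_pub, a_priv, P)
    if record["mode"] == "static":
        # Long-term keys plus the recorded nonce reproduce the session key exactly.
        return open_(derive_key(long_term_shared, record["nonce"]), record["blob"])
    # Ephemeral: the long-term keys yield only the authentication key. Recovering
    # g^xy from the recorded g^x, g^y would require solving a discrete logarithm.
    auth_key = derive_key(long_term_shared, b"auth")
    return open_(auth_key, record["blob"])


def demo(plaintext=b"recorded traffic from before the compromise"):
    a_priv, a_pub = dh_keygen()
    b_priv, b_pub = dh_keygen()
    keys = (a_priv, a_pub, b_priv, b_pub)
    static_rec = static_dh_session(*keys, plaintext)
    eph_rec = ephemeral_dh_session(*keys, plaintext)
    return {"static": intruder_decrypt(static_rec, *keys),
            "ephemeral": intruder_decrypt(eph_rec, *keys)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the static session's recorded traffic decrypting once the long-term keys are known, while the ephemeral session's recording yields nothing, even though the intruder holds both long-term private keys and the complete transcript. The authentication step is modelled as an HMAC under a key derived from the long-term DH secret purely to show that the long-term keys still have a role (authentication) without contributing to confidentiality of past sessions.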