Gourt Home::Gourt :: Perfect forward secrecy
In an authenticated key agreement protocol that uses public key cryptography, perfect forward secrecy (or PFS) is the property that disclosure of the long-term secret keying material that is used to derive an agreed ephemeral key does not compromise the secrecy of agreed keys from earlier runs.
Forward secrecy has been used as a synonym for perfect forward secrecy IEEE 1363-2000: IEEE Standard Specifications For Public Key Cryptography. Institute of Electrical and Electronics Engineers, 2000. http://grouper.ieee.org/groups/1363/, since the term perfect has been controversial in this context. However, at least one reference Telecom Glossary 2000, T1 523-2001, Alliance for Telecommunications Industry Solutions (ATIS) Committee T1A1. http://www.atis.org/tg2k/_perfect_forward_secrecy.html distinguishes perfect forward secrecy from forward secrecy with the additional property that an agreed key will not be compromised even if agreed keys derived from the same long-term keying material in a subsequent run are compromised.
History
PFS was originally introduced W. Diffie, P.C. van Oorschot & M. Wiener. Authentication and Authenticated Key Exchanges. Designs Codes and Cryptography, 2, 107-125, 1992. by Diffie, van Oorschot, and Wiener and used to describe a property of the Station-to-Station protocol (STS), where the long-term secrets are private keys. PFS requires the use of public key cryptography, and cannot be achieved with symmetric cryptography alone.
PFS has also been used D. Jablon. Strong Password-Only Authenticated Key Exchange. Computer Communication Review, ACM SIGCOMM, vol. 26, no. 5, pp. 5-26, October 1996. to describe the analogous property of password-authenticated key agreement protocols where the long-term secret is a (shared) password.
PFS is an optional feature in IPsec (RFC 2412).
Annex D.5.1 of IEEE 1363-2000 discusses the related one-party and two-party forward secrecy properties of various standard key agreement schemes.
Software
- Off-the-Record Messaging, a cryptography protocol and library for many instant messaging clients, providing perfect forward secrecy as well as deniable encryption.
Notes
References
- H. Orman. The OAKLEY Key Determination Protocol. IETF RFC 2412.
"Perfect forward secrecy"