*** Welcome to piglix ***

Forward secrecy


In cryptography, forward secrecy (FS; also known as perfect forward secrecy) is a property of secure communication protocols in which compromise of long-term keys does not compromise past session keys. Forward secrecy protects past sessions against future compromises of secret keys or passwords. If forward secrecy is used, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted should long-term secret keys or passwords be compromised in the future, even if the adversary actively interfered.

The term "perfect forward secrecy" was coined by C. G. Günther in 1990 and further discussed by Whitfield Diffie, Paul van Oorschot, and Michael James Wiener in 1992 where it was used to describe a property of the .

Forward secrecy has also been used to describe the analogous property of password-authenticated key agreement protocols where the long-term secret is a (shared) password.

Annex D.5.1 of IEEE 1363-2000 discusses the related one-party and two-party forward secrecy properties of various standard key agreement schemes (for two-party forward secrecy properties compare below 2WIPFS: "2-Way-Instant-Forward-Perfect-Secrecy").

A public-key system has the property of forward secrecy if it generates one random secret key per session to complete a key agreement, without using a deterministic algorithm. This means that the compromise of one message cannot compromise others as well, and there is no one secret value whose acquisition would compromise multiple messages. This is not to be confused with the perfect secrecy demonstrated by one-time pads: when it is used properly, the one-time pad involves multiple parties agreeing on a set of disposable keys by communicating it fully in private—without a formalized key agreement system—and then using each key for one message only.

Forward secrecy is designed to prevent the compromise of a long-term secret key from affecting the confidentiality of past conversations. However, forward secrecy cannot defend against a successful cryptanalysis of the underlying ciphers being used, since a cryptanalysis consists of finding a way to decrypt an encrypted message without the key, and forward secrecy only protects keys, not the ciphers themselves. A patient attacker can capture a conversation whose confidentiality is protected through the use of public-key cryptography and wait until the underlying cipher is broken (e.g. large quantum computers could be created which allow the discrete logarithm problem to be computed quickly). This would allow the recovery of old plaintexts even in a system employing forward secrecy.


...
Wikipedia

...