Forward secrecy


In cryptography, forward secrecy (FS; also known as perfect forward secrecy[1]) is a property of secure communication protocols in which compromise of long-term keys does not compromise past session keys.[2] Forward secrecy protects past sessions against future compromises of secret keys or passwords.[3] If forward secrecy is used, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted should long-term secret keys or passwords be compromised in the future, even if the adversary actively interfered.


The term "perfect forward secrecy" was coined by C. G. Günther in 1990[4] and further discussed by Whitfield Diffie, Paul van Oorschot, and Michael James Wiener in 1992[2] where it was used to describe a property of the Station-to-Station protocol.[5]

Forward secrecy has also been used to describe the analogous property of password-authenticated key agreement protocols where the long-term secret is a (shared) password.[6]

Annex D.5.1 of IEEE 1363-2000 discusses the related one-party and two-party forward secrecy properties of various standard key agreement schemes (for two-party forward secrecy properties compare below 2WIPFS: "2-Way-Instant-Forward-Perfect-Secrecy").

Forward secrecy

A public-key system has the property of forward secrecy if it generates one random public key per session to complete a key agreement, without using a deterministic algorithm. This means that the compromise of one message cannot compromise others as well, and there is no one secret value whose acquisition would compromise multiple messages. This is not to be confused with the perfect secrecy demonstrated by one-time pads: when it is used properly, the one-time pad involves multiple parties agreeing on a set of disposable keys by communicating them fully in private—without a formalized key agreement system—and then using each key for one message only.


Forward secrecy is designed to prevent the compromise of a long-term secret key from affecting the confidentiality of past conversations. However, forward secrecy cannot defend against a successful cryptanalysis of the underlying ciphers being used, since a cryptanalysis consists of finding a way to decrypt an encrypted message without the key, and forward secrecy only protects keys, not the ciphers themselves. A patient attacker can capture a conversation whose confidentiality is protected through the use of public-key cryptography and wait until the underlying cipher is broken (e.g. large quantum computers could be created which allow the discrete logarithm problem to be solved quickly). This would allow the recovery of old plaintexts even in a system employing forward secrecy.
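The difference between a design without forward secrecy and one with it, as an added example that is not part of the original article: two simulated key establishments share the same long-term secret, and a recorded transcript is later combined with that leaked secret. Assumptions: the long-term secret is a high-entropy pre-shared key (`psk`), the Diffie-Hellman group is a toy one (integers modulo the prime 2**255 - 19, base 2), and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy group, for illustration only: integers modulo the prime 2**255 - 19, base 2.
P, G = 2**255 - 19, 2

def enc(n: int) -> bytes:
    return n.to_bytes(32, "big")

def kdf(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def mac(psk: bytes, pub: int) -> bytes:
    return hmac.new(psk, enc(pub), hashlib.sha256).digest()

def static_session(psk: bytes):
    """No forward secrecy: the key is a function of the PSK and public nonces."""
    transcript = {"nonce_a": secrets.token_bytes(16), "nonce_b": secrets.token_bytes(16)}
    return kdf(psk, transcript["nonce_a"], transcript["nonce_b"]), transcript

def ephemeral_session(psk: bytes):
    """Forward secret: fresh DH exponents per session; the PSK only authenticates."""
    a = secrets.randbelow(P - 2) + 1  # ephemeral exponents, gone when this returns
    b = secrets.randbelow(P - 2) + 1
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    transcript = {"pub_a": pub_a, "tag_a": mac(psk, pub_a),
                  "pub_b": pub_b, "tag_b": mac(psk, pub_b)}
    # Each side checks the peer's tag before using the peer's public value
    # (both sides are simulated in this one process).
    if not (hmac.compare_digest(transcript["tag_a"], mac(psk, pub_a))
            and hmac.compare_digest(transcript["tag_b"], mac(psk, pub_b))):
        raise ValueError("peer authentication failed")
    key_a = kdf(enc(pow(pub_b, a, P)), enc(pub_a), enc(pub_b))
    key_b = kdf(enc(pow(pub_a, b, P)), enc(pub_a), enc(pub_b))
    assert key_a == key_b  # both sides derive the same session key
    return key_a, transcript

def recover_after_psk_leak(psk: bytes, transcript: dict):
    """What a recorded transcript plus the later-leaked PSK yields."""
    if "nonce_a" in transcript:  # static design: every key input is now known
        return kdf(psk, transcript["nonce_a"], transcript["nonce_b"])
    # Ephemeral design: the PSK only re-verifies the tags; the key needs a or b,
    # i.e. a discrete logarithm of pub_a or pub_b.
    return None

if __name__ == "__main__":
    psk = secrets.token_bytes(32)  # constructed long-term secret
    for run in (static_session, ephemeral_session):
        key, seen = run(psk)
        print(run.__name__, "recovered:", recover_after_psk_leak(psk, seen) == key)
```

In the ephemeral design the session key never depends on `psk`, which is why leaking it later exposes nothing about past sessions; the caveat above about breaking the underlying discrete logarithm problem still applies.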

Weak perfect forward secrecy

Weak perfect forward secrecy (wPFS) is the weaker property whereby when agents' long-term keys are compromised, the secrecy of previously established session-keys is guaranteed, but only for sessions in which the adversary did not actively interfere. This new notion, and the distinction between this and forward secrecy, was introduced by Hugo Krawczyk in 2005.[7][8] This weaker definition implicitly requires that full (perfect) forward secrecy maintains the secrecy of previously established session-keys even in sessions where the adversary did actively interfere, or attempted to act as a man in the middle.



Forward secrecy is seen as an important security feature by several large Internet information providers. Since late 2011, Google provided forward secrecy with TLS by default to users of its Gmail service, Google Docs service, and encrypted search services.[10] Since November 2013, Twitter provided forward secrecy with TLS to its users.[18] Wikis hosted by the Wikimedia Foundation have all provided forward secrecy to users since July 2014.[19]

Facebook reported as part of an investigation into email encryption that, as of May 2014, 74% of hosts that support STARTTLS also provide forward secrecy.[20] As of May 2016, 51.9% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to modern web browsers.[21]

References


  1. IEEE 1363-2000: IEEE Standard Specifications For Public Key Cryptography. Institute of Electrical and Electronics Engineers, 2000.
  2. Menezes, Alfred; van Oorschot, Paul C.; Vanstone, Scott (1997). Handbook of Applied Cryptography. CRC Press. ISBN 0-8493-8523-7.
  3. Wu, Thomas (1997-11-11). "The Secure Remote Password Protocol". Internet Society Symposium on Network and Distributed System Security. 
  4. Günther, C. G. (1990). "An identity-based key-exchange protocol". Advances in Cryptology EUROCRYPT '89 (LNCS 434): 29–37.
  5. Diffie, Whitfield; van Oorschot, Paul C.; Wiener, Michael J. (June 1992). "Authentication and Authenticated Key Exchanges" (PDF). Designs, Codes and Cryptography. 2 (2): 107–125. doi:10.1007/BF00124891. Retrieved 2013-09-07. 
  6. Jablon, David P. (October 1996). "Strong Password-Only Authenticated Key Exchange". ACM Computer Communication Review. 26 (5): 5–26. doi:10.1145/242896.242897.
  7. Krawczyk, Hugo (2005). HMQV: A High-Performance Secure Diffie-Hellman Protocol. Advances in Cryptology – CRYPTO 2005. Lecture Notes in Computer Science. 3621. pp. 546–566. ISBN 978-3-540-28114-6. doi:10.1007/11535218_33. 
  8. Cremers, Cas; Feltz, Michèle (2015). "Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal" (PDF). Designs, Codes and Cryptography. Springer US. 74 (1): 183–218. doi:10.1007/s10623-013-9852-1. Retrieved 8 December 2015. 
  9. Discussion on the TLS mailing list in October 2007
  10. "Protecting data for the long term with forward secrecy". Retrieved 2012-11-05.
  11. Vincent Bernat. "SSL/TLS & Perfect Forward Secrecy". Retrieved 2012-11-05. 
  12. Unger, Nik; Dechand, Sergej; Bonneau, Joseph; Fahl, Sascha; Perl, Henning; Goldberg, Ian; Smith, Matthew (17–21 May 2015). "SoK: Secure Messaging" (PDF). 2015 IEEE Symposium on Security and Privacy. San Jose, CA: Institute of Electrical and Electronics Engineers: 241. doi:10.1109/SP.2015.22. Retrieved 4 December 2015.
  13. Metz, Cade (5 April 2016). "Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People". Wired. Condé Nast. Retrieved 5 April 2016. 
  14. Seals, Tara (17 September 2015). "G DATA Adds Encryption for Secure Mobile Chat". Infosecurity Magazine. Reed Exhibitions Ltd. Retrieved 24 November 2015. 
  15. "What is Silent Phone?". Silent Circle. 17 September 2015. Archived from the original on 4 March 2016. Retrieved 8 March 2016. 
  16. Armasu, Lucian (3 November 2015). "TextSecure, RedPhone Private Communications Apps Now Combined Into 'Signal' App". Tom's Hardware. Purch Group, Inc. Retrieved 8 March 2016. 
  17. Kahn, Jeremy (10 March 2016). "Amid Apple's FBI fight, app developers are ramping up encryption". Chicago Tribune. Tribune Publishing. Retrieved 12 March 2016. 
  18. Hoffman-Andrews, Jacob. "Forward Secrecy at Twitter". Twitter. Twitter. Retrieved 25 November 2013. 
  19. "Tech/News/2014/27 - Meta". Wikimedia Foundation. 2014-06-30. Retrieved 30 June 2014. 
  20. "The Current State of SMTP STARTTLS Deployment". Retrieved 7 June 2014. 
  21. As of May 5, 2016. "SSL Pulse: Survey of the SSL Implementation of the Most Popular Web Sites". Retrieved 2016-05-13. 
