Re: [saag] Perfect Forward Secrecy vs Forward Secrecy

Nico Williams <nico@cryptonector.com> Wed, 18 March 2020 16:47 UTC

Date: Wed, 18 Mar 2020 11:47:20 -0500
From: Nico Williams <nico@cryptonector.com>
To: "Mark D. Baushke" <mdb=40juniper.net@dmarc.ietf.org>
Cc: saag@ietf.org, Christopher Wood <caw@heapingbits.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/0k1HIlUNPAwm3GU72p9xfgZfWiM>

On Wed, Mar 18, 2020 at 09:26:34AM -0700, Mark D. Baushke wrote:
>   Menezes, Alfred; van Oorschot, Paul C.; Vanstone, Scott (1997).
>   Handbook of Applied Cryptography. CRC Press. ISBN 978-0-8493-8523-0.
> 
>       In cryptography, forward secrecy (FS), also known as perfect
>       forward secrecy (PFS), is a feature of specific key agreement
>       protocols that gives assurances that session keys will not be
>       compromised even if the private key of the server is compromised.
> 
> There is also https://www.perfectforwardsecrecy.com/ which has a paragraph
> 
>       Forward Secrecy has been used as a synonym for Perfect Forward
>       Secrecy but there is a subtle difference between the two. Perfect
>       Forward Secrecy has the additional property that an agreed key
>       will not be compromised even if agreed keys derived from the same
>       long-term keying material in a subsequent run are compromised.
> 
> along with more justification of differences.

Are there examples in Internet protocols of FS key agreement protocols
that aren't also PFS?  I'm not denying that it's possible to construct
FS-but-not-PFS key agreement protocols, but I'm wondering whether we
need a name for those when we wouldn't want to have any of them.

Nico
--