Re: [saag] Perfect Forward Secrecy vs Forward Secrecy
John Mattsson <john.mattsson@ericsson.com> Thu, 11 November 2021 19:26 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E326D3A0BDE for <saag@ietfa.amsl.com>; Thu, 11 Nov 2021 11:26:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cOSu4LBHo_tB for <saag@ietfa.amsl.com>; Thu, 11 Nov 2021 11:26:37 -0800 (PST)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80083.outbound.protection.outlook.com [40.107.8.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 658EA3A0BD6 for <saag@ietf.org>; Thu, 11 Nov 2021 11:26:37 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=myL0ymP+jdo+KtBumsxbVlZS8T0bDYhjdEHuh0hynAwoj6QgInAkbzAIOicUyMq5sSJBg9iG5pA9fXpph3CtcqFPWtfSTmA27qIVfQxwHM67XyGf5brse7gnei4cA4wlKkEd4gRtbbEzvVqoGBFoDOOTTygR9pTrmVRtT4meLqhZPRtjEirDOtimFoNJy6Vhn/SBWA+xwRJecv+5eQpReU6neQLbOvSU025qoRR8fzSQGFKM57jpajRWGzbboc5GpYgNB3H/dEpqGBj9h84lRtCVs2yOEqK8C9lgZ/YuxytfbPVWTSF1cBBhmJ9ofzyvYPhxWhcdng/3SNwLKBWI1g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ut8LEGKUR5clKH6fRtXVYd2TVTCqhIhqOCYRoMGz01g=; b=Ic3PfPEvVYMEK/DBVInL6fJVeuFvYNvEbchmK3FMcFPcl/NLXpkEv19V7CqvpjwOYQLzegfdrKXmGsSKt451easXxu7dw3R6cWGV6vQlGrWMwdk7/xJPG+xIwVpxGcdZTIZFF1uY7y5l5ClCfSNkWTwNnEu6SPaTbK7mwX53FrxbS81mi6Qvpt8qIjkyRffCvqmLOpfVBx7z670op4RPzfkVSJqXvlXIydsTABu9P0WOU6XTf93yARPVE3mgXm+Z8RnzTgirUqJldRpMYR31iqJzHkxIPjN/ScLfXkodUf3KmlVk0bEKUU/9m0+iRos5hTfIB9UyQB33GBk1YRZ9ng==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ut8LEGKUR5clKH6fRtXVYd2TVTCqhIhqOCYRoMGz01g=; b=dLlwZjhINjsiXoteZDQzAkJlkCECHj/zGfeQLozI18KmBQlCMJuJR2N5acQwq4HWDC6vVNzsF6Vs5LYuj0XeYqoUpG/W7G+BJjxOrW7msyRjIc7ZjH/Lmyu8R5ygZ+S5pmYMCWXpGfVUq9wNjy7CZFseSA++TP3VSUdbBH8bmoo=
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com (2603:10a6:3:4b::8) by HE1PR0701MB2204.eurprd07.prod.outlook.com (2603:10a6:3:2c::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.8; Thu, 11 Nov 2021 19:26:34 +0000
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::acd7:51e8:bdfe:c133]) by HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::acd7:51e8:bdfe:c133%7]) with mapi id 15.20.4690.022; Thu, 11 Nov 2021 19:26:34 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Robert Moskowitz <rgm-sec@htt-consult.com>, Benjamin Kaduk <kaduk@mit.edu>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] Perfect Forward Secrecy vs Forward Secrecy
Thread-Index: AQHV/TKso06RfdooQkCEChEDnwyrYahOjM+AgAbbCwCAARbGAIOr6ek1
Date: Thu, 11 Nov 2021 19:26:33 +0000
Message-ID: <HE1PR0701MB3050B68DC4D7481382DCC4EA89949@HE1PR0701MB3050.eurprd07.prod.outlook.com>
References: <7231a98e-e4a2-55c9-3a51-d62886d7d061@htt-consult.com> <BAFBB844-0AB4-41A5-9A15-B9CED6F6602C@icloud.com> <20200323011940.GI50174@kduck.mit.edu> <117849db-3b7a-d0ec-ccf7-7315e935a13b@htt-consult.com>
In-Reply-To: <117849db-3b7a-d0ec-ccf7-7315e935a13b@htt-consult.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 14b26e12-cc8e-43c5-5040-08d9a5492c16
x-ms-traffictypediagnostic: HE1PR0701MB2204:
x-microsoft-antispam-prvs: <HE1PR0701MB2204F88D9273D7E39046A27289949@HE1PR0701MB2204.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 7Dk+ymnZGDaWwXWosy9s9GCCSuOpyhQk6p9ntmi4PE8+b8OI7OnjGkSQiEx1+G47ASDxWHggwnbYvdknPAVTiLPtkcBYTVbuVnUZ+0pIO3fwq8cvvfuHgoqDNS7iBReGEmQKPdgWkDeVZI6J6s2xKMMCt43J/nA5ehbmzxaDrY+ig+ye3ERQj/PKunfYJIckDsLxB1QL0vA1KbgHUnYNp7XsnxekeeUdPBdLkDHvItOFxaRMDIprr2GVJs9eJkeJzel5o36juLtGZssQFzY4o2X5wvLbGtVIWAZijX+xt1wkJkLB0zNggztNkvym6CdCw5UHGyxWNjXqmK9NY5qI1SbmyZduC/0Q12svLD87Ul13cniMTbTLqRjbyCgUHM1XuvODtv35UtOwdahrtTHSp+SUv4z8YMqEygHJpOuVUst3zZmQIAHXz4zLc8NmIOCaxwh/E9kjM6UFtkbJWmNLQCEte5EcoiloFaLOC8NzuufFOzuoeUhRrcIH/Dgq0W3QGRaBaKBNnWsQ4Zsn8KytLpPB63OSG17AP/J+BPOCd/fIi0X4Ciengv7HaH71ieuVNFdkfqVmKooXUU7rpp4a6Mt+TgFY2W59mz406Ibtk2aoz0sF+1tZeSUC24rP+AeJ14oc5WeMqSDqzIgzpZQFC7PAzmxAM6zTFSjU/kT9r/dhPRFi6beYfLScYyV0n0AZD646w6ICfiMZFBfIHw6hk92VZVpCQ5/yslkYf/UKjSp3qTQS5vVqYIT5x9n32z8mynUXa5sSNCcYAxvMxexM3QaPMKHGRiPHsaJLpLQyO76UO7cEjd5gdySN4S5LQik5
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0701MB3050.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(53546011)(186003)(66476007)(33656002)(66556008)(26005)(8936002)(66446008)(8676002)(38070700005)(82960400001)(64756008)(44832011)(6506007)(91956017)(55016002)(2906002)(316002)(110136005)(508600001)(9686003)(86362001)(76116006)(52536014)(166002)(38100700002)(7696005)(71200400001)(66946007)(5660300002)(83380400001)(966005)(122000001)(554374003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: QVRQefhZXjZemriiQst/o2m1DQ0QtnkazIPh6lwgFZpO6pTHVTS6+TFhSdCBBgjVAnFi1flS6vVDC8CGGAf4wSVICDV+mp5wHU3D5FMn5CeeOsdyt/bMH1e+6IJjXbl9oRmlI6IAxLBaf8RUDoC2/3gbjAfomr67KlH8b2fQjVW/aAMXPPBPQ+Bn1MmneCt5u72Swip/5Ooetyf/YmbCHVdvfLRa36ZXMhacomLh7Fk7v0urV2NWE3D26tQNtBrXLwpLcun5j2Sbm2xUxAd6vsPJYC5xgoOUVNYXoaVWI4TINfB9P8d1b2rvEssFrPyiXSIKQJSWelPUAm+SvmDgAebeZBbWjI2rs0EKOPweM1epMN/e/JFzT3cd3az/XdYvEhPAzZmofTrRZykE/Ne5JU/U+3pGRrllWlQ9pqV0N4Ph196E/kO5O+FA1VzQnA6RTEg4ofNqkaNj18YwRGaIhmXtv2+uGk529Av01J/Rb/kniS2ExvgZkgMYa8rcwelJ1LEm6EsWX6p8iOG4iirFhnjirvufrGH/dDp2qz671QT1uLpu2Jefk4zurNsqM3ZQJUrR0Ici+PZi6bCFxsp1VmLx58BGIL3glpi1ZZ4k1l3cFuT6vfg6mjW7ToMwmJdlalJHZinRcPjOzIhjLbZ7O0IvwyQo8u/tEF2jibXtX8gPIrj1CpXK89MajiRzi1pifSE3iXBuXvso/bOSsrULGzLO8uKHkgDb9tC5TcFOMmfRvi46kS+31ev07+OjFyfU9Srh+hQY1xIEpVQd4nDfrNSTkYJZ/5H6mDsucpEM+lZFwDOGaQjWiPSHV5op2fgwCM8Yp1d+0JFPgrD0nRZ82dJOF3+a4tfHh90uwRQFuKOA7unWHU3I7FNxa3cg8V9dSj3KApyqpmc0ZinfYhgmaGZWFDEWRsirmPltOx8lUMUxdcUjZ9gn3hxK0SPUA6+jOT2Dnj/kv5zmP8B3iv5QNzEMXvz0gLzdaPCY7KsQyAKdqpLL998iSPuNhjPdoavWnZg6RtlfcJD1WcCmw8nul0fn753e/da8hmCvjHhtvzoCWb9y19BFh5cpJavmciBLmKxKL9qPegC9+nfUgGVq/abMPxn1jC7cukiPiEllclKQQaG212Kr2XtzfygO72OF3EjubiZpvF0j1+FqjObaCAVpYG1jurvbtgSUR5ny8ykOxFggHp5WBemI/8rHefvBfn3KGsHEsr6Tux9RpDuQCjwGtMchOaBMWBqO4iPSdU7bIn6M6q6TQXrY/+AX1E58vccZb25pdACSLOXFC3s/rCCWIFkY9PnUX/PFJ7tnaYGRJwiq6dm9DSSeGhk4+Otzep93S9xO34CHoNtwyzp1u14Xp6ZJeeqGXL4QKXdo18va4RK5Aq4aMsc5H73dkMAgsY6YiAXaJTj9xPHlT9D9Ll/T16qfJD97gO3xeTeW/jkHJDzCsjj8QqqHamVgnPA/qExFPuXbpkpXHliDe5nVUgd2fqwvACxj4eW3IJq8zBl+lkJQuL2oZQanIA2nvnw3dGTdHLtVCCTMxoNOHgb4Xl33IFm92TdoZFGa693X0kph5Hmjh6XdA7H4ohXPzaSykypRuOz6yzggC2AiQl2Jo/IwEbO/EniMnOcHMCoDUM1RPRfkBmb912EynRozvzlrsMzsa2SDn8JmXwlYJpi61k/l68a2Lu/ZAOf0pz/veyM=
Content-Type: multipart/alternative; boundary="_000_HE1PR0701MB3050B68DC4D7481382DCC4EA89949HE1PR0701MB3050_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0701MB3050.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 14b26e12-cc8e-43c5-5040-08d9a5492c16
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Nov 2021 19:26:33.7312 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 4fyMHDvQkDUnUhTh7Xm4I+z3bM2i+vKvMvJzTbMaRcPxXKlrESyEiehO8yPJatexhwN62JpYyWgQe2eTA9HnS0MEc9oCoFicXtPzapRYL9k=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2204
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/6ImeENhteXGdLsnaJHRoN6LW1zk>
Subject: Re: [saag] Perfect Forward Secrecy vs Forward Secrecy
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Nov 2021 19:26:43 -0000
Hi,
I see that I am six months late to this discussion.
I agree that it is good to stop using the term PFS. PFS have been used in so many different meanings that you basically need to define the term if you want to use it. The term "forward secrecy" is less muddled.
But as PFS has been used to mean so many different things, I think it is problematic and dangerous to just say that we shall now use the term "forward secrecy" instead of PFS.
Examples from the discussion in RFC 4949:
"given some of the session keys derived from those protocol
runs, you cannot derive unknown past session keys or future
session keys."
"There also is the idea that compromise of a single key will
compromise only the data protected by the single key."
PFS is quite often used to mean frequently rerunning Diffie-Hellman:
NIST SP 800-77r1 (2020):
"Perfect Forward Secrecy (PFS). IPsec endpoints create session
keys that are changed frequently, typically once an hour."
ANSSI DAT-NT-003-EN (2015):
"It is recommended to force the periodic renewal of the keys,
e.g. every hour and every 100 GB of data, in order to limit the
impact of a key compromise.
The property "forward secrecy" does not imply that an attacker has to do "dynamic key exfiltration" [RFC 7624]. If symmetric cryptography is used to achieve "forward secrecy" an attacker can still do "static key exfiltration" [RFC 7624].
Frequently rerunning Diffie-Hellman forces an attacker to do "dynamic key exfiltration" (or content exfiltration). Every protocol does not need to enforce "dynamic key exfiltration" by itself but I think most systems should, unless they are constrained IoT where rerunning Diffie-Hellman every few hours is not realistic.
It is sad to see that RFC 7624 has so few citations. I think it is an excellent and very useful document, especially the discussion and definition of various types of key exfiltration. I think most work in the security area should consider if an attacker can get away with static key exfiltration and if it is possible to add mechanisms or guidance to force attackers to do dynamic key exfiltration.
Cheers,
John
From: saag <saag-bounces@ietf.org> on behalf of Robert Moskowitz <rgm-sec@htt-consult.com>
Date: Monday, 23 March 2020 at 19:01
To: Benjamin Kaduk <kaduk@mit.edu>, saag@ietf.org <saag@ietf.org>
Subject: Re: [saag] Perfect Forward Secrecy vs Forward Secrecy
On 3/22/20 9:19 PM, Benjamin Kaduk wrote:
> On Wed, Mar 18, 2020 at 09:38:07AM -0700, Jon Callas wrote:
>> We don't do "perfect" security in our fundamentals, because, as the unnamed AD said, it's hard to achieve.
> For what little it's worth, the AD doesn't have to be unnamed; I'm happy to
> own up to making the request of Bob. I just haven't gotten fully caught up
> on mail yet.
And draft 17 reflects this view of Forward Secrecy.
Thanks, Ben.
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag
- [saag] Perfect Forward Secrecy vs Forward Secrecy Robert Moskowitz
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Salz, Rich
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Robert Moskowitz
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Christopher Wood
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Salz, Rich
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Nico Williams
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Dan Brown
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Nico Williams
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Mark D. Baushke
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Jon Callas
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Eric Rescorla
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Christopher Wood
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Nico Williams
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Hao, Feng
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Eric Rescorla
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Nico Williams
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Dan Brown
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Benjamin Kaduk
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… Robert Moskowitz
- Re: [saag] Perfect Forward Secrecy vs Forward Sec… John Mattsson