IETF Logo Mail Archive

Re: [saag] Perfect Forward Secrecy vs Forward Secrecy

Eric Rescorla <ekr@rtfm.com> Wed, 18 March 2020 17:18 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 607A93A18F2 for <saag@ietfa.amsl.com>; Wed, 18 Mar 2020 10:18:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LfzqlBRZ3Gs4 for <saag@ietfa.amsl.com>; Wed, 18 Mar 2020 10:18:14 -0700 (PDT)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1DCD3A0872 for <saag@ietf.org>; Wed, 18 Mar 2020 10:18:13 -0700 (PDT)
Received: by mail-lj1-x230.google.com with SMTP id g12so27991577ljj.3 for <saag@ietf.org>; Wed, 18 Mar 2020 10:18:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xQv9AnvPp5IGut8vpJdoR2FKD46B9hh8ZtnFfmynEwM=; b=i1N4WAzCHU7imB1y/HEZPJnRtXrYvqPUA9wIrP8mc4RuhueVy49YXjskxl5Egt7WEt 1fK1YBpnI7OUEgqC4YwbMG8nRk8HFoPDWLrpiHp0a2xMJwj3t/ozlDm/x//s6iy+e9KL cqAKz+UAap+I58iRZ+L+XjKoZLAo3GIVN9D9KX0iFR+YaiL7v/s3KYS/pIfmszR9B72b m3ErkLJ/TJ7lypdmC050YXbnev0BJrLMYiT2n6g7WFZ3yc16e/joZu2QbdAfsqe0i8N4 3CoiOJZ5ar1G5xglC7FINQ8ZifoUm7csr11OEvePkyQTvEoZ+BGqXWlr0+vJL/f+aGbn 00SQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xQv9AnvPp5IGut8vpJdoR2FKD46B9hh8ZtnFfmynEwM=; b=t1mwS+IxizMTjA4cNU8SqWaRL3UdqjZluEmonXoftbt2k0ptupfGVF8OXcLFR0IlYS l7YTd36bfLywtps52FSEF7GNDprLGjW3cMM94eEogXSfBi/pBjF4kg4pEnZG5EtkZgxX EwClk0TbQNqR0mwikglpKVu+mqr86ZScMpYjvPO0oGMaQ2LX4+1Serpq0d/x4zMlDWk6 Q5HozdldqCk9HYS/K4ShI3xdspEsU2sMOdenLHQce5iBHs6XeXAws8z6pJEsp21cs252 IBnEw9pik9rhsHgM4yKScKSO35uVgbzDF5TvL344bx0U6uVhC4zRyLIgrs4Ung9BVNN2 fXeg==
X-Gm-Message-State: ANhLgQ25o+baHFNwe7tPSFZsMEUNr5AhXqhFkXDO9MqRf0gi5PWzwcSw LfQFt9LInHqiwFPEZbiMsgfEpXBGRgmsjjRlS5dR8crBx5Jlhg==
X-Google-Smtp-Source: ADFU+vvnGC/PwWo4AzaMBA1C4oIhYgFBJFtBx8OaMAdXkWl8/Fryu7U/V+/FcBa+m2d979VH+17P4BaCtBzFHu1ipgY=
X-Received: by 2002:a2e:908f:: with SMTP id l15mr2879998ljg.120.1584551892042; Wed, 18 Mar 2020 10:18:12 -0700 (PDT)
MIME-Version: 1.0
References: <7231a98e-e4a2-55c9-3a51-d62886d7d061@htt-consult.com> <F318A864-CC99-47F7-BEFF-608F93AEB451@akamai.com> <6b73afd0-6eda-4533-a499-166934702f6e@www.fastmail.com> <3517.1584548794@eng-mail01.juniper.net> <20200318164718.GJ18021@localhost>
In-Reply-To: <20200318164718.GJ18021@localhost>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 18 Mar 2020 10:17:35 -0700
Message-ID: <CABcZeBPU3HEBAFwPi4bF7VRMxyYZZsJWoTktgB+NouWww8GRTQ@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Cc: "Mark D. Baushke" <mdb=40juniper.net@dmarc.ietf.org>, saag@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a75f0d05a1243c71"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Il8BNTiKwuPYxoHxeJgxRDY0KO4>
Subject: Re: [saag] Perfect Forward Secrecy vs Forward Secrecy
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Mar 2020 17:18:17 -0000

On Wed, Mar 18, 2020 at 9:47 AM Nico Williams <nico@cryptonector.com> wrote:

> On Wed, Mar 18, 2020 at 09:26:34AM -0700, Mark D. Baushke wrote:
> >   Menzies, Alfred; van Oorscot, Paul C.; Vanstone, SCOTT (1997).
> >   Handbook of Applied Cryptography. CRC Pres. ISBN 978-0-8493-8523-0.
> >
> >       In cryptography, forward secrecy (FS), also known as perfect
> >       forward secrecy (PFS), is a feature of specific key agreement
> >       protocols that gives assurances that session keys will not be
> >       compromised even if the private key of the server is compromised.
> >
> > There is also https://www.perfectforwardsecrecy.com/ which has a
> paragraph
> >
> >       Forward Secrecy has been used as a synonym for Perfect Forward
> >       Secrecy but there is a subtle difference between the two. Perfect
> >       Forward Secrecy has the additional property that an agreed key
> >       will not be compromised even if agreed keys derived from the same
> >       long-term keying material in a subsequent run are compromised.
> >
> > along with more justification of differences.
>
> Are there examples in Internet protocols of FS key agreement protocols
> that aren't also PFS?  I'm not denying that it's possible to construct an
> FS-but-not-PFS key agreement protocols, but I'm wondering whether we
> need a name for those when we wouldn't want to have any of them.
>

I've honestly never seen this particular distinction of FS vs. PFS drawn
and I'm not quite sure it's that useful.

Consider the case of a typical SIGMA-based AKE like TLS. The handshake
protocol typically spits out one piece of shared entropy (e.g., the TLS 1.2
master secret) which is then key expanded into multiple working (traffic)
keys. Assuming a strong KDF, then generally working key A cannot be used to
derive working key B. However, the MS can be used to derive A or B. So is
this PFS or just FS? Depends on where you draw the line for "agreed key",
right?

To make things more complicated, when you have a protocol that offers
resumption (as with TLS) you have to be able to talk about the FS
properties of resumed data, which may be different from those of the rest
of the data. As a concrete example:

- In TLS 1.2, you need to store the MS as long as you want resumption,
which means that compromise of the session database at time T2 also
compromises stored sessions from time T1 < T.
- In TLS 1.3, the resumption master secret is different from the MS, so
compromise at T2 doesn't compromise T1 if you use a session database and
delete promptly. However if you use session tickets, then the STK threatens
PFS. So in this case, it's not even a property of the AKE.

ISTM that using "perfect" or not doesn't convey enough info and we should
instead talk about protocols being forward secure with respect to certain
attacks (as is the case in MLS). See for instance:
https://tools.ietf.org/rfcmarkup?doc=8446#section-8.1


-Ekr

v2.23.0 | Report a Bug | By Email