IETF Logo Mail Archive

Re: [saag] Perfect Forward Secrecy vs Forward Secrecy

Nico Williams <nico@cryptonector.com> Wed, 18 March 2020 19:31 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9323E3A1AA9 for <saag@ietfa.amsl.com>; Wed, 18 Mar 2020 12:31:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QXOowav2h4Hq for <saag@ietfa.amsl.com>; Wed, 18 Mar 2020 12:31:17 -0700 (PDT)
Received: from black.elm.relay.mailchannels.net (black.elm.relay.mailchannels.net [23.83.212.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07CD63A1AA4 for <saag@ietf.org>; Wed, 18 Mar 2020 12:31:16 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id BD14D21EBC; Wed, 18 Mar 2020 19:31:15 +0000 (UTC)
Received: from pdx1-sub0-mail-a58.g.dreamhost.com (100-96-215-21.trex.outbound.svc.cluster.local [100.96.215.21]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id BFEC821E45; Wed, 18 Mar 2020 19:31:14 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a58.g.dreamhost.com ([TEMPUNAVAIL]. [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.18.5); Wed, 18 Mar 2020 19:31:15 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Scare-Invention: 387676ad2e33cffe_1584559875426_2443504614
X-MC-Loop-Signature: 1584559875425:1220657887
X-MC-Ingress-Time: 1584559875425
Received: from pdx1-sub0-mail-a58.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a58.g.dreamhost.com (Postfix) with ESMTP id 2A62880524; Wed, 18 Mar 2020 12:31:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=e8ckrBCGYQ/4u2 5FA9yz2Gi/tEI=; b=ds2Xa1gNqwwhVHhYS1q5cSRfgwFcxALcPOHm2FKkHCvQH7 hgp3fqt61rXZ73UqB0E0mu3E/RBcV1gaqSqpba4gIdbJo5bUuxUe9jfyz+16jsdl TonG4zGsIOB35gZchawkNbMTAXygCtpw7BvlhjTwxX1rEMo6h1/W5PBF2IC2k=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a58.g.dreamhost.com (Postfix) with ESMTPSA id 3F077802A7; Wed, 18 Mar 2020 12:31:07 -0700 (PDT)
Date: Wed, 18 Mar 2020 14:31:04 -0500
X-DH-BACKEND: pdx1-sub0-mail-a58
From: Nico Williams <nico@cryptonector.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "Mark D. Baushke" <mdb=40juniper.net@dmarc.ietf.org>, saag@ietf.org
Message-ID: <20200318193103.GK18021@localhost>
References: <7231a98e-e4a2-55c9-3a51-d62886d7d061@htt-consult.com> <F318A864-CC99-47F7-BEFF-608F93AEB451@akamai.com> <6b73afd0-6eda-4533-a499-166934702f6e@www.fastmail.com> <3517.1584548794@eng-mail01.juniper.net> <20200318164718.GJ18021@localhost> <CABcZeBPU3HEBAFwPi4bF7VRMxyYZZsJWoTktgB+NouWww8GRTQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CABcZeBPU3HEBAFwPi4bF7VRMxyYZZsJWoTktgB+NouWww8GRTQ@mail.gmail.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: 0
X-VR-OUT-SPAMCAUSE: =?utf-8?q?gggruggvucftvghtrhhoucdtuddrgedugedrudefjedgud?= =?utf-8?q?dukecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucggtfgfnhhsuhgsshg?= =?utf-8?q?trhhisggvpdfftffgtefojffquffvnecuuegrihhlohhuthemuceftddtnecunecu?= =?utf-8?q?jfgurhepfffhvffukfhfgggtuggjfgesthdtredttdervdenucfhrhhomheppfhit?= =?utf-8?q?ghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtoh?= =?utf-8?q?hmqeenucffohhmrghinhepphgvrhhfvggtthhfohhrfigrrhgushgvtghrvggthid?= =?utf-8?q?rtghomhdpihgvthhfrdhorhhgnecukfhppedvgedrvdekrddutdekrddukeefnecu?= =?utf-8?q?vehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmohguvgepshhmthhppdhhv?= =?utf-8?q?ghloheplhhotggrlhhhohhsthdpihhnvghtpedvgedrvdekrddutdekrddukeefpd?= =?utf-8?q?hrvghtuhhrnhdqphgrthhhpefpihgtohcuhghilhhlihgrmhhsuceonhhitghoseg?= =?utf-8?q?trhihphhtohhnvggtthhorhdrtghomheqpdhmrghilhhfrhhomhepnhhitghosegt?= =?utf-8?q?rhihphhtohhnvggtthhorhdrtghomhdpnhhrtghpthhtohepnhhitghosegtrhihp?= =?utf-8?q?hhtohhnvggtthhorhdrtghomh?=
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/YJmPMwR_bRcYsjr5e80iDEUfhnU>
Subject: Re: [saag] Perfect Forward Secrecy vs Forward Secrecy
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Mar 2020 19:31:19 -0000

On Wed, Mar 18, 2020 at 10:17:35AM -0700, Eric Rescorla wrote:
> On Wed, Mar 18, 2020 at 9:47 AM Nico Williams <nico@cryptonector.com> wrote:
> > On Wed, Mar 18, 2020 at 09:26:34AM -0700, Mark D. Baushke wrote:
> > > There is also https://www.perfectforwardsecrecy.com/ which has a
> > > paragraph
> > >
> > >       Forward Secrecy has been used as a synonym for Perfect Forward
> > >       Secrecy but there is a subtle difference between the two. Perfect
> > >       Forward Secrecy has the additional property that an agreed key
> > >       will not be compromised even if agreed keys derived from the same
> > >       long-term keying material in a subsequent run are compromised.
> >
> > Are there examples in Internet protocols of FS key agreement protocols
> > that aren't also PFS?  I'm not denying that it's possible to construct an
> > FS-but-not-PFS key agreement protocols, but I'm wondering whether we
> > need a name for those when we wouldn't want to have any of them.
> 
> I've honestly never seen this particular distinction of FS vs. PFS drawn
> and I'm not quite sure it's that useful.

+1.  Calling this just FS and not PFS is fine with me, even if fear of
misunderstanding "perfect" strikes anyone as silly.

> Consider the case of a typical SIGMA-based AKE like TLS. The handshake
> protocol typically spits out one piece of shared entropy (e.g., the TLS 1.2
> master secret) which is then key expanded into multiple working (traffic)
> keys. Assuming a strong KDF, then generally working key A cannot be used to
> derive working key B. However, the MS can be used to derive A or B. So is
> this PFS or just FS? Depends on where you draw the line for "agreed key",
> right?

+1

> ISTM that using "perfect" or not doesn't convey enough info and we should
> instead talk about protocols being forward secure with respect to certain
> attacks (as is the case in MLS). See for instance:
> https://tools.ietf.org/rfcmarkup?doc=8446#section-8.1

+1.

v2.8.7 | Report a Bug | By Email