Re: [TLS] bikeshed: Forward Security or Secrecy?

Hugo Krawczyk <hugo@ee.technion.ac.il> Tue, 01 December 2015 04:10 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/A_57Uuq1xdS0OZvLxzf69ccw1jg>

The more common term is "forward secrecy" - indeed, the normal definition
[1] refers specifically to the secrecy of session keys or ephemeral key
material after being deleted. Other elements of security such as
authentication and integrity are irrelevant so "secrecy" seems to be the
more appropriate term. There are other notions in cryptography that use the
term "forward secure", see
http://www.cs.bu.edu/~itkis/pap/forward-secure-survey.pdf.

[1] "the compromise of long-term keys does not compromise past session
keys"

Hugo


On Mon, Nov 30, 2015 at 4:27 PM, Dave Garrett <davemgarrett@gmail.com>
wrote:

> Which do we like better: "Forward Security" or "Forward Secrecy"? The TLS
> 1.3 draft uses both interchangeably. The term is clearly in a state of
> flux, seeing as we've seemingly collectively agreed to drop the word
> "perfect" from the term, already. Personally, I prefer "security" because
> "secrecy" is a less used word, and to "forward secure" something is
> grammatically OK but to "forward secret" something is not. (e.g. the doc
> says 0RTT data is not "forward secure" but "forward secret" isn't really
> the right phrase here) Everything could be rephrased to use either, but I'd
> like to change all our use to just "forward secure" and stick a note
> somewhere on the terminology.
>
>
> Dave