完美前向保密PFS

本文介绍了前向安全性(Forward Security)及完美前向安全性(Perfect Forward Secrecy),这两种概念确保即使长期密钥泄露,过去通信的安全性也能得到保障。讨论了这些特性在不同协议中的应用,如TLS、SSH等,并探讨了它们在现代互联网服务中的重要性。

===========来自网友===========

“前向安全性”应当是叫做“forward security”。该定义最早是由Mihir Bellare和Sara K. Miner在 CRYPTO’99上提出的关于数字签名的性质[1]。
而“perfect forward secrecy”则是由Christoph G. Günther在EUROCRYPT ’89提出的,其最初用于定义会话密钥交换协议的一种安全性[2]。

(Perfect)Forward secrecy的大致意思是:用来产生会话密钥(session key)的长期密钥(long-term key)泄露出去,不会造成之前通讯时使用的会话密钥(session key)的泄露,也就不会暴漏以前的通讯内容。简单的说,当你丢了这个long-term key之后,你以后的行为的安全性无法保证,但是你之前的行为是保证安全的。
之所以Perfect加上括号,是因为这个词蕴含了无条件安全的性质,大部分的forward secrecy方案是无法达到Perfect的。
而forward security的保证的是:敌手获取到了你当前的密钥,但是也无法成功伪造一个过去的签名。

简单的说,这两个概念是用在不同的环境中,但是其意图是一样的:保证密钥丢失之前的消息安全性或签名的不可伪造性。
一般而言,满足Forward secrecy或者forward security的公钥环境下的(签名、密钥交换或加密)方案,其公钥是固定的,而密钥则随着时间进行更新。这个更新过程是单向的,因此也就保证了拿到当前的密钥,是无法恢复出以前的密钥,从而保证了“前向安全”。

与之相对应的还有“后向安全( backward secrecy或security)”的概念,不过这个概念研究的比较少,题主有兴趣可以自行查找该概念。

参考文献:
[1] Bellare, Mihir, and Sara K. Miner. "A forward-secure digital signature scheme." Advances in Cryptology—Crypto’99. Springer Berlin Heidelberg, 1999.
[2] Günther, Christoph G. "An identity-based key-exchange protocol." Advances in Cryptology—Eurocrypt’89. Springer Berlin Heidelberg, 1989.

 

 

===========维基百科===========

中文翻译在这里http://blog.youkuaiyun.com/gufachongyang02/article/details/53392842

Forward secrecy

From Wikipedia, the free encyclopedia
 
 

In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a property of secure communication protocols in which compromise of long-term keys does not compromise past session keys. Forward secrecy protects past sessions against future compromises of secret keys or passwords. If forward secrecy is used, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted should long-term secret keys or passwords be compromised in the future, even if the adversary actively interfered.

 

 

History[edit]

The term "perfect forward secrecy" was coined by C. G. Günther in 1990 and further discussed by Whitfield DiffiePaul van Oorschot, and Michael James Wiener in 1992[1] where it was used to describe a property of the Station-to-Station protocol.[2]

Forward secrecy has also been used to describe the analogous property of password-authenticated key agreement protocols where the long-term secret is a (shared) password.[3]

Annex D.5.1 of IEEE 1363-2000 discusses the related one-party and two-party forward secrecy properties of various standard key agreement schemes (for two-party forward secrecy properties compare below 2WIPFS: "2-Way-Instant-Perfect-Forward-Secrecy").

Forward secrecy[edit]

A public-key system has the property of forward secrecy if it generates one random secret key per session to complete a key agreement, without using a deterministic algorithm. This means that the compromise of one message cannot compromise others as well, and there is no one secret value whose acquisition would compromise multiple messages. This is not to be confused with the perfect secrecy demonstrated by one-time pads: when it is used properly, the one-time pad involves multiple parties agreeing on a set of disposable keys by communicating it fully in private—without a formalized key agreement system—and then using each key for one message only.

Attacks[edit]

Forward secrecy is designed to prevent the compromise of a long-term secret key from affecting the confidentiality of past conversations. However, forward secrecy cannot defend against a successful cryptanalysis of the underlying ciphers being used, since a cryptanalysis consists of finding a way to decrypt an encrypted message without the key, and forward secrecy only protects keys, not the ciphers themselves. A patient attacker can capture a conversation whose confidentiality is protected through the use of public-key cryptography and wait until the underlying cipher is broken (e.g. large quantum computers could be created which allow the discrete logarithm problem to be computed quickly). This would allow the recovery of old plaintexts even in a system employing forward secrecy.

Weak perfect forward secrecy[edit]

Weak perfect forward secrecy (wPFS) is the weaker property whereby when agents' long-term keys are compromised, the secrecy of previously established session-keys is guaranteed, but only for sessions in which the adversary did not actively interfere. This new notion, and the distinction between this and forward secrecy was introduced by Hugo Krawczyk in 2005.[4][5] This weaker definition implicitly requires that full (perfect) forward secrecy maintains the secrecy of previously established session keys even in sessions where the adversary did actively interfere, or attempted to act as a man in the middle.

Protocols[edit]

Forward secrecy is present in several major protocol implementations, such as SSH and as an optional feature in IPsec (RFC 2412). Off-the-Record Messaging, a cryptography protocol and library for many instant messaging clients, provides forward secrecy as well as deniable encryption.

In Transport Layer Security (TLS), Diffie–Hellman key exchange-based PFSs (DHE-RSA, DHE-DSA) and elliptic curve Diffie–Hellman-based PFSs (ECDHE-RSA, ECDHE-ECDSA) are available. In theory, TLS can choose appropriate ciphers since SSLv3, but in everyday practice many implementations have refused to offer forward secrecy or only provide it with very low encryption grade.[6]

OpenSSL supports forward secrecy using elliptic curve Diffie–Hellman since version 1.0,[7] with a computational overhead of approximately 15%.[8]

The Signal Protocol uses the Double Ratchet Algorithm to provide forward secrecy.[9] The protocol was developed by Open Whisper Systems in 2013[10] and was first introduced in theSignal app in February 2014.[11] It has since been implemented into WhatsAppFacebook Messenger, and Google Allo, encrypting the conversations of "more than a billion people worldwide".[12]

On the other hand, among popular protocols currently in use, WPA doesn't support forward secrecy.

Use[edit]

Forward secrecy is seen as an important security feature by several large Internet information providers. Since late 2011, Google provided forward secrecy with TLS by default to users of its Gmail service, Google Docs service, and encrypted search services.[7] Since November 2013, Twitter provided forward secrecy with TLS to its users.[13] Wikis hosted by theWikimedia Foundation have all provided forward secrecy to users since July 2014.[14]

Facebook reported as part of an investigation into email encryption that, as of May 2014, 74% of hosts that support STARTTLS also provide Forward Secrecy.[15] As of June 2016, 51.9% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to modern web browsers.[16]

At WWDC 2016, Apple announced that all iOS apps would need to use "ATS" (App Transport Security), a feature which enforces the use of HTTPS transmission. Specifically, ATS requires the use of an encryption cipher that provides forward secrecy.[17] ATS became mandatory for apps on Jan 1st, 2017.[18]

See also[edit]

References[edit]

  1.  Menzies, Alfred; van Oorscot, Paul C.; Vanstone, SCOTT (1997). Handbook of Applied Cryptography. CRC Pres.ISBN 0-8493-8523-7.
  2.  Diffie, Whitfield; van Oorschot, Paul C.; Wiener, Michael J. (June 1992). "Authentication and Authenticated Key Exchanges" (PDF). Designs, Codes and Cryptography2(2): 107–125. doi:10.1007/BF00124891. Retrieved2013-09-07.
  3.  Jablon, David P. (October 1996). "Strong Password-Only Authenticated Key Exchange". ACM Computer Communication Review26 (5): 5–26.CiteSeerX 10.1.1.81.2594Freely accessible.doi:10.1145/242896.242897.
  4.  Krawczyk, Hugo (2005). HMQV: A High-Performance Secure Diffie-Hellman Protocol. Advances in Cryptology – CRYPTO 2005. Lecture Notes in Computer Science. 3621. pp. 546–566. ISBN 978-3-540-28114-6.doi:10.1007/11535218_33.
  5.  Cremers, Cas; Feltz, Michèle (2015). "Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal" (PDF). Designs, Codes and Cryptography. Springer US. 74 (1): 183–218.doi:10.1007/s10623-013-9852-1. Retrieved 8 December2015.
  6.  Discussion on the TLS mailing list in October 2007
  7. a b "Protecting data for the long term with forward secrecy". Retrieved 2012-11-05.
  8.  Vincent Bernat. "SSL/TLS & Perfect Forward Secrecy". Retrieved 2012-11-05.
  9. Unger, Nik; Dechand, Sergej; Bonneau, Joseph; Fahl, Sascha; Perl, Henning; Goldberg, Ian; Smith, Matthew (17–21 May 2015). "SoK: Secure Messaging" (PDF). 2015 IEEE Symposium on Security and Privacy. San Jose, CA: Institute of Electrical and Electronics Engineers: 241.doi:10.1109/SP.2015.22. Retrieved 4 December 2015.
  10.  Ermoshina, Ksenia; Musiani, Francesca; Halpin, Harry (September 2016). "End-to-End Encrypted Messaging Protocols: An Overview". In Bagnoli, Franco; et al.Internet Science. INSCI 2016. Florence, Italy: Springer. pp. 244–254. ISBN 978-3-319-45982-0doi:10.1007/978-3-319-45982-0_22.
  11. Donohue, Brian (24 February 2014). "TextSecure Sheds SMS in Latest Version"Threatpost. Retrieved 14 July2016.
  12.  "Moxie Marlinspike - 40 under 40"Fortune. Time Inc. 2016. Retrieved 22 September 2016.
  13.  Hoffman-Andrews, Jacob. "Forward Secrecy at Twitter".Twitter. Twitter. Retrieved 25 November 2013.
  14.  "Tech/News/2014/27 - Meta"Wikimedia Foundation. 2014-06-30. Retrieved 30 June 2014.
  15.  "The Current State of SMTP STARTTLS Deployment". Retrieved 7 June 2014.
  16.  As of June 2, 2016. "SSL Pulse: Survey of the SSL Implementation of the Most Popular Web Sites". Retrieved 2016-06-17.
  17. https://developer.apple.com/library/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html#//apple_ref/doc/uid/TP40016198-SW14
  18.  "App Transport Security REQUIRED January 2017 | Apple Developer Forums"forums.developer.apple.com. Retrieved 2016-10-20.

External links[edit]

转载于:https://www.cnblogs.com/justinh/p/7478943.html

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值