- Perfect forward secrecy
In an authenticated key-agreement protocol that uses public key cryptography, perfect forward secrecy (or PFS) is the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the private keys is compromised in the future.
Forward secrecy has been used as a synonym for perfect forward secrecy [IEEE 1363-2000: IEEE Standard Specifications For Public Key Cryptography. Institute of Electrical and Electronics Engineers, 2000. http://grouper.ieee.org/groups/1363/], since the term "perfect" has been controversial in this context. However, at least one reference [Telecom Glossary 2000, T1 523-2001, Alliance for Telecommunications Industry Solutions (ATIS) Committee T1A1. http://www.atis.org/tg2k/_perfect_forward_secrecy.html] distinguishes "perfect forward secrecy" from "forward secrecy" with the additional property that an agreed key will not be compromised even if agreed keys derived from the same long-term keying material in a subsequent run are compromised.
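The property defined above can be seen by comparing two key agreements after a long-term private key leaks. This is an added example, not part of the original article: the demo group (2**521 - 1, generator 3) and the names `keypair`, `session_key` and `demo` are assumptions of the example, and the signatures that authenticate the ephemeral values in a real protocol are omitted.

```python
import hashlib
import secrets

# Assumption of this example: a demo-only group (Mersenne prime 2**521 - 1,
# generator 3). Real protocols use vetted DH groups or elliptic curves.
P = 2**521 - 1
G = 3

def keypair():
    """Return (private exponent, public value) in the demo group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(own_priv, peer_pub, transcript):
    """Hash the DH shared secret with the public transcript into a 32-byte key."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(66, "big") + transcript).digest()

def demo():
    a_long, a_long_pub = keypair()   # Alice's long-term key pair
    b_long, b_long_pub = keypair()   # Bob's long-term key pair

    # Run 1, static DH: the secret depends only on long-term keys; the
    # nonces travel in the clear and are recorded by an eavesdropper.
    nonces = secrets.token_bytes(32)
    k_static = session_key(a_long, b_long_pub, nonces)
    assert k_static == session_key(b_long, a_long_pub, nonces)

    # Run 2, ephemeral DH: fresh exponents per session. In STS the long-term
    # keys only sign the exchanged values (signing omitted here).
    x, x_pub = keypair()
    y, y_pub = keypair()
    transcript = x_pub.to_bytes(66, "big") + y_pub.to_bytes(66, "big")
    k_eph = session_key(x, y_pub, transcript)
    assert k_eph == session_key(y, x_pub, transcript)
    del x, y                         # ephemeral secrets are erased after use

    # Later, a_long leaks. With the recorded traffic, the static session key
    # is recomputed exactly; the ephemeral one needs x or y, which are gone.
    return {
        "static_recovered": session_key(a_long, b_long_pub, nonces) == k_static,
        "ephemeral_recovered": session_key(a_long, y_pub, transcript) == k_eph,
    }

if __name__ == "__main__":
    print(demo())
```

Only the second run has the property: the leaked long-term key reproduces the first session key from recorded traffic but not the second.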
History
"PFS" was originally introduced [Diffie, Whitfield; Oorschot, Paul C.; Wiener, Michael J. (June 1992). "Authentication and Authenticated Key Exchanges". Designs, Codes and Cryptography 2 (2): 107-125. doi:10.1007/BF00124891. http://citeseer.ist.psu.edu/diffie92authentication.html. Accessed 2008-02-11.] by Diffie, van Oorschot, and Wiener and used to describe a property of the Station-to-Station protocol (STS), where the long-term secrets are private keys. PFS requires the use of public key cryptography, and cannot be achieved with symmetric cryptography alone.
"PFS" has also been used [Jablon, David P. (October 1996). "Strong Password-Only Authenticated Key Exchange". ACM Computer Communication Review 26 (5): 5–26. doi:10.1145/242896.242897. http://citeseer.ist.psu.edu/jablon96strong.html. Accessed 2008-02-11.] to describe the analogous property of password-authenticated key agreement protocols where the long-term secret is a (shared) password.
Annex D.5.1 of IEEE 1363-2000 discusses the related one-party and two-party forward secrecy properties of various standard key agreement schemes.
See also
* Diffie-Hellman key exchange is a cryptographic protocol that provides perfect forward secrecy.
Protocols
* PFS is an optional feature in IPsec (RFC 2412).
* SSH.
* Off-the-Record Messaging, a cryptography protocol and library for many instant messaging clients, providing perfect forward secrecy as well as deniable encryption.
* In theory, Transport Layer Security can choose appropriate ciphers since SSLv3, but in everyday practice many implementations refuse to offer PFS or only provide it with very low encryption grade. [http://www1.ietf.org/mail-archive/web/tls/current/msg02134.html Discussion on the TLS mailing list in October 2007]
References
# H. Orman. The OAKLEY Key Determination Protocol. IETF RFC 2412.
Wikimedia Foundation. 2010.