Forward secrecy

In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a property of secure communication protocols in which compromises of long-term keys do not compromise past session keys. Forward secrecy protects past sessions against future compromises of secret keys or passwords. If forward secrecy is used, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted should long-term secret keys or passwords be compromised in the future, even if the adversary actively interfered, for example via a man-in-the-middle attack.

The following is a hypothetical example of a simple instant messaging protocol that employs forward secrecy:

  1. Alice and Bob each generate a pair of long-term, asymmetric public and private keys, then verify public-key fingerprints in person or over an already-authenticated channel. The only thing these keys will be used for is authentication, including signing messages and signing things during session key exchange. These keys will not be used for encryption of any kind.
  2. Alice and Bob use a key exchange algorithm such as Diffie–Hellman, to securely agree on an ephemeral session key. They use the keys from step 1 only to authenticate one another during this process.
  3. Alice sends Bob a message, encrypting it with a symmetric cipher using the session key negotiated in step 2.
  4. Bob decrypts Alice's message using the key negotiated in step 2.
  5. The process repeats for each new message sent, starting from step 2 (and switching Alice and Bob's roles as sender/receiver as appropriate). Step 1 is never repeated.
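The five steps above as an added, runnable toy model (not code from the original page): standard-library Python only, with a 64-bit safe-prime group, Schnorr signatures and a SHA-256 XOR stream standing in for real primitives, all labelled as such in the code; the function and variable names are this example's own.

```python
import hashlib, secrets

def is_prime(n):
    # Deterministic Miller-Rabin: these 12 bases are exact for odd n below 3e23.
    d, s = n - 1, 0
    while d % 2 == 0: d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        if not any((x := pow(x, 2, n)) == n - 1 for _ in range(s - 1)): return False
    return True

def safe_prime(bits):
    # Toy group p = 2q + 1 with q prime; real deployments use standard 2048-bit+ groups (RFC 7919).
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1): return 2 * q + 1, q

P, Q = safe_prime(64)
G = 4                                                   # 4 = 2^2 has order q modulo a safe prime
H = lambda *parts: int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")
rand = lambda: secrets.randbelow(Q - 1) + 1
def keygen():                                           # step 1: long-term Schnorr key, used ONLY to sign
    x = rand()
    return x, pow(G, x, P)
def sign(x, msg):                                       # Schnorr signature (r, s) with s = k - x*e mod q
    k = rand()
    r = pow(G, k, P)
    return r, (k - x * (H(r, msg) % Q)) % Q
def verify(y, msg, sig):
    r, s = sig
    return pow(G, s, P) * pow(y, H(r, msg) % Q, P) % P == r
def xor_stream(key, data):                              # toy stream cipher standing in for a real AEAD
    ks = b"".join(hashlib.sha256(f"{key}|{i}".encode()).digest() for i in range(len(data) // 32 + 1))
    return bytes(p ^ k for p, k in zip(data, ks))
def session(alice, bob, plaintext):
    # Step 2: fresh ephemeral exponents; each side signs its DH value with its long-term key only.
    a, b = rand(), rand()
    A, B = pow(G, a, P), pow(G, b, P)
    sa, sb = sign(alice[0], A), sign(bob[0], B)
    assert verify(alice[1], A, sa) and verify(bob[1], B, sb), "handshake not authenticated"
    key_a, key_b = H(pow(B, a, P)), H(pow(A, b, P))     # both sides derive the same session key
    ct = xor_stream(key_a, plaintext)                   # steps 3-4: one message, then a and b are dropped
    return xor_stream(key_b, ct), (A, B, sa, sb, ct)   # (Bob's decryption, what an eavesdropper recorded)

def after_long_term_compromise(transcript, alice, bob):
    # A later leak of the long-term keys lets an impostor sign as Alice, but the recorded transcript
    # holds no ephemeral exponent and the leaked exponents never entered the session key.
    A, B, sa, sb, ct = transcript
    return verify(alice[1], A + 1, sign(alice[0], A + 1)), xor_stream(H(pow(B, alice[0], P)), ct)
```

The second value returned by `after_long_term_compromise` is the naive attempt to use a leaked long-term exponent as if it were the ephemeral one; it does not recover the message, while the forged signature does verify, matching the masquerade caveat below.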

Forward secrecy (achieved by generating new session keys for each message) ensures that past communications cannot be decrypted if one of the keys generated in an iteration of step 2 is compromised, since such a key is only used to encrypt a single message. Forward secrecy also ensures that past communications cannot be decrypted if the long-term private keys from step 1 are compromised; however, masquerading as Alice or Bob would be possible going forward if this occurred, possibly compromising all future messages.

Forward secrecy is designed to prevent the compromise of a long-term secret key from affecting the confidentiality of past conversations. However, forward secrecy cannot defend against a successful cryptanalysis of the underlying ciphers being used, since a cryptanalysis consists of finding a way to decrypt an encrypted message without the key, and forward secrecy only protects keys, not the ciphers themselves. A patient attacker can capture a conversation whose confidentiality is protected through the use of public-key cryptography and wait until the underlying cipher is broken (e.g. large quantum computers could be created which allow the discrete logarithm problem to be computed quickly). This would allow the recovery of old plaintexts even in a system employing forward secrecy.

Weak perfect forward secrecy (wPFS) is the weaker property whereby, when agents' long-term keys are compromised, the secrecy of previously established session keys is guaranteed, but only for sessions in which the adversary did not actively interfere. This notion, and the distinction between it and full forward secrecy, was introduced by Hugo Krawczyk in 2005. This weaker definition implicitly requires that full (perfect) forward secrecy maintains the secrecy of previously established session keys even in sessions where the adversary did actively interfere, or attempted to act as a man in the middle.

Forward secrecy is present in several major protocol implementations, such as SSH and as an optional feature in IPsec (RFC 2412). Off-the-Record Messaging, a cryptography protocol and library for many instant messaging clients, provides forward secrecy as well as deniable encryption.

In Transport Layer Security (TLS), forward-secret cipher suites based on Diffie–Hellman key exchange (DHE-RSA, DHE-DSA) and on elliptic curve Diffie–Hellman (ECDHE-RSA, ECDHE-ECDSA) are available. In theory, TLS can choose appropriate ciphers since SSLv3, but in everyday practice many implementations have refused to offer forward secrecy or only provide it with a very low encryption grade.[8]

OpenSSL supports forward secrecy using elliptic curve Diffie–Hellman since version 1.0,[9] with a computational overhead of approximately 15%.[10]

The Signal Protocol uses the Double Ratchet Algorithm to provide forward secrecy.[11]

On the other hand, among popular protocols currently in use, WPA doesn't support forward secrecy.

Forward secrecy is seen as an important security feature by several large Internet information providers. Since late 2011, Google provided forward secrecy with TLS by default to users of its Gmail service, Google Docs service, and encrypted search services.[9] Since November 2013, Twitter provided forward secrecy with TLS to its users.[12] Wikis hosted by the Wikimedia Foundation have all provided forward secrecy to users since July 2014.[13]

Facebook reported as part of an investigation into email encryption that, as of May 2014, 74% of hosts that support STARTTLS also provide Forward Secrecy.[14] As of June 2016, 51.9% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to modern web browsers.[15]

At WWDC 2016, Apple announced that all iOS apps would need to use "ATS" (App Transport Security), a feature which enforces the use of HTTPS transmission. Specifically, ATS requires the use of an encryption cipher that provides forward secrecy.[16] ATS became mandatory for apps on Jan 1st, 2017.[17]

Original source: https://www.cnblogs.com/sddai/p/8542037.html

Time: 2024-08-30 02:52:08
