Forward Security Question

Antonomasia ant at notatla.demon.co.uk
Sun Nov 18 21:21:01 EST 2001


Anonymous asks:

> I have recently been reading about password-based authentication schemes, 
> especially EKE and its variants.  The papers I've read on EKE, DH-EKE, and 
> SPEKE all refer to their "perfect forward security," though I have been 
> unable to find a formal definition of this property, or any detailed 
> explanation of what this really means.  Does the "forward security" refer 
> to the fact that if Eve knows a "K" Alice and Bob used two weeks ago, she 
> cannot assume either of their identities for a current transaction?  Or 
> does it mean that even if Eve knows the current "K" in use by Alice and 
> Bob's session, she cannot impersonate either of them?  Or does it mean 
> something else?
> 
> Can someone better explain how the "forward security" found in 
> EKE/DH-EKE/SPEKE works?  Is it the same for each EKE variant, or does it 
> work differently for each?


When a definition was sought in May 2000 it drew the reply:

From: Jerome Etienne <jetienne arobas.net>

> On Thu, May 04, 2000 at 09:40:14AM -0400, Arnold G. Reinhold wrote:
> > Can anyone point me to a good definition of "Perfect Forward Security"?

> In rfc2408 section 1.6.1 about ike, you can find one for perfect forward
> secrecy. Up to you to decide how relevant and good it is.

> "  Perfect Forward Secrecy: As described in [DOW92], an authenticated
>    key exchange protocol provides perfect forward secrecy if disclosure
>    of longterm secret keying material does not compromise the secrecy of
>    the exchanged keys from previous communications.  The property of
>    perfect forward secrecy does not apply to key exchange without
>    authentication."

>    [DOW92]    Diffie, W., M.Wiener, P. Van Oorschot, Authentication and
>               Authenticated Key Exchanges, Designs, Codes, and
>               Cryptography, 2, 107-125, Kluwer Academic Publishers,
>               1992.

Destroying Diffie-Hellman key parameters gets you computational
secrecy, not information-theoretic secrecy.
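
As an added illustration (not from the thread), here is a toy Python model of the RFC 2408 definition quoted above: a design without PFS is contrasted with an authenticated ephemeral Diffie-Hellman exchange, and the last function shows why the secrecy left after destroying the ephemerals is only computational. The group, key derivation and tagging are assumed constructions, with the group deliberately tiny so that the exhaustive search finishes.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: p = 2*509 + 1 is a safe prime and g = 2 generates it.
# Real exchanges use 2048-bit groups; the tiny size is only so the search ends.
P, G = 1019, 2

def kdf(*parts: bytes) -> bytes:
    """Session-key derivation (assumed construction, not any RFC's)."""
    return hashlib.sha256(b"|".join(parts)).digest()

def tag(longterm: bytes, a: int, b: int) -> bytes:
    """Authenticate the public values with the long-term shared secret."""
    return hmac.new(longterm, f"{a},{b}".encode(), hashlib.sha256).digest()

def exchange_no_pfs(longterm: bytes) -> tuple[dict, bytes]:
    """Design without PFS: the key is a function of the long-term secret."""
    na, nb = secrets.token_bytes(8), secrets.token_bytes(8)
    return {"na": na, "nb": nb}, kdf(longterm, na, nb)

def exchange_dh(longterm: bytes) -> tuple[dict, bytes]:
    """Authenticated ephemeral DH: the long-term secret only authenticates."""
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    a, b = pow(G, x, P), pow(G, y, P)
    transcript = {"a": a, "b": b, "tag": tag(longterm, a, b)}
    key_alice = kdf(pow(b, x, P).to_bytes(2, "big"))
    key_bob = kdf(pow(a, y, P).to_bytes(2, "big"))
    assert key_alice == key_bob
    del x, y  # ephemerals destroyed after the session, as PFS requires
    return transcript, key_alice

def eve_with_longterm_no_pfs(transcript: dict, longterm: bytes) -> bytes:
    """Later disclosure of the long-term secret yields the old session key."""
    return kdf(longterm, transcript["na"], transcript["nb"])

def eve_with_longterm_dh(transcript: dict, longterm: bytes) -> bool:
    """With PFS the disclosed secret only lets Eve check the old tag; the key
    depended on x and y, which no longer exist anywhere."""
    expected = tag(longterm, transcript["a"], transcript["b"])
    return hmac.compare_digest(expected, transcript["tag"])

def eve_brute_force_dh(transcript: dict) -> bytes:
    """The remaining secrecy is computational: in this toy group the discrete
    log of a is found by exhaustive search. In a real-size group it is not."""
    for x in range(1, P - 1):
        if pow(G, x, P) == transcript["a"]:
            return kdf(pow(transcript["b"], x, P).to_bytes(2, "big"))
    raise ValueError("no discrete log found")
```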

An expired ID I have stored "Using the SRP protocol as a key exchange
method in Secure Shell" makes no mention of PFS.


--
##############################################################
# Antonomasia   ant notatla.demon.co.uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################



---------------------------------------------------------------------
The Cryptography Mailing List