Forward Security Question
Antonomasia
ant at notatla.demon.co.uk
Sun Nov 18 21:21:01 EST 2001
Anonymous asks:
> I have recently been reading about password-based authentication schemes,
> especially EKE and its variants. The papers I've read on EKE, DH-EKE, and
> SPEKE all refer to their "perfect forward security," though I have been
> unable to find a formal definition of this property, or any detailed
> explanation of what this really means. Does the "forward security" refer
> to the fact that if Eve knows a "K" Alice and Bob used two weeks ago, she
> cannot assume either of their identities for a current transaction? Or
> does it mean that even if Eve knows the current "K" in use by Alice and
> Bob's session, she cannot impersonate either of them? Or does it mean
> something else?
>
> Can someone better explain how the "forward security" found in
> EKE/DH-EKE/SPEKE works? Is it the same for each EKE variant, or does it
> work differently for each?
When a definition was sought in May 2000 it drew the reply:
From: Jerome Etienne <jetienne arobas.net>
> On Thu, May 04, 2000 at 09:40:14AM -0400, Arnold G. Reinhold wrote:
> > Can anyone point me to a good definition of "Perfect Forward Security"?
> In rfc2408 section 1.6.1 about ike, you can find one for perfect forward
> secrecy. Up to you to decide how relevant and good it is.
> " Perfect Forward Secrecy: As described in [DOW92], an authenticated
> key exchange protocol provides perfect forward secrecy if disclosure
> of longterm secret keying material does not compromise the secrecy of
> the exchanged keys from previous communications. The property of
> perfect forward secrecy does not apply to key exchange without
> authentication."
> [DOW92] Diffie, W., M.Wiener, P. Van Oorschot, Authentication and
> Authenticated Key Exchanges, Designs, Codes, and
> Cryptography, 2, 107-125, Kluwer Academic Publishers,
> 1992.
Destroying Diffie-Hellman key parameters gets you computational
secrecy; not information-theoretic secrecy.
An expired ID I have stored "Using the SRP protocol as a key exchange
method in Secure Shell" makes no mention of PFS.
--
##############################################################
# Antonomasia ant notatla.demon.co.uk #
# See http://www.notatla.demon.co.uk/ #
##############################################################
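
The RFC 2408 definition quoted above, as an added example that is not part of the original post: a session key derived from the long-term key can be recomputed from a recorded transcript once that key leaks, while an ephemeral Diffie-Hellman key cannot. This is a generic MAC-authenticated DH sketch, not EKE, DH-EKE or SPEKE. The toy prime, the high-entropy long-term key and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Toy parameters, assumed for illustration only: p = 2**255 - 19 is prime, g = 2.
P, G = 2**255 - 19, 2

def i2b(n: int) -> bytes:
    return n.to_bytes(32, "big")

def kdf(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, "sha256").digest()

def static_session(long_term: bytes):
    """No forward secrecy: key = KDF(long-term key, public nonces)."""
    na, nb = secrets.token_bytes(16), secrets.token_bytes(16)
    return (na, nb), kdf(long_term, na, nb)      # (recorded transcript, key)

def dh_session(long_term: bytes, a=None, b=None):
    """Ephemeral DH; the long-term key only authenticates g^a and g^b."""
    a = a or secrets.randbelow(P - 2) + 1
    b = b or secrets.randbelow(P - 2) + 1
    ga, gb = pow(G, a, P), pow(G, b, P)
    transcript = (ga, gb, mac(long_term, i2b(ga)), mac(long_term, i2b(gb)))
    key = kdf(i2b(pow(gb, a, P)))                # equals kdf(i2b(pow(ga, b, P)))
    return transcript, key                       # a and b are discarded here

def recover_static(transcript, leaked: bytes) -> bytes:
    """Later compromise of the long-term key reopens every recorded session."""
    na, nb = transcript
    return kdf(leaked, na, nb)

def check_dh_transcript(transcript, leaked: bytes) -> bool:
    """The leaked key verifies the MACs, but the transcript holds only g^a, g^b."""
    ga, gb, tag_a, tag_b = transcript
    return (hmac.compare_digest(tag_a, mac(leaked, i2b(ga))) and
            hmac.compare_digest(tag_b, mac(leaked, i2b(gb))))

if __name__ == "__main__":
    lt = secrets.token_bytes(32)                 # constructed long-term key
    t1, k1 = static_session(lt)
    print("static key recovered after leak:", recover_static(t1, lt) == k1)
    t2, k2 = dh_session(lt, a=12345, b=67890)    # fixed exponents for the demo
    _, k3 = dh_session(b"another long-term key", a=12345, b=67890)
    print("DH key independent of long-term key:", k2 == k3)
```
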
---------------------------------------------------------------------
The Cryptography Mailing List