Forward Security Question

David Jablon dpj at world.std.com
Mon Nov 19 10:03:45 EST 2001


[Std1363] defines "forward secrecy" as the property that:

        "... prevents a passive opponent who merely recorded past communications
        encrypted with the shared secret keys from decrypting them some time in
        the future by compromising the parties’ cryptographic state."

To support its definition of "two party forward secrecy", [Std1363] cites [Gun90]
and [DOW92], the latter of which used (or introduced?) the modifier "perfect".

Anonymous asks:
> Can someone better explain how the "forward security" found in 
> EKE/DH-EKE/SPEKE works?

In the context of password-based key agreement schemes, the term "perfect
forward secrecy" was used in [Jab96] to refer to the integrity of prior recorded
communications in the face of a disclosure of the password.  This fits (at least)
the Std1363 definition, as the password is part of the parties' cryptographic
state.

Anonymous asks:
> Is it the same for each EKE variant, or does it 
> work differently for each?

The same basic [perfect] forward secrecy property is provided in each of
these schemes, as well as several others.


At 08:10 PM 11/18/01 -0800, Paul Krumviede wrote:
>--On Sunday, 18 November, 2001 12:30 -0800 AARG!Anonymous <remailer at aarg.net> wrote:
>
>>Hi All,
>>
>>I have recently been reading about password-based authentication schemes,
>>especially EKE and its variants.  The papers I've read on EKE, DH-EKE,
>>and  SPEKE all refer to their "perfect forward security," though I have
>>been  unable to find a formal definition of this property, or any
>>detailed  explanation of what this really means.
>
>rfc 2828 has a discussion of this, but mentions that "this is to be a muddled
>area."

Unfortunately, RFC2828 itself may be seen as a good source of the muddle
regarding the term, in its yet-another-definition of "public-key forward secrecy".
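As an added illustration that is not part of Jablon's post, the toy script below contrasts a SPEKE-style exchange (generator derived from the password, session key from ephemeral Diffie-Hellman) with a scheme whose key is derived from the password and nonces alone, and shows what a passive recorder who later learns the password can recompute from each transcript. The parameters (safe prime 23) and the function names are constructed for readability and are not from any standard or implementation.

```python
import hashlib
import secrets

P, Q = 23, 11   # toy safe prime P = 2*Q + 1 (constructed; real use needs ~2048 bits)

def h_int(*parts):
    """Toy KDF: hash the parts to an integer (illustration only, not a standard)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def speke_generator(password):
    # SPEKE-style generator g = H(pw)^2 mod P, which lies in the order-Q subgroup.
    # The base is range-reduced to [2, P-2] so the degenerate values 0 and +-1
    # (which a real implementation must reject) cannot occur in this toy.
    base = h_int(password) % (P - 3) + 2
    return pow(base, 2, P)

def speke_session(password):
    """One SPEKE-style exchange: returns (transcript, key_a, key_b)."""
    g = speke_generator(password)
    x = secrets.randbelow(Q - 1) + 1        # ephemeral exponent of party A
    y = secrets.randbelow(Q - 1) + 1        # ephemeral exponent of party B
    ga, gb = pow(g, x, P), pow(g, y, P)     # the only values a recorder sees
    key_a, key_b = pow(gb, x, P), pow(ga, y, P)   # shared secret g^(x*y)
    del x, y                                # ephemerals are discarded after use
    return (ga, gb), key_a, key_b

def no_fs_session(password):
    """Contrast scheme without forward secrecy: key = H(password, nonce_a, nonce_b)."""
    na, nb = secrets.randbits(32), secrets.randbits(32)
    key = h_int(password, na, nb)
    return (na, nb), key, key

def recover_no_fs(transcript, password):
    # A passive recorder who later learns the password recomputes the key directly.
    na, nb = transcript
    return h_int(password, na, nb)

def recover_speke(transcript, password):
    # With the password the recorder learns only g; the key still needs x or y,
    # i.e. a discrete log of ga or gb. Exhaustive search works only because Q is
    # tiny here; at real group sizes the recorded session stays protected.
    g = speke_generator(password)
    ga, gb = transcript
    for x in range(1, Q):
        if pow(g, x, P) == ga:
            return pow(gb, x, P)
    return None
```

The point of the contrast is which inputs the key depends on: in the second scheme the transcript plus the password determines the key outright, while in the SPEKE-style exchange the password only fixes the generator, so a later password disclosure leaves the recorded session keys behind a discrete-log problem.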


References

[DOW92]  W. Diffie, P. C. van Oorschot and M. J. Wiener, "Authentication and authenticated key exchanges," Designs, Codes and Cryptography 2 (1992), pp. 107-125.

[Gun90]  C. G. Gunther, "An identity-based key-exchange protocol," J.-J. Quisquater and J. Vandewalle, editors, Advances in Cryptology - EUROCRYPT '89, Lecture Notes in Computer Science 434 (1990), Springer-Verlag, pp. 29-37.

[Jab96]  D. Jablon, "Strong Password-Only Authenticated Key Exchange", Computer Communication Review, ACM SIGCOMM, vol. 26, no. 5, pp. 5-26, October 1996.
 
[Std1363]  IEEE Std 1363-2000, Standard Specifications for Public Key Cryptography, IEEE, August 2000, buried in annex D.5.1.7.





---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com




More information about the cryptography mailing list