Forward Security Question

David Jablon dpj at world.std.com
Mon Nov 19 11:17:38 EST 2001


As further precedent, [JV96] provides a definition and rationale for FS in
preference to PFS:

"A key agreement protocol provides *forward secrecy* (perfect forward secrecy
in [7] and [9]) if the loss of any long-term secret keying material does not allow
the compromise of keys from previously wire-tapped sessions.  Since
*perfect* usually makes reference to information theory, we avoid it here."

[JV96]  M. Just and S. Vaudenay, "Authenticated multi-party key agreement,"
in Advances in Cryptology -- EUROCRYPT '96, U. Maurer, Ed. 1996, number
1070 in Lecture Notes in Computer Science, Springer-Verlag, Berlin Germany. 
[7] = [DOW92], [9] = [Gun90]

Using this definition for a password-authenticated KAP, the password is
considered "long-term secret keying material".


At 10:03 AM 11/19/01 -0500, David Jablon wrote:
>[Std1363] defines "forward secrecy" as the property that:
>
>    "... prevents a passive opponent who merely recorded past communications
>    encrypted with the shared secret keys from decrypting them some time in
>    the future by compromising the parties’ cryptographic state."
>
>To support its definition of "two party forward secrecy", [Std1363] cites [Gun90]
>and [DOW92], the latter of which used (or introduced?) the modifier "perfect".
>
>Anonymous asks:
>> Can someone better explain how the "forward security" found in 
>> EKE/DH-EKE/SPEKE works?
>
>In the context of password-based key agreement schemes, the term "perfect
>forward secrecy" was used in [Jab96] to refer to the integrity of prior recorded
>communications in the face of a disclosure of the password.  This fits (at least)
>the Std1363 definition, as the password is part of the parties' cryptographic
>state.
>
>Anonymous asks:
>> Is it the same for each EKE variant, or does it 
>> work differently for each?
>
>The same basic [perfect] forward secrecy property is provided in each of
>these schemes, as well as several others.
>
>
>At 08:10 PM 11/18/01 -0800, Paul Krumviede wrote:
>>--On Sunday, 18 November, 2001 12:30 -0800 AARG!Anonymous <remailer at aarg.net> wrote:
>>
>>>Hi All,
>>>
>>>I have recently been reading about password-based authentication schemes,
>>>especially EKE and its variants.  The papers I've read on EKE, DH-EKE,
>>>and  SPEKE all refer to their "perfect forward security," though I have
>>>been  unable to find a formal definition of this property, or any
>>>detailed  explanation of what this really means.
>>
>>rfc 2828 has a discussion of this, but mentions that "this is to be a muddled
>>area."
>
>Unfortunately, RFC2828 itself may be seen as a good source of the muddle
>regarding the term, in its yet-another-definition of "public-key forward secrecy".
>
>
>References
>
>[DOW92]  W. Diffie, P. C. van Oorschot and M. J. Wiener, "Authentication and authenticated key exchanges," Designs, Codes and Cryptography 2 (1992), pp. 107-125.
>
>[Gun90]  C. G. Gunther, "An identity-based key-exchange protocol," J.-J. Quisquater and J. Vandewalle, editors, Advances in Cryptology - EUROCRYPT '89, Lecture Notes in Computer Science 434 (1990), Springer-Verlag, pp. 29-37.
>
>[Jab96]  D. Jablon, "Strong Password-Only Authenticated Key Exchange", Computer Communication Review, ACM SIGCOMM, vol. 26, no. 5, pp. 5-26, October 1996.
> 
>[Std1363]  IEEE Std 1363-2000, Standard Specifications for Public Key Cryptography, IEEE, August 2000, buried in annex D.5.1.7.
>
>
>
>
>
>---------------------------------------------------------------------
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com 
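
An added example, not part of the original post or of any cited paper: it contrasts a constructed scheme whose session key is derived from the password and public nonces with a SPEKE-style exchange, after the password is disclosed to someone holding a recorded transcript. The toy group (P = 1019), the `static` scheme and all function names are assumptions made for illustration; in the SPEKE-style case the old key is reachable only through a discrete-log search, which finishes here solely because the group is tiny, and that is the computational rather than information-theoretic sense of forward secrecy that the [JV96] quote points to.

```python
import hashlib
import secrets

P, Q = 1019, 509  # toy safe prime P = 2Q + 1 (constructed; far too small for real use)

def kdf(*parts):
    """Hash length-prefixed fields into a session key."""
    h = hashlib.sha256()
    for part in parts:
        data = str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()

def generator(password):
    """SPEKE-style base: square a password hash into the order-Q subgroup."""
    digest = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    return pow(2 + digest % (P - 3), 2, P)  # base in [2, P-2], so g is never 0 or 1

def static_session(password):
    """No forward secrecy: the key is a function of the password and public nonces."""
    na, nb = secrets.token_hex(16), secrets.token_hex(16)
    return {"na": na, "nb": nb}, kdf("static", password, na, nb)

def speke_session(password):
    """The key depends on ephemeral exponents x, y that are discarded on return."""
    g = generator(password)
    x, y = 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1)
    a, b = pow(g, x, P), pow(g, y, P)
    k_alice = kdf("speke", a, b, pow(b, x, P))
    k_bob = kdf("speke", a, b, pow(a, y, P))
    assert k_alice == k_bob
    return {"A": a, "B": b}, k_alice  # the transcript is all a wiretapper records

def static_after_disclosure(password, transcript):
    """Password plus recorded nonces reproduce the old key directly."""
    return kdf("static", password, transcript["na"], transcript["nb"])

def speke_remaining_work(password, transcript):
    """The password yields only g; the old key still needs the discrete log of A.
    Returns (key, trials); the search ends only because the group has 509 elements."""
    g, a, b = generator(password), transcript["A"], transcript["B"]
    x = next(e for e in range(1, Q) if pow(g, e, P) == a)
    return kdf("speke", a, b, pow(b, x, P)), x
```

The number of trials grows with the subgroup order, so in a group of cryptographic size the password disclosure alone leaves the recorded session key out of reach.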




