完美前向保密PFS
===========来自网友===========
“前向安全性”应当是叫做“forward security”。该定义最早是由Mihir Bellare和Sara K. Miner在 CRYPTO’99上提出的关于数字签名的性质[1]。
而“perfect forward secrecy”则是由Christoph G. Günther在EUROCRYPT ’89提出的,其最初用于定义会话密钥交换协议的一种安全性[2]。
(Perfect)Forward secrecy的大致意思是:用来产生会话密钥(session key)的长期密钥(long-term key)泄露出去,不会造成之前通讯时使用的会话密钥(session key)的泄露,也就不会暴漏以前的通讯内容。简单的说,当你丢了这个long-term key之后,你以后的行为的安全性无法保证,但是你之前的行为是保证安全的。
之所以Perfect加上括号,是因为这个词蕴含了无条件安全的性质,大部分的forward secrecy方案是无法达到Perfect的。
而forward security的保证的是:敌手获取到了你当前的密钥,但是也无法成功伪造一个过去的签名。
简单的说,这两个概念是用在不同的环境中,但是其意图是一样的:保证密钥丢失之前的消息安全性或签名的不可伪造性。
一般而言,满足Forward secrecy或者forward security的公钥环境下的(签名、密钥交换或加密)方案,其公钥是固定的,而密钥则随着时间进行更新。这个更新过程是单向的,因此也就保证了拿到当前的密钥,是无法恢复出以前的密钥,从而保证了“前向安全”。
与之相对应的还有“后向安全( backward secrecy或security)”的概念,不过这个概念研究的比较少,题主有兴趣可以自行查找该概念。
参考文献:
[1] Bellare, Mihir, and Sara K. Miner. "A forward-secure digital signature scheme." Advances in Cryptology—Crypto’99. Springer Berlin Heidelberg, 1999.
[2] Günther, Christoph G. "An identity-based key-exchange protocol." Advances in Cryptology—Eurocrypt’89. Springer Berlin Heidelberg, 1989.
===========维基百科===========
中文翻译在这里http://blog.csdn.net/gufachongyang02/article/details/53392842
Forward secrecy
In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a property of secure communication protocols in which compromise of long-term keys does not compromise past session keys. Forward secrecy protects past sessions against future compromises of secret keys or passwords. If forward secrecy is used, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted should long-term secret keys or passwords be compromised in the future, even if the adversary actively interfered.
Contents
[hide]
History[edit]
The term "perfect forward secrecy" was coined by C. G. Günther in 1990 and further discussed by Whitfield Diffie, Paul van Oorschot, and Michael James Wiener in 1992[1] where it was used to describe a property of the Station-to-Station protocol.[2]
Forward secrecy has also been used to describe the analogous property of password-authenticated key agreement protocols where the long-term secret is a (shared) password.[3]
Annex D.5.1 of IEEE 1363-2000 discusses the related one-party and two-party forward secrecy properties of various standard key agreement schemes (for two-party forward secrecy properties compare below 2WIPFS: "2-Way-Instant-Perfect-Forward-Secrecy").
Forward secrecy[edit]
A public-key system has the property of forward secrecy if it generates one random secret key per session to complete a key agreement, without using a deterministic algorithm. This means that the compromise of one message cannot compromise others as well, and there is no one secret value whose acquisition would compromise multiple messages. This is not to be confused with the perfect secrecy demonstrated by one-time pads: when it is used properly, the one-time pad involves multiple parties agreeing on a set of disposable keys by communicating it fully in private—without a formalized key agreement system—and then using each key for one message only.
Attacks[edit]
Forward secrecy is designed to prevent the compromise of a long-term secret key from affecting the confidentiality of past conversations. However, forward secrecy cannot defend against a successful cryptanalysis of the underlying ciphers being used, since a cryptanalysis consists of finding a way to decrypt an encrypted message without the key, and forward secrecy only protects keys, not the ciphers themselves. A patient attacker can capture a conversation whose confidentiality is protected through the use of public-key cryptography and wait until the underlying cipher is broken (e.g. large quantum computers could be created which allow the discrete logarithm problem to be computed quickly). This would allow the recovery of old plaintexts even in a system employing forward secrecy.
Weak perfect forward secrecy[edit]
Weak perfect forward secrecy (wPFS) is the weaker property whereby when agents' long-term keys are compromised, the secrecy of previously established session-keys is guaranteed, but only for sessions in which the adversary did not actively interfere. This new notion, and the distinction between this and forward secrecy was introduced by Hugo Krawczyk in 2005.[4][5] This weaker definition implicitly requires that full (perfect) forward secrecy maintains the secrecy of previously established session keys even in sessions where the adversary did actively interfere, or attempted to act as a man in the middle.
Protocols[edit]
![]() |
This section relies too much on references to primary sources. Please improve this section by adding secondary or tertiary sources. (December 2015) (Learn how and when to remove this template message) |
Forward secrecy is present in several major protocol implementations, such as SSH and as an optional feature in IPsec (RFC 2412). Off-the-Record Messaging, a cryptography protocol and library for many instant messaging clients, provides forward secrecy as well as deniable encryption.
In Transport Layer Security (TLS), Diffie–Hellman key exchange-based PFSs (DHE-RSA, DHE-DSA) and elliptic curve Diffie–Hellman-based PFSs (ECDHE-RSA, ECDHE-ECDSA) are available. In theory, TLS can choose appropriate ciphers since SSLv3, but in everyday practice many implementations have refused to offer forward secrecy or only provide it with very low encryption grade.[6]
OpenSSL supports forward secrecy using elliptic curve Diffie–Hellman since version 1.0,[7] with a computational overhead of approximately 15%.[8]
The Signal Protocol uses the Double Ratchet Algorithm to provide forward secrecy.[9] The protocol was developed by Open Whisper Systems in 2013[10] and was first introduced in theSignal app in February 2014.[11] It has since been implemented into WhatsApp, Facebook Messenger, and Google Allo, encrypting the conversations of "more than a billion people worldwide".[12]
On the other hand, among popular protocols currently in use, WPA doesn't support forward secrecy.
Use[edit]
Forward secrecy is seen as an important security feature by several large Internet information providers. Since late 2011, Google provided forward secrecy with TLS by default to users of its Gmail service, Google Docs service, and encrypted search services.[7] Since November 2013, Twitter provided forward secrecy with TLS to its users.[13] Wikis hosted by theWikimedia Foundation have all provided forward secrecy to users since July 2014.[14]
Facebook reported as part of an investigation into email encryption that, as of May 2014, 74% of hosts that support STARTTLS also provide Forward Secrecy.[15] As of June 2016, 51.9% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to modern web browsers.[16]
At WWDC 2016, Apple announced that all iOS apps would need to use "ATS" (App Transport Security), a feature which enforces the use of HTTPS transmission. Specifically, ATS requires the use of an encryption cipher that provides forward secrecy.[17] ATS became mandatory for apps on Jan 1st, 2017.[18]
See also[edit]
References[edit]
- Menzies, Alfred; van Oorscot, Paul C.; Vanstone, SCOTT (1997). Handbook of Applied Cryptography. CRC Pres.ISBN 0-8493-8523-7.
- Diffie, Whitfield; van Oorschot, Paul C.; Wiener, Michael J. (June 1992). "Authentication and Authenticated Key Exchanges" (PDF). Designs, Codes and Cryptography. 2(2): 107–125. doi:10.1007/BF00124891. Retrieved2013-09-07.
- Jablon, David P. (October 1996). "Strong Password-Only Authenticated Key Exchange". ACM Computer Communication Review. 26 (5): 5–26.CiteSeerX 10.1.1.81.2594
.doi:10.1145/242896.242897.
- Krawczyk, Hugo (2005). HMQV: A High-Performance Secure Diffie-Hellman Protocol. Advances in Cryptology – CRYPTO 2005. Lecture Notes in Computer Science. 3621. pp. 546–566. ISBN 978-3-540-28114-6.doi:10.1007/11535218_33.
- Cremers, Cas; Feltz, Michèle (2015). "Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal" (PDF). Designs, Codes and Cryptography. Springer US. 74 (1): 183–218.doi:10.1007/s10623-013-9852-1. Retrieved 8 December2015.
- Discussion on the TLS mailing list in October 2007
- a b "Protecting data for the long term with forward secrecy". Retrieved 2012-11-05.
- Vincent Bernat. "SSL/TLS & Perfect Forward Secrecy". Retrieved 2012-11-05.
- Unger, Nik; Dechand, Sergej; Bonneau, Joseph; Fahl, Sascha; Perl, Henning; Goldberg, Ian; Smith, Matthew (17–21 May 2015). "SoK: Secure Messaging" (PDF). 2015 IEEE Symposium on Security and Privacy. San Jose, CA: Institute of Electrical and Electronics Engineers: 241.doi:10.1109/SP.2015.22. Retrieved 4 December 2015.
- Ermoshina, Ksenia; Musiani, Francesca; Halpin, Harry (September 2016). "End-to-End Encrypted Messaging Protocols: An Overview". In Bagnoli, Franco; et al.Internet Science. INSCI 2016. Florence, Italy: Springer. pp. 244–254. ISBN 978-3-319-45982-0. doi:10.1007/978-3-319-45982-0_22.
- Donohue, Brian (24 February 2014). "TextSecure Sheds SMS in Latest Version". Threatpost. Retrieved 14 July2016.
- "Moxie Marlinspike - 40 under 40". Fortune. Time Inc. 2016. Retrieved 22 September 2016.
- Hoffman-Andrews, Jacob. "Forward Secrecy at Twitter".Twitter. Twitter. Retrieved 25 November 2013.
- "Tech/News/2014/27 - Meta". Wikimedia Foundation. 2014-06-30. Retrieved 30 June 2014.
- "The Current State of SMTP STARTTLS Deployment". Retrieved 7 June 2014.
- As of June 2, 2016. "SSL Pulse: Survey of the SSL Implementation of the Most Popular Web Sites". Retrieved 2016-06-17.
- https://developer.apple.com/library/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html#//apple_ref/doc/uid/TP40016198-SW14
- "App Transport Security REQUIRED January 2017 | Apple Developer Forums". forums.developer.apple.com. Retrieved 2016-10-20.
External links[edit]
- RFC 2412 IETF, H. Orman. The OAKLEY Key Determination Protocol
- Forward-secure-survey An overview
- Forward Secrecy can block the NSA from secure web pages, but no one uses it Computerworld June 21, 2013
- SSL: Intercepted today, decrypted tomorrow Netcraft June 25, 2013
- Deploying Forward Secrecy SSL Labs June 25, 2013
- SSL Labs test for web browsers
- SSL Labs test for web servers
完美前向保密PFS的更多相关文章
- SSL/TLS 协议运行机制概述(二)
SSL/TLS 协议运行机制概述(二) 在SSL/TLS 协议运行机制概述(一)中介绍了TLS 1.2 的运行机制,现在我们来看年 TLS 1.3 的运行机制.会涉及到SSL/TLS 协议运行机制概述 ...
- 【OWASP TOP10】2021年常见web安全漏洞TOP10排行
[2021]常见web安全漏洞TOP10排行 应用程序安全风险 攻击者可以通过应用程序中许多的不同的路径方式去危害企业业务.每种路径方法都代表了一种风险,这些风险都值得关注. 什么是 OWASP TO ...
- 写给开发人员的实用密码学(三)—— MAC 与密钥派生函数 KDF
目录 一.MAC 消息认证码 MAC 与哈希函数.数字签名的区别 MAC 的应用 1. 验证消息的真实性.完整性 2. AE 认证加密 - Authenticated encryption 3. 基于 ...
- 写给开发人员的实用密码学(七)—— 非对称密钥加密算法 RSA/ECC
本文部分内容翻译自 Practical-Cryptography-for-Developers-Book,笔者补充了密码学历史以及 openssl 命令示例,并重写了 RSA/ECC 算法原理.代码示 ...
- 配置HTTPS加密的快速参考指南
Nginx ssl_protocols TLSv1 TLSv1.1 TLSv1.2 阿帕奇 SSLProtocol All -SSLv2 -SSLv3 密码套房 选择密码套件可能很困难,它们的名称可能 ...
- 以太坊RLPx传输协议
本文主要内容翻译自:The RLPx Transport Protocol,其中添加了一些个人的理解,由于密码学水平有限,不正确之处望指正.另外原文可能已经更新,最新内容请直接阅读原文. 本文档定义了 ...
- 读书笔记_python网络编程3(6)
6.TLS/SSL 6.0. 传输层安全协议(TLS, Transport Layer Security)是如今web上应用最广泛的加密方法了,1999年成为互联网标准.前身是安全套接层(SSL, S ...
- AWS 数据传输加速(八)
AWS CloudFront 概述 一个CDN服务,加快网页和其它下载全球分布式网络缓存服务器 CloudFront通过全球性的边缘站点将内容缓存到世界各地实现CDN 在更邻近的位置提供更低的延迟,更 ...
- SSL/TLS 协议运行机制概述(一)
SSL/TLS 协议运行机制概述(一) SSL/TLS 发展史 1994年,NetScape 设计了SSL协议(Secure Sockets Layer) 1.0,未正式发布 1995年,NetSca ...
随机推荐
- thinkphp5, 模板继承、模板布局
---------------------------------------------------------------------------------------------------- ...
- DDD开源框架
DDD开源框架: ABP ENODE https://github.com/VirtoCommerce/vc-community APWorks https://github.com/daxnet/B ...
- IO密集型操作时,为什么线程比进程更好?
在IO密集型的操作时,进程线程都不会太占用CPU,但是进程消耗的资源比较多.
- php基本语法与函数
1.标记与注释 <?php 代码 ?> 用/* */注释一段代码, 用 // 注释一行代码 /** */文档注释 注意:若php下面只有php代码没有别的代码,那么最好不要加 ...
- iOS UITableViewCell UITableVIewController 纯代码开发
iOS UITableViewCell UITableVIewController 纯代码开发 <原创> .纯代码 自定义UITableViewCell 直接上代码 ////// #imp ...
- 第七篇、os、sys、random、time、datetime、logging
一.sys 用于提供对Python解释器相关的操作: 1 2 3 4 5 6 7 8 9 sys.argv 命令行参数List,第一个元素是程序本身路径 sys.exit(n) ...
- hihocoder 1142 三分求极值【三分算法 模板应用】
#1142 : 三分·三分求极值 时间限制:10000ms 单点时限:1000ms 内存限制:256MB 描述 这一次我们就简单一点了,题目在此: 在直角坐标系中有一条抛物线y=ax^2+bx+c和一 ...
- vim配置与使用
Vim 是一个上古神器,本篇文章主要持续总结使用 Vim 的过程中不得不了解的一些指令和注意事项,以及持续分享一个前端工作者不得不安装的一些插件,而关于 Vim 的简介,主题的选择,以及为何使用 vi ...
- HTTPSQS(HTTP Simple Queue Service)消息队列
HTTPSQS(HTTP Simple Queue Service)是一款基于 HTTP GET/POST 协议的轻量级开源简单消息队列服务,使用 Tokyo Cabinet 的 B+Tree Key ...
- Spring Cloud之Swagger2 API接口管理
随着微服务架构体系的发展和应用, 为了前后端能够更好的集成与对接,同时为了项目的方便交付,每个项目都需要提供相应的API文档. 来源:PC端.微信端.H5端.移动端(安卓和IOS端) 传统的API文档 ...