=========== From a netizen ===========

“前向安全性” should correspond to “forward security”. That definition was first proposed by Mihir Bellare and Sara K. Miner at CRYPTO ’99 as a property of digital signatures [1].
“Perfect forward secrecy”, on the other hand, was proposed by Christoph G. Günther at EUROCRYPT ’89, originally to define a security property of session key exchange protocols [2].

(Perfect) forward secrecy roughly means: if the long-term key used to generate session keys is leaked, this does not cause the session keys used in earlier communications to be leaked, and so does not expose earlier communication content. Simply put, once you have lost this long-term key, the security of your subsequent behaviour can no longer be guaranteed, but your earlier behaviour remains secure.
“Perfect” is placed in parentheses because the word implies unconditional security, and most forward secrecy schemes cannot achieve “perfect”.
Forward security, in turn, guarantees that an adversary who obtains your current key still cannot successfully forge a past signature.

Simply put, the two concepts are used in different settings, but their intent is the same: to guarantee the confidentiality of messages, or the unforgeability of signatures, from before the key was lost.
Generally speaking, in a public-key (signature, key exchange or encryption) scheme that satisfies forward secrecy or forward security, the public key is fixed while the secret key is updated over time. This update process is one-way, which guarantees that someone who obtains the current key cannot recover earlier keys, and thereby guarantees “forward security”.

There is also the corresponding concept of “backward security (backward secrecy or security)”, but it has been studied relatively little; if the original poster is interested, they can look it up themselves.

References:
[1] Bellare, Mihir, and Sara K. Miner. "A forward-secure digital signature scheme." Advances in Cryptology—Crypto’99. Springer Berlin Heidelberg, 1999.
[2] Günther, Christoph G. "An identity-based key-exchange protocol." Advances in Cryptology—Eurocrypt’89. Springer Berlin Heidelberg, 1989.
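The answer above describes the structure shared by forward-secure schemes: a fixed identity, a secret key that moves through a one-way update each period, and the old key erased. The following is an added example, not code from the answer or from the cited papers: a symmetric stand-in in which the one-way update is HMAC-SHA256 and tags are HMACs under the period key. The `Verifier` holding every period key, the ratchet label and the seed are all constructed for the demonstration; a real forward-secure signature scheme such as Bellare–Miner gives the verifier only a fixed public key.

```python
import hmac
import hashlib

# Constructed example: a symmetric stand-in for forward-secure key evolution.
# The identity ("public key") is fixed, the secret key moves through a one-way
# update once per period, and the previous key is erased. Not code from the
# answer above or from the cited papers.

RATCHET_LABEL = b"forward-secure-ratchet"  # constructed domain label


def next_key(current_key: bytes) -> bytes:
    """One-way update k_{i+1} = HMAC-SHA256(k_i, label): cheap to go forward,
    going back would require inverting HMAC-SHA256."""
    return hmac.new(current_key, RATCHET_LABEL, hashlib.sha256).digest()


def key_for_period(seed: bytes, period: int) -> bytes:
    """Walk the chain from k_0 (the seed) to k_period."""
    key = seed
    for _ in range(period):
        key = next_key(key)
    return key


def make_tag(period_key: bytes, period: int, message: bytes) -> bytes:
    """Bind the period into the tag so a period-0 tag cannot be replayed as a
    period-1 tag even though the verifier knows both keys."""
    return hmac.new(period_key, period.to_bytes(4, "big") + message, hashlib.sha256).digest()


class ForwardSecureSigner:
    """Signer: holds only the key of the current period."""

    def __init__(self, seed: bytes) -> None:
        self.period = 0
        self._key = seed

    def advance(self) -> None:
        self._key = next_key(self._key)  # k_i is overwritten, not archived
        self.period += 1

    def sign(self, message: bytes) -> tuple[int, bytes]:
        return self.period, make_tag(self._key, self.period, message)

    def leak_current_key(self) -> tuple[int, bytes]:
        """Models the compromise event: the adversary learns (n, k_n)."""
        return self.period, self._key


class Verifier:
    """Trusted verifier holding every period key (constructed stand-in for the
    fixed public key of a real forward-secure signature scheme)."""

    def __init__(self, seed: bytes, total_periods: int) -> None:
        self._keys = [key_for_period(seed, i) for i in range(total_periods)]

    def verify(self, period: int, message: bytes, tag: bytes) -> bool:
        if not 0 <= period < len(self._keys):
            return False
        return hmac.compare_digest(make_tag(self._keys[period], period, message), tag)


def forge_from_compromise(leaked_period: int, leaked_key: bytes, target_period: int, message: bytes):
    """Adversary holding (n, k_n): can ratchet forward to any m >= n, but has
    no operation that yields k_m for m < n."""
    if target_period < leaked_period:
        return None
    key = leaked_key
    for _ in range(target_period - leaked_period):
        key = next_key(key)
    return make_tag(key, target_period, message)


def demo() -> dict:
    seed = bytes.fromhex("00" * 32)  # constructed k_0; use os.urandom(32) in practice
    signer = ForwardSecureSigner(seed)
    verifier = Verifier(seed, total_periods=5)
    period0, tag0 = signer.sign(b"contract v1")  # signed in period 0
    signer.advance()
    signer.advance()                              # signer is now in period 2
    leaked_period, leaked_key = signer.leak_current_key()
    past_forgery = forge_from_compromise(leaked_period, leaked_key, 0, b"contract v1 (altered)")
    future_forgery = forge_from_compromise(leaked_period, leaked_key, 4, b"contract v9")
    return {
        "genuine_period0_verifies": verifier.verify(period0, b"contract v1", tag0),
        "period0_tag_replayed_as_period1": verifier.verify(1, b"contract v1", tag0),
        "past_forgery_possible": past_forgery is not None,
        "future_forgery_verifies": verifier.verify(4, b"contract v9", future_forgery),
    }


if __name__ == "__main__":
    print(demo())
```

The asymmetry the answer describes shows up directly in `demo()`: with k_2 in hand, the adversary ratchets forward and produces a tag that verifies for period 4, while a period-0 forgery is simply not computable from k_2. Two details matter in practice and are easy to get wrong: the signer must actually overwrite the old key rather than keep it around, and the period must be bound into what is authenticated, otherwise an old tag stays valid in later periods.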

=========== Wikipedia ===========

The Chinese translation is here: http://blog.csdn.net/gufachongyang02/article/details/53392842

Forward secrecy

From Wikipedia, the free encyclopedia

In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a property of secure communication protocols in which compromise of long-term keys does not compromise past session keys. Forward secrecy protects past sessions against future compromises of secret keys or passwords. If forward secrecy is used, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted should long-term secret keys or passwords be compromised in the future, even if the adversary actively interfered.

History

The term "perfect forward secrecy" was coined by C. G. Günther in 1990 and further discussed by Whitfield Diffie, Paul van Oorschot, and Michael James Wiener in 1992,[1] where it was used to describe a property of the Station-to-Station protocol.[2]

Forward secrecy has also been used to describe the analogous property of password-authenticated key agreement protocols where the long-term secret is a (shared) password.[3]

Annex D.5.1 of IEEE 1363-2000 discusses the related one-party and two-party forward secrecy properties of various standard key agreement schemes (for two-party forward secrecy properties compare below 2WIPFS: "2-Way-Instant-Perfect-Forward-Secrecy").

Forward secrecy

A public-key system has the property of forward secrecy if it generates one random secret key per session to complete a key agreement, without using a deterministic algorithm. This means that the compromise of one message cannot compromise others as well, and there is no one secret value whose acquisition would compromise multiple messages. This is not to be confused with the perfect secrecy demonstrated by one-time pads: when it is used properly, the one-time pad involves multiple parties agreeing on a set of disposable keys by communicating it fully in private—without a formalized key agreement system—and then using each key for one message only.

Attacks

Forward secrecy is designed to prevent the compromise of a long-term secret key from affecting the confidentiality of past conversations. However, forward secrecy cannot defend against a successful cryptanalysis of the underlying ciphers being used, since a cryptanalysis consists of finding a way to decrypt an encrypted message without the key, and forward secrecy only protects keys, not the ciphers themselves. A patient attacker can capture a conversation whose confidentiality is protected through the use of public-key cryptography and wait until the underlying cipher is broken (e.g. large quantum computers could be created which allow the discrete logarithm problem to be computed quickly). This would allow the recovery of old plaintexts even in a system employing forward secrecy.

Weak perfect forward secrecy

Weak perfect forward secrecy (wPFS) is the weaker property whereby when agents' long-term keys are compromised, the secrecy of previously established session-keys is guaranteed, but only for sessions in which the adversary did not actively interfere. This new notion, and the distinction between this and forward secrecy was introduced by Hugo Krawczyk in 2005.[4][5] This weaker definition implicitly requires that full (perfect) forward secrecy maintains the secrecy of previously established session keys even in sessions where the adversary did actively interfere, or attempted to act as a man in the middle.
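The definition above ("one random secret key per session") and the weak/full distinction in this section can be seen side by side in a small simulation. The following is an added example, not code from the Wikipedia article or from any protocol it names: design A derives the session key from a long-term shared secret plus two nonces that travel in the clear, design B runs an ephemeral Diffie–Hellman exchange and uses the long-term secret only to authenticate the transcript with an HMAC. The compromise is then replayed against a recording of each session. The Diffie–Hellman group (p = 2^127 − 1, generator 3), the long-term secret and the derivation labels are toy values constructed so the example runs on the standard library; they are not a secure group or real parameters.

```python
import hmac
import hashlib
import secrets

# Constructed example contrasting a key-exchange design without forward
# secrecy against one with it, then replaying the long-term-key compromise.
# Toy Diffie-Hellman group: p = 2^127 - 1 with generator 3, chosen only so the
# example runs on the standard library; it is not a secure group.
P = (1 << 127) - 1
G = 3


def derive(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 used as a simple KDF: key material in, 32-byte key out."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def encode(x: int) -> bytes:
    return x.to_bytes(16, "big")


# Design A, no forward secrecy: the session key is a function of the
# long-term shared secret and two nonces that travel in the clear.
def static_key_session(long_term: bytes, nonce_client: bytes, nonce_server: bytes) -> bytes:
    return derive(long_term, b"static", nonce_client, nonce_server)


# Design B, forward secrecy: fresh ephemeral exponents per session; the
# long-term secret only authenticates the transcript and never feeds the key.
def ephemeral_dh_session(long_term: bytes) -> tuple[bytes, dict]:
    a = secrets.randbelow(P - 2) + 1   # client ephemeral, exists only for this call
    b = secrets.randbelow(P - 2) + 1   # server ephemeral
    A, B = pow(G, a, P), pow(G, b, P)
    transcript = encode(A) + encode(B)
    auth_tag = hmac.new(long_term, transcript, hashlib.sha256).digest()
    shared = pow(B, a, P)
    assert shared == pow(A, b, P)      # both sides agree on g^(ab)
    session_key = derive(b"ephemeral", encode(shared), transcript)
    # a and b go out of scope here; only what was on the wire is "recorded".
    return session_key, {"A": A, "B": B, "auth_tag": auth_tag}


def attacker_static(long_term: bytes, recorded: dict) -> bytes:
    """Long-term secret plus recorded nonces rebuild the past session key."""
    return static_key_session(long_term, recorded["nonce_client"], recorded["nonce_server"])


def attacker_ephemeral(long_term: bytes, recorded: dict) -> tuple[bool, bytes]:
    """Long-term secret plus transcript: the MAC now verifies, so future
    handshakes can be impersonated, but recovering g^(ab) from g^a and g^b is
    the Diffie-Hellman problem. The key-independent value g^(a+b) is returned
    as the 'best guess' to show it does not match the real session key."""
    transcript = encode(recorded["A"]) + encode(recorded["B"])
    can_impersonate = hmac.compare_digest(
        hmac.new(long_term, transcript, hashlib.sha256).digest(), recorded["auth_tag"])
    wrong_guess = derive(b"ephemeral", encode(recorded["A"] * recorded["B"] % P), transcript)
    return can_impersonate, wrong_guess


def demo() -> dict:
    long_term = bytes.fromhex("11" * 32)  # constructed long-term shared secret
    nonce_client, nonce_server = secrets.token_bytes(16), secrets.token_bytes(16)
    key_a = static_key_session(long_term, nonce_client, nonce_server)
    recorded_a = {"nonce_client": nonce_client, "nonce_server": nonce_server}
    key_b, recorded_b = ephemeral_dh_session(long_term)
    # Later: the long-term secret is compromised; the attacker holds the recordings.
    can_impersonate, guess_b = attacker_ephemeral(long_term, recorded_b)
    return {
        "static_past_key_recovered": attacker_static(long_term, recorded_a) == key_a,
        "ephemeral_future_impersonation": can_impersonate,
        "ephemeral_past_key_recovered": guess_b == key_b,
    }


if __name__ == "__main__":
    print(demo())
```

The MAC over the transcript is also what separates full from weak forward secrecy in this toy: because the ephemeral values were authenticated with a key the adversary did not have at the time, an active man in the middle could not have substituted its own g^x during the session, and learning the long-term key afterwards still yields only g^a and g^b. Had the design left the ephemeral values unauthenticated, past sessions would stay secret only where the adversary was passive, which is exactly the wPFS notion described above.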

Protocols


Forward secrecy is present in several major protocol implementations, such as SSH and as an optional feature in IPsec (RFC 2412). Off-the-Record Messaging, a cryptography protocol and library for many instant messaging clients, provides forward secrecy as well as deniable encryption.

In Transport Layer Security (TLS), Diffie–Hellman key exchange-based PFSs (DHE-RSA, DHE-DSA) and elliptic curve Diffie–Hellman-based PFSs (ECDHE-RSA, ECDHE-ECDSA) are available. In theory, TLS can choose appropriate ciphers since SSLv3, but in everyday practice many implementations have refused to offer forward secrecy or only provide it with very low encryption grade.[6]

OpenSSL supports forward secrecy using elliptic curve Diffie–Hellman since version 1.0,[7] with a computational overhead of approximately 15%.[8]

The Signal Protocol uses the Double Ratchet Algorithm to provide forward secrecy.[9] The protocol was developed by Open Whisper Systems in 2013[10] and was first introduced in the Signal app in February 2014.[11] It has since been implemented into WhatsApp, Facebook Messenger, and Google Allo, encrypting the conversations of "more than a billion people worldwide".[12]

On the other hand, among popular protocols currently in use, WPA doesn't support forward secrecy.

Use

Forward secrecy is seen as an important security feature by several large Internet information providers. Since late 2011, Google provided forward secrecy with TLS by default to users of its Gmail service, Google Docs service, and encrypted search services.[7] Since November 2013, Twitter provided forward secrecy with TLS to its users.[13] Wikis hosted by the Wikimedia Foundation have all provided forward secrecy to users since July 2014.[14]

Facebook reported as part of an investigation into email encryption that, as of May 2014, 74% of hosts that support STARTTLS also provide Forward Secrecy.[15] As of June 2016, 51.9% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to modern web browsers.[16]

At WWDC 2016, Apple announced that all iOS apps would need to use "ATS" (App Transport Security), a feature which enforces the use of HTTPS transmission. Specifically, ATS requires the use of an encryption cipher that provides forward secrecy.[17] ATS became mandatory for apps on Jan 1st, 2017.[18]

References

  1. Menezes, Alfred; van Oorschot, Paul C.; Vanstone, Scott (1997). Handbook of Applied Cryptography. CRC Press. ISBN 0-8493-8523-7.
  2. Diffie, Whitfield; van Oorschot, Paul C.; Wiener, Michael J. (June 1992). "Authentication and Authenticated Key Exchanges" (PDF). Designs, Codes and Cryptography 2 (2): 107–125. doi:10.1007/BF00124891. Retrieved 2013-09-07.
  3. Jablon, David P. (October 1996). "Strong Password-Only Authenticated Key Exchange". ACM Computer Communication Review 26 (5): 5–26. CiteSeerX 10.1.1.81.2594. doi:10.1145/242896.242897.
  4. Krawczyk, Hugo (2005). HMQV: A High-Performance Secure Diffie-Hellman Protocol. Advances in Cryptology – CRYPTO 2005. Lecture Notes in Computer Science 3621. pp. 546–566. ISBN 978-3-540-28114-6. doi:10.1007/11535218_33.
  5. Cremers, Cas; Feltz, Michèle (2015). "Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal" (PDF). Designs, Codes and Cryptography. Springer US. 74 (1): 183–218. doi:10.1007/s10623-013-9852-1. Retrieved 8 December 2015.
  6. Discussion on the TLS mailing list in October 2007.
  7. "Protecting data for the long term with forward secrecy". Retrieved 2012-11-05.
  8. Vincent Bernat. "SSL/TLS & Perfect Forward Secrecy". Retrieved 2012-11-05.
  9. Unger, Nik; Dechand, Sergej; Bonneau, Joseph; Fahl, Sascha; Perl, Henning; Goldberg, Ian; Smith, Matthew (17–21 May 2015). "SoK: Secure Messaging" (PDF). 2015 IEEE Symposium on Security and Privacy. San Jose, CA: Institute of Electrical and Electronics Engineers: 241. doi:10.1109/SP.2015.22. Retrieved 4 December 2015.
  10. Ermoshina, Ksenia; Musiani, Francesca; Halpin, Harry (September 2016). "End-to-End Encrypted Messaging Protocols: An Overview". In Bagnoli, Franco; et al. Internet Science. INSCI 2016. Florence, Italy: Springer. pp. 244–254. ISBN 978-3-319-45982-0. doi:10.1007/978-3-319-45982-0_22.
  11. Donohue, Brian (24 February 2014). "TextSecure Sheds SMS in Latest Version". Threatpost. Retrieved 14 July 2016.
  12. "Moxie Marlinspike - 40 under 40". Fortune. Time Inc. 2016. Retrieved 22 September 2016.
  13. Hoffman-Andrews, Jacob. "Forward Secrecy at Twitter". Twitter. Retrieved 25 November 2013.
  14. "Tech/News/2014/27 - Meta". Wikimedia Foundation. 2014-06-30. Retrieved 30 June 2014.
  15. "The Current State of SMTP STARTTLS Deployment". Retrieved 7 June 2014.
  16. As of June 2, 2016. "SSL Pulse: Survey of the SSL Implementation of the Most Popular Web Sites". Retrieved 2016-06-17.
  17. https://developer.apple.com/library/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html#//apple_ref/doc/uid/TP40016198-SW14
  18. "App Transport Security REQUIRED January 2017 | Apple Developer Forums". forums.developer.apple.com. Retrieved 2016-10-20.

