Perfect Forward Secrecy

from Wikipedia, the free encyclopedia

Perfect Forward Secrecy (PFS) is a property of certain key exchange protocols in cryptography: the communication partners agree on a common session key in such a way that a third party cannot reconstruct it even if one of the two long-term keys is compromised later.

This means that recorded encrypted communication cannot be decrypted afterwards even if the long-term key becomes known. Occasionally this property is also discussed under the catchphrase "lack of consequences", since a later exposure of the long-term key has no consequences for the security of all previous sessions. The alternative English term break-backward protection emphasizes the same property.

Background

In principle, every key can be uncovered, whether through complex analysis, spying, theft, bribery, blackmail, negligence on the part of the owner, or through brute force, the trial-and-error guessing of the key. For this reason, session keys are used that are renegotiated repeatedly at short intervals. An attacker who learns such a session key can therefore decrypt only the part of the communication that was encrypted with that session key.

However, all session keys share the risk that the long-term key used to transmit the session keys securely is itself compromised. An attacker who knows this long-term key could decrypt all data traffic, in particular the transmission of the session keys, and thus gain access to all previous traffic.

This is prevented by Perfect Forward Secrecy: an attacker cannot draw any conclusions about the negotiated session keys even with knowledge of the long-term key. With TLS this is achieved by having the long-term key belong to a signature scheme and using it only to sign short-term keys. With each of these short-term keys, a session key is negotiated by means of a Diffie-Hellman key exchange. If a server is compromised, the attacker learns only the long-term signature key and the session keys of currently active connections. The session keys of previous connections have already been deleted and can no longer be reconstructed.
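As an added illustration (this is not code from the article), the following toy Python model contrasts the two handshake patterns the paragraph describes: signed ephemeral Diffie-Hellman, where the long-term key only authenticates short-term public values, and key transport, where the session key itself travels wrapped under the long-term key. Assumptions of this model: the server's signature is stood in for by an HMAC under a symmetric long-term key (TLS uses an asymmetric signature), the DH group is the 1024-bit MODP group 2 from RFC 2409 transcribed here (far too small for production use, chosen only so the arithmetic is real), the sample long-term key is constructed, and all function names are my own.

```python
"""Toy model contrasting a PFS key exchange (signed ephemeral Diffie-Hellman,
the TLS DHE pattern) with key transport under a long-term key."""
import hashlib
import hmac
import secrets

# Diffie-Hellman group: 1024-bit MODP group 2 from RFC 2409 (transcribed here;
# far too small for production use, chosen only so the arithmetic is real).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = 128  # every group element fits in 128 bytes


def ephemeral_keypair():
    """Fresh short-term DH exponent x and its public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def kdf(label: str, *parts) -> bytes:
    """Derive 32 key bytes as SHA-256 over a label and the byte-encoded inputs."""
    h = hashlib.sha256(label.encode())
    for part in parts:
        h.update(part if isinstance(part, bytes) else part.to_bytes(NBYTES, "big"))
    return h.digest()


def sign(long_term_key: bytes, data: bytes) -> bytes:
    """Stand-in for the server's signature. Assumption of this toy model: the
    long-term key is a symmetric HMAC key; real TLS uses an asymmetric signature."""
    return hmac.new(long_term_key, data, hashlib.sha256).digest()


def dhe_handshake(server_long_term_key: bytes):
    """Signed ephemeral DH: the long-term key authenticates only the short-term
    public value. Returns the agreed session key and the recorded transcript."""
    s_priv, s_pub = ephemeral_keypair()
    s_pub_bytes = s_pub.to_bytes(NBYTES, "big")
    tag = sign(server_long_term_key, s_pub_bytes)
    c_priv, c_pub = ephemeral_keypair()
    # The client checks the server's authentication tag before deriving anything.
    if not hmac.compare_digest(tag, sign(server_long_term_key, s_pub_bytes)):
        raise ValueError("server authentication failed")
    client_key = kdf("dhe-session", pow(s_pub, c_priv, P))
    server_key = kdf("dhe-session", pow(c_pub, s_priv, P))
    if client_key != server_key:
        raise RuntimeError("DH sides disagree")
    del s_priv, c_priv  # ephemeral exponents are erased once the handshake is done
    transcript = {"server_pub": s_pub, "tag": tag, "client_pub": c_pub}
    return server_key, transcript


def key_transport_handshake(server_long_term_key: bytes):
    """No PFS: the session key itself travels wrapped under the long-term key
    (modeled as XOR with a pad derived from the long-term key)."""
    session_key = secrets.token_bytes(32)
    pad = kdf("wrap", server_long_term_key)
    wrapped = bytes(a ^ b for a, b in zip(session_key, pad))
    return session_key, {"wrapped_key": wrapped}


def later_compromise(server_long_term_key: bytes, transcript: dict):
    """An attacker who recorded the transcript and later obtains the long-term key.
    Returns (recovered session key or None, whether future sessions could now be
    authenticated with the stolen key)."""
    if "wrapped_key" in transcript:
        pad = kdf("wrap", server_long_term_key)
        return bytes(a ^ b for a, b in zip(transcript["wrapped_key"], pad)), True
    # PFS case: the recording holds only g^x and g^y; the exponents were erased
    # and the long-term key plays no part in the session key derivation.
    return None, True


if __name__ == "__main__":
    ltk = b"constructed server long-term key"
    k, tr = dhe_handshake(ltk)
    print("DHE: session key recovered after compromise ->", later_compromise(ltk, tr)[0])
    k2, tr2 = key_transport_handshake(ltk)
    print("key transport: session key recovered ->", later_compromise(ltk, tr2)[0] == k2)
```

In both designs the stolen long-term key lets the attacker act as the server in future connections; the difference PFS makes is only to the recorded past: the key transport transcript yields the old session key, the DHE transcript does not.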

Practice

Today's standard methods use much longer-lived asymmetric master keys alongside the symmetric session keys. For a communication channel to be PFS-capable, these master keys must be handled so that knowledge of one or both of the private keys of the communication endpoints does not make it easier for an attacker to uncover the session keys.

A disadvantage of Perfect Forward Secrecy is the significantly higher effort required to generate session keys and the resulting lower processing speed. For this reason, it can be deactivated for some encryption methods (e.g. IPsec).

In April 2019, the Federal Office for Information Security recommended the use of TLS 1.2 or TLS 1.3 in combination with Perfect Forward Secrecy in its security requirements for the use of TLS when transmitting data.

Of the major international IT companies, Google was the first to support the standard. Facebook, YouTube and others now use this method as well. Microsoft has been using PFS since mid-2014 for HTTPS-protected communication between clients and the servers of Outlook.com, Microsoft OneDrive and Office 365. The Wikimedia Foundation has also supported the standard for all wikis it hosts since July 2014. Apple announced at its 2016 developer conference (WWDC) that from 2017 it would only allow apps in the App Store that support communication via TLS 1.2 in conjunction with PFS in App Transport Security.

According to the Trustworthy Internet Movement, in January 2015 around 20.9 percent of all websites using TLS encryption were configured with cipher suites that support Perfect Forward Secrecy with modern browsers. A year later, in January 2016, the figure was already around 46.9 percent.

Literature

  • Naganand Doraswamy, Dan Harkins: IPSec. The New Security Standard for the Internet, Intranets, and Virtual Private Networks. 2nd edition. Prentice Hall PTR, Upper Saddle River NJ 2003, ISBN 0-13-046189-X.
