Next revision | Previous revisionNext revisionBoth sides next revision |
pgpfan:forward_secrecy [2020/05/27 19:11] – created b.walzer | pgpfan:forward_secrecy [2020/07/14 17:51] – The major rewrite b.walzer |
---|
======Forward Secrecy====== | ======Forward Secrecy====== |
| |
Someone gets access to your PGP private key(s). What to they get? | The PGP protocol is sometimes criticized because it lacks a feature called [[wp>Forward_secrecy|forward secrecy]]. It goes something like this: |
| |
- Access to any of your future incoming PGP protected email that they can see in transit. | Some process is used to come up with a temporary key known only to you and your correspondent (e.g. [[wp>Diffie–Hellman key exchange]]). That key is used to encrypt the message. After the message is transferred and decrypted that temporary key is destroyed. Since the key is gone the message is inaccessible. The goal is to permanently prevent access to your message after it has been transferred. |
- Access to your archived email. | |
- Access to any of your past incoming PGP protected email that they recorded in transit. | |
| |
[[wp>Forward_secrecy|Forward secrecy]] addresses the third issue. Some process is used to come up with a temporary key known only to you and your correspondent (e.g. [[wp>Diffie–Hellman key exchange]]). That key is used to encrypt the message. After the message is transferred and decrypted that temporary key is destroyed. That way any of your protected emails intercepted by someone will stay protected unless that someone figures out how to break the underlying crytographic algorithm(s). That is normally much harder than stealing your private key(s). | |
| |
Real time forward secrecy requires a end to end, bidirectional communications channel to establish a temporary key. Email is inherently unidirectional and allows the email to be stored and forwarded. Old emails tend to be relatively valuable and are often archived. That makes forward secrecy pointless in practice. Whatever method is used to get the private keys could be used to get access to the archives. | The first important point is that forward secrecy depends on the integrity of the encryption. If someone manages to break the encryption on your old messages they will still get access to them. |
| |
You can get the result of forward secrecy by using PGP with a bit of forethought. You and your correspondent(s) would create subkeys specifically for the discussion that is to be forgotten. Those keys would be used for that discussion for as long as could be considered prudent. That might be many years; sometimes the only requirement is that a discussion //can// be forgotten. Then you and your correspondent(s) delete the subkeys. That will also permanently remove access to any archived emails. wherever they ended up. A system that provided real time forward secrecy would need a separate archive system and thus would likely require some careful deletion if such an archive was kept. The PGP case allows a complete archive with no extra risk. This is a benefit of the PGP encrypt once scheme. | The second important point comes from the first. Since forward secrecy depends on the integrity of the encryption it will only be superior in the case where someone gets access to your private key information. For the end to end encryption case that will mean compromising an end device. |
| |
| If someone compromises your end device then they have access to whatever you have access to. They can acquire any passwords or passphrases with a key logger. They can see what you see on the screen either at the character stream level or with screenshots. There are two important implications here: |
| |
| * They get access to any saved messages. For forward secrecy to work you must give up message archiving. |
| * They get access to any transferred messages. Forward secrecy is of no value after a compromise. |
| |
| Forward secrecy requires an end to end, bidirectional communications channel to establish a temporary key. So it is normally not usable with offline messaging. Adding an offline messaging capability to a system supporting forward secrecy involves creating an extra subsystem (e.g. the Signal protocol prekey system). A forward secrecy supporting system by necessity also requires a separate subsystem for message archiving. As a contrast, PGP is able to support offline messaging, online messaging and message archiving in the same simple straightforward way. So the cost of forward secrecy is either significant extra complexity or the lack of support for an important messaging mode. |
| |
| In the case of something like encrypted email where archived messages almost always exist the benefit of forward secrecy is not worth the cost of the extra complexity. That is probably true for any end to end encrypted messaging application with an offline message delivery capability where messages are normally kept. |
| |
| [[pgpfan:index|PGP FAN index]] |
| |