The Call of the Open Sidewalk

From a place slightly to the side of the more popular path


pgpfan:forward_secrecy

Differences

This shows you the differences between two versions of the page.

pgpfan:forward_secrecy [2020/06/11 01:08] – index b.walzerpgpfan:forward_secrecy [2020/07/14 17:51] – The major rewrite b.walzer
Line 1: Line 1:
 ======Forward Secrecy====== ======Forward Secrecy======
  
-The PGP protocol is sometimes criticized because it lacks a feature called [[wp>Forward_secrecy|forward secrecy]]. Some process is used to come up with a temporary key known only to you and your correspondent (e.g. [[wp>Diffie–Hellman key exchange]]). That key is used to encrypt the message. After the message is transferred and decrypted that temporary key is destroyed.+The PGP protocol is sometimes criticized because it lacks a feature called [[wp>Forward_secrecy|forward secrecy]]. It goes something like this:
  
-Forward secrecy requires an end to end, bidirectional communications channel to establish a temporary key. So it is normally not usable with offline messaging. Adding an offline messaging capability to a system supporting forward secrecy involves creating an extra subsystem (e.g. the Signal protocol prekey system). PGP is able to support both offline and online messaging in the same simple straightforward waySo the cost of forward secrecy is either significant extra complexity or the lack of support for an important messaging mode. The next three subsections break out the potential benefit of forward secrecy after some sort of loss of system secrecy.+Some process is used to come up with a temporary key known only to you and your correspondent (e.g. [[wp>Diffie–Hellman key exchange]]). That key is used to encrypt the messageAfter the message is transferred and decrypted that temporary key is destroyed. Since the key is gone the message is inaccessible. The goal is to permanently prevent access to your message after it has been transferred.
  
-=====Message Archives=====+The first important point is that forward secrecy depends on the integrity of the encryption. If someone manages to break the encryption on your old messages they will still get access to them.
  
-If someone gains access to one of your private PGP encryption keys then they can decrypt all the archived email that was originally sent to the associated identityA system with forward secrecy requires a separate system to save and encrypt archived messages. That system can't be made any more secure than a system for protecting a PGP private key. If a better system was invented then you could use it to protect your PGP keys.+The second important point comes from the firstSince forward secrecy depends on the integrity of the encryption it will only be superior in the case where someone gets access to your private key informationFor the end to end encryption case that will mean compromising an end device.
  
-There is no practical security difference between PGP and system providing forward secrecy for the case of message archives.+If someone compromises your end device then they have access to whatever you have access to. They can acquire any passwords or passphrases with key logger. They can see what you see on the screen either at the character stream level or with screenshotsThere are two important implications here:
  
-=====Post-Compromise=====+  * They get access to any saved messages. For forward secrecy to work you must give up message archiving. 
 +  * They get access to any transferred messages. Forward secrecy is of no value after a compromise.
  
-If someone gains access to one of your private PGP encryption keys then they can then decrypt any intercepted email sent to the associated identity. If someone gains access to a private key associated with an identity used in a forward secrecy system then they only gain the ability to impersonate youThey still don't have access to shared keys you might negotiate with your correspondents so they can't decrypt passively intercepted messages.+Forward secrecy requires an end to end, bidirectional communications channel to establish temporary key. So it is normally not usable with offline messaging. Adding an offline messaging capability to system supporting forward secrecy involves creating an extra subsystem (e.g. the Signal protocol prekey system)A forward secrecy supporting system by necessity also requires a separate subsystem for message archiving.  As a contrast, PGP is able to support offline messaging, online messaging and message archiving in the same simple straightforward way. So the cost of forward secrecy is either significant extra complexity or the lack of support for an important messaging mode.
  
-This only works for the case where the access is only a copy of your private key. If your opponent gets write access to your device they can probably leverage that into access to your messages going forward. Gaining access to a pass-phrase protected PGP private key requires at least enough access to install a key-logger (or equivalent) which implies write access. The ability to impersonate you would normally give them at least partial access to your discussions. +In the case of something like encrypted email where archived messages almost always exist the benefit of forward secrecy is not worth the cost of the extra complexity. That is probably true for any end to end encrypted messaging application with an offline message delivery capability where messages are normally kept.
- +
-A system providing forward secrecy has a theoretical advantage in this case, but in practice the advantage would likely be minimal. +
- +
-=====Pre-Compromise===== +
- +
-This assumes that there is someone with enough foresight to record your encrypted messages off the network. That message archive can be decrypted if they have access to your PGP private key, as before. That archive is useless in the case of forward secrecy supporting system as the decryption key(s) have been destroyed. +
- +
-This is the advantage of forward secrecy. +
- +
-=====Conclusions===== +
- +
-Forward secrecy removes the value of encrypted messages collected off the network before a compromise. Forward secrecy increases protocol complexity. The cost of that complexity has to be weighed against the possibility of that particular attack. +
- +
-The value provided by a forward secrecy system is mostly negated for those messages that are archived. If you truly want the messages to be gone for others you have to have to make them gone for you as well. This is a fairly heavy price to pay to guard against an obscure and unlikely attack. +
- +
-I should point out here that the deletion of a PGP private key removes access to all archived messages, everywhere, instantly as there is no separate archiving system. That is a benefit of the PGP encrypt once scheme. Key deletion is thus a PGP answer to forward secrecy. Modern PGP systems use separate signing and encryption keys by default so it would be reasonably easy to recover from such a deletion. That is even if you did not have the foresight to use a dedicated key for the discussion that was to be forgotten. You would still retain all your identities.+
  
 [[pgpfan:index|PGP FAN index]] [[pgpfan:index|PGP FAN index]]
- 
  
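Review bot: The new second bullet, "They get access to any transferred messages. Forward secrecy is of no value after a compromise.", reads as a blanket claim and drops the one case the previous revision's Pre-Compromise section conceded: ciphertext recorded off the network before the key is compromised stays unreadable under forward secrecy but is decryptable under PGP once the private key is obtained. Suggest "any messages transferred after the compromise" and keeping a sentence on the pre-compromise capture case, so the closing cost/benefit paragraph still names what is being traded away. Smaller points in the added text: "with key logger", "establish temporary key" and "to system supporting" each need an "a"; the double space before "As a contrast" should go; and if the missing full stops after "the message", "the first", "screenshots" and "impersonate you" are in the wiki source rather than an artifact of the diff rendering, they need restoring.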
pgpfan/forward_secrecy.txt · Last modified: 2022/03/19 21:50 by b.walzer