pgpfan:forward_secrecy
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision | ||
pgpfan:forward_secrecy [2020/06/22 20:58] – [Conclusions] shorter is better b.walzer | pgpfan:forward_secrecy [2020/07/14 17:51] – The major rewrite b.walzer | ||
---|---|---|---|
Line 1: | Line 1: | ||
======Forward Secrecy====== | ======Forward Secrecy====== | ||
- | The PGP protocol is sometimes criticized because it lacks a feature called [[wp> | + | The PGP protocol is sometimes criticized because it lacks a feature called [[wp> |
- | Forward secrecy requires an end to end, bidirectional communications channel to establish | + | Some process is used to come up with a temporary key known only to you and your correspondent |
- | =====Message Archives===== | + | The first important point is that forward secrecy depends on the integrity of the encryption. If someone manages to break the encryption on your old messages they will still get access to them. |
- | If someone gains access to one of your private PGP encryption keys then they can decrypt all the archived email that was originally sent to the associated identity. A system with forward secrecy | + | The second important point comes from the first. Since forward secrecy |
- | There is no practical security difference between PGP and a system providing forward secrecy for the case of message archives. | + | If someone compromises your end device then they have access to whatever you have access to. They can acquire any passwords or passphrases with a key logger. They can see what you see on the screen either at the character stream level or with screenshots. There are two important implications here: |
- | =====Post-Compromise===== | + | * They get access to any saved messages. For forward secrecy to work you must give up message archiving. |
+ | * They get access to any transferred messages. Forward secrecy is of no value after a compromise. | ||
- | If someone gains access | + | Forward secrecy requires an end to end, bidirectional communications channel |
- | This only works for the case where the access is only a copy of your private key. If your opponent gets write access to your device they can probably leverage that into access to your messages going forward. Gaining access to a pass-phrase protected PGP private key requires at least enough access to install a key-logger (or equivalent) which implies write access. The ability to impersonate you would normally give them at least partial access to your discussions. | + | In the case of something like encrypted email where archived messages |
- | + | ||
- | A system providing forward secrecy has a theoretical advantage in this case, but in practice the advantage would likely be minimal. | + | |
- | + | ||
- | =====Pre-Compromise===== | + | |
- | + | ||
- | This assumes that there is someone with enough foresight (and [[starttls|ability]]) to record your encrypted | + | |
- | + | ||
- | This is the advantage of forward secrecy. | + | |
- | + | ||
- | =====Conclusions===== | + | |
- | + | ||
- | Forward secrecy removes the value of encrypted messages collected off the network before a compromise. It is fairly pointless if there are saved/archived messages. Forward secrecy increases protocol complexity. The cost of that complexity has to be weighed against | + | |
- | + | ||
- | I should point out here that the deletion of a PGP private key removes access to all archived messages, everywhere, instantly as there is no separate archiving system. That is a benefit | + | |
[[pgpfan: | [[pgpfan: | ||
- | |||
pgpfan/forward_secrecy.txt · Last modified: 2022/03/19 21:50 by b.walzer