The Call of the Open Sidewalk

From a place slightly to the side of the more popular path

User Tools

Site Tools


pgpfan:forward_secrecy

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
pgpfan:forward_secrecy [2020/06/22 20:58] – [Conclusions] shorter is better b.walzerpgpfan:forward_secrecy [2022/03/19 21:50] (current) – Redundant, poorly worded. b.walzer
Line 1: Line 1:
 ======Forward Secrecy====== ======Forward Secrecy======
  
-The PGP protocol is sometimes criticized because it lacks a feature called [[wp>Forward_secrecy|forward secrecy]]. Some process is used to come up with a temporary key known only to you and your correspondent (e.g. [[wp>Diffie–Hellman key exchange]]). That key is used to encrypt the message. After the message is transferred and decrypted that temporary key is destroyed.+The PGP protocol is sometimes criticized because it lacks a feature called [[wp>Forward_secrecy|forward secrecy]]. Forward secrecy is intended to reduce or eliminate the effects of an attack that goes like this:
  
-Forward secrecy requires an end to end, bidirectional communications channel to establish a temporary keySo it is normally not usable with offline messaging. Adding an offline messaging capability to a system supporting forward secrecy involves creating an extra subsystem (e.g. the Signal protocol prekey system). PGP is able to support both offline and online messaging in the same simple straightforward way. So the cost of forward secrecy is either significant extra complexity or the lack of support for an important messaging mode. The next three subsections break out the potential benefit of forward secrecy after some sort of loss of system secrecy.+  * Some adversary records your encrypted messages and creates an archive of then without your knowledge or consent. 
 +  * Optionally the adversary can attempt to break the encryption on your messagesIf they are successful then forward secrecy provides no value. 
 +  * They then attack the place the secret key information is stored (usually an end device) to get the information required to decrypt their surreptitious archive of your encrypted messages.
  
-=====Message Archives=====+So starting out we are talking about a two phase attack that requires access to an end point and significant preplanning.
  
-If someone gains access to one of your private PGP encryption keys then they can decrypt all the archived email that was originally sent to the associated identityA system with forward secrecy requires a separate system to save and encrypt archived messages. That system can't be made any more secure than a system for protecting a PGP private key. If a better system was invented then you could use it to protect your PGP keys.+If we are talking about OpenPGP over email then creating an archive of your encrypted messages from monitoring the network is not really possible any more. Most email in transit is now separately encrypted on the network using TLSThe same situation exists for OpenPGP over XMPP.
  
-There is no practical security difference between PGP and a system providing forward secrecy for the case of message archives.+So a practical attack would involve the compromise of not just your end point but your email server as well. The attacker would have to first compromise your email server, wait to build up an archive of your messages and then compromise your end device to get the secret key material to decrypt their archive. It would make more sense for an attacker to go for your end device in the first place and end up with the same material, sooner.
  
-=====Post-Compromise=====+Email messages are normally kept indefinitely and that tends to be the default even on systems that provide forward secrecy. If the attacker gets your secret key material then they pretty much for sure are going to be able to get access to your archived messages at the same time. Very few people are willing to go without a message archive so forward secrecy is unlikely to help in most practical cases of messaging.
  
-If someone gains access to one of your private PGP encryption keys then they can then decrypt any intercepted email sent to the associated identityIf someone gains access to a private key associated with an identity used in a forward secrecy system then they only gain the ability to impersonate youThey still don't have access to shared keys you might negotiate with your correspondents so they can't decrypt passively intercepted messages.+Reduced to the essence: forward secrecy is where you delete the encryption key protecting some encrypted data to prevent that key from falling into the possession of an attacker that already has that encrypted dataThere is nothing preventing any system from doing that, even something based on the OpenPGP standardFor a practical demonstration see: [[pgpfan:gpgburn|A Demonstration of Message Burning Through Encryption using GnuPG]].
  
-This only works for the case where the access is only a copy of your private key. If your opponent gets write access to your device they can probably leverage that into access to your messages going forward. Gaining access to a pass-phrase protected PGP private key requires at least enough access to install a key-logger (or equivalent) which implies write access. The ability to impersonate you would normally give them at least partial access to your discussions.+Hardly anyone ever does forward secrecy with OpenPGPWhy not? It's easy to do in technical sense and would not cause your correspondents to have to reverify your identity.
  
-A system providing forward secrecy has theoretical advantage in this case, but in practice the advantage would likely be minimal.+In 2020 company called Cellebrite announced that they had a specific Signal Messenger data interpretation facility that would be useful in the event that their forensic box broke into the smartphone that Signal was running on(([[https://web.archive.org/web/20201210150311/https://www.cellebrite.com/en/blog/cellebrites-new-solution-for-decrypting-the-signal-app/|Cellebrite’s New Solution for Decrypting the Signal App]])). This sort of attack could not reveal any messages archived off the network due to Signal's forward secrecy. Let's compare the end result to an encrypted email client running on the same phone using traditional passphrase protection:
  
-=====Pre-Compromise=====+|                           ^ Signal    ^ Encrypted Email  ^ 
 +| Archived Network Messages | Protected | Protected        | 
 +| Messages Saved on Phone   | Revealed  | Protected        |
  
-This assumes that there is someone with enough foresight (and [[starttls|ability]]) to record your encrypted messages off the network or your email server. That message archive can be decrypted if they later gain access to your PGP private key. That archive would have been useless in the case of a forward secrecy supporting system as the decryption key(s) would of been destroyed.+So the encrypted email actually ends up providing a better result for the user. That is because it is possible to lock up the encryption key more securely in practice with an offline medium than it is with an online, always available, medium like instant messaging. It seems possible that people don't bother with forward secrecy for encrypted email because they perceive it to be secure enough already. Forward secrecy might not be worth the extra effort for that particular medium.
  
-This is the advantage of forward secrecy+In general the value of forward secrecy decreases as the protection of the secret key material increases. So it might be more important for situations like instant messaging where it is harder to protect the secret key material(([[em:emailvsim|Encrypted Email is More Secure than Encrypted Instant Messaging]]))It might be very important for situations where the same secret key material is used by many usersFor example it might be very worthwhile for an attacker to archive encrypted traffic from a messaging service used by millions of users protected by a single TLS private key if that service does not have forward secrecy.
- +
-=====Conclusions===== +
- +
-Forward secrecy removes the value of encrypted messages collected off the network before a compromise. It is fairly pointless if there are saved/archived messages. Forward secrecy increases protocol complexityThe cost of that complexity has to be weighed against the possibility of that particular attack. Forward secrecy is not really practical or desired for things like PGP protected emails or data at rest. +
- +
-I should point out here that the deletion of a PGP private key removes access to all archived messages, everywhere, instantly as there is no separate archiving systemThat is a benefit of the PGP encrypt once scheme. Key deletion is thus a PGP answer to forward secrecyModern PGP systems use separate signing and encryption keys by default so it would be reasonably easy to recover from such deletion. That is even if you did not have the foresight to use a dedicated key for the discussion that was to be forgottenYou would still retain all your identities. +
- +
-[[pgpfan:index|PGP FAN index]]+
  
 +[[pgpfan:index|PGP FAN index]]\\
 +[[em:index|Encrypted Messaging index]]
  
pgpfan/forward_secrecy.1592859502.txt.gz · Last modified: 2020/06/22 20:58 by b.walzer