The Call of the Open Sidewalk

From a place slightly to the side of the more popular path



Forward Secrecy

The PGP protocol is sometimes criticized because it lacks a feature called forward secrecy. With forward secrecy, some process (e.g. a Diffie–Hellman key exchange) is used to come up with a temporary key known only to you and your correspondent. That key is used to encrypt the message. After the message is transferred and decrypted, the temporary key is destroyed, so no surviving key can decrypt that message again.

Forward secrecy requires an end to end, bidirectional communications channel to establish a temporary key, so it is normally not usable with offline messaging. Adding an offline messaging capability to a system supporting forward secrecy involves creating an extra subsystem (e.g. the Signal protocol prekey system, where each party uploads a bundle of prekeys in advance so that a sender can complete the exchange while the recipient is offline). PGP is able to support both offline and online messaging in the same simple, straightforward way. So the cost of forward secrecy is either significant extra complexity or the lack of support for an important messaging mode. The next three subsections break out the potential benefit of forward secrecy after some sort of loss of system secrecy.

Message Archives

If someone gains access to one of your private PGP encryption keys then they can decrypt all the archived email that was originally sent to the associated identity. A system with forward secrecy needs a separate mechanism to save and encrypt archived messages, because the session keys are gone by design. That mechanism can't be made any more secure than a mechanism for protecting a PGP private key: if a better one were invented, you could use it to protect your PGP keys instead.

There is no practical security difference between PGP and a system providing forward secrecy for the case of message archives.

Post-Compromise

If someone gains access to one of your private PGP encryption keys, they can decrypt any intercepted email sent to the associated identity from then on. If someone gains access to a private key associated with an identity used in a forward secrecy system, they gain only the ability to impersonate you. They still don't have the shared keys you negotiate with your correspondents, so they can't decrypt passively intercepted messages.

This only holds where the access is merely a copy of your private key. If your opponent gets write access to your device, they can probably leverage that into access to your messages going forward. Gaining access to a pass-phrase protected PGP private key requires at least enough access to install a key-logger (or equivalent), which implies write access. And the ability to impersonate you would normally give them at least partial access to your discussions.

A system providing forward secrecy has a theoretical advantage in this case, but in practice the advantage would likely be minimal.

Pre-Compromise

This assumes that there is someone with enough foresight (and ability) to record your encrypted messages off the network or your email server. That message archive can be decrypted if they later gain access to your PGP private key. The same archive would have been useless against a forward secrecy supporting system, as the decryption key(s) would have been destroyed.

This is the advantage of forward secrecy.
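The two shapes this page contrasts, the temporary key that is destroyed after use described at the top and the pre-compromise scenario just above, as an added worked example. This is my code, not anything from this page or from any PGP implementation. It assumes X25519 as the key agreement (a pure-Python transcription of RFC 7748, since the standard library has none), a toy HMAC-based keystream in place of the real symmetric cipher, and leaves out the signatures a real protocol would put on the ephemeral keys; the function names (`keygen`, `pgp_style_encrypt`, `fs_session`, `demo`) and the sample plaintext are mine. A recorder captures one PGP-style message and one forward-secret session; when Bob's long-term private key later leaks, only the PGP-style message can be read.

```python
import hashlib
import hmac
import os

# X25519 (RFC 7748) in pure Python so the example needs only the standard library.
# Not constant-time; illustration only, use a real library for anything live.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

def _clamp(k):
    k &= ~7                  # clear the three low bits (cofactor)
    k &= (1 << 255) - 1      # clear bit 255
    return k | (1 << 254)    # set bit 254

def _cswap(swap, a, b):      # swap is 0 or 1
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy

def x25519(scalar, u):
    """Montgomery ladder from RFC 7748 section 5; returns the shared u-coordinate (32 bytes)."""
    k = _clamp(int.from_bytes(scalar, "little"))
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keygen():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

def derive_key(shared, label):
    return hmac.new(shared, label, hashlib.sha256).digest()

def stream_xor(key, nonce, data):
    """Toy stream cipher (HMAC-SHA256 keystream, no integrity) standing in for the real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(x ^ y for x, y in zip(data[i:i + 32], ks))
    return bytes(out)

def pgp_style_encrypt(recipient_long_term_pub, plaintext):
    """PGP shape: the sender's one-off key meets the recipient's LONG-TERM key, so whoever
    later holds the recipient's long-term private key can decrypt the recorded message."""
    eph_priv, eph_pub = keygen()
    key = derive_key(x25519(eph_priv, recipient_long_term_pub), b"pgp-style")
    nonce = os.urandom(16)
    return {"eph_pub": eph_pub, "nonce": nonce, "ct": stream_xor(key, nonce, plaintext)}

def pgp_style_decrypt(recipient_long_term_priv, msg):
    key = derive_key(x25519(recipient_long_term_priv, msg["eph_pub"]), b"pgp-style")
    return stream_xor(key, msg["nonce"], msg["ct"])

def fs_session(plaintext):
    """Forward-secret shape: both sides use fresh keys and discard them after the exchange
    (a real protocol would also sign the ephemeral public keys with the long-term keys).
    Returns (the transcript a network recorder sees, the plaintext the receiver recovered)."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    nonce = os.urandom(16)
    ct = stream_xor(derive_key(x25519(a_priv, b_pub), b"fs"), nonce, plaintext)
    recovered = stream_xor(derive_key(x25519(b_priv, a_pub), b"fs"), nonce, ct)
    del a_priv, b_priv  # the only values that could reproduce the session key
    return {"a_pub": a_pub, "b_pub": b_pub, "nonce": nonce, "ct": ct}, recovered

def demo(plaintext=b"meet at the usual place"):  # constructed sample message
    """Pre-compromise attacker: records both transcripts, later obtains Bob's long-term key."""
    bob_lt_priv, bob_lt_pub = keygen()
    recorded_pgp = pgp_style_encrypt(bob_lt_pub, plaintext)
    recorded_fs, bob_received = fs_session(plaintext)
    # Later: the PGP-style archive falls to the long-term key directly, while the
    # forward-secret transcript holds only ephemeral public values unrelated to that key,
    # so the best the attacker can do with it is derive a wrong session key.
    pgp_broken = pgp_style_decrypt(bob_lt_priv, recorded_pgp) == plaintext
    wrong_key = derive_key(x25519(bob_lt_priv, recorded_fs["a_pub"]), b"fs")
    fs_broken = stream_xor(wrong_key, recorded_fs["nonce"], recorded_fs["ct"]) == plaintext
    return {"bob_received": bob_received, "pgp_archive_broken": pgp_broken,
            "fs_archive_broken": fs_broken}

def rfc7748_check():
    """Known-answer test from RFC 7748 section 6.1, so the ladder above can be trusted."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    k = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")
    return x25519(a, x25519(b, BASEPOINT)) == k and x25519(b, x25519(a, BASEPOINT)) == k

if __name__ == "__main__":
    assert rfc7748_check()
    print(demo())
```

`demo()` reports `pgp_archive_broken: True` and `fs_archive_broken: False`. The difference is not that the forward-secret ciphertext is any stronger; it is that the recorded transcript contains only public values whose private halves no longer exist. The same code also shows the point of the Message Archives section: once `fs_session` returns, the only way for Bob to keep the plaintext is to store it under some other, long-lived key, and that storage key is exactly as exposed to theft as a PGP private key would be.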

Conclusions

Forward secrecy:

  • provides no real protection after a compromise.
  • provides no protection of archives.
  • is rendered pointless for messages that are archived.

The addition of forward secrecy to a protocol increases the complexity of that protocol. In the case of something like encrypted email, where archived messages almost always exist, it wouldn't be worth the cost even if it could somehow be provided. That is probably true for any end to end encrypted messaging application with an offline message delivery capability. Adding in the issue with message archives, we can reasonably conclude that forward secrecy is not generally something one would want in a messaging system.


pgpfan/forward_secrecy.1593960436.txt.gz · Last modified: 2020/07/05 14:47 by b.walzer