The Call of the Open Sidewalk

From a place slightly to the side of the more popular path

User Tools

Site Tools

pgpfan:forward_secrecy

This is an old revision of the document!

Forward Secrecy

The PGP protocol is sometimes criticized because it lacks a feature called forward secrecy. It goes something like this:

Some process is used to come up with a temporary key known only to you and your correspondent (e.g. Diffie–Hellman key exchange). That key is used to encrypt the message. After the message is transferred and decrypted that temporary key is destroyed. Since the key is gone the message is inaccessible. The goal is to permanently prevent access to your message after it has been transferred.

The first important point is that forward secrecy depends on the integrity of the encryption. If someone manages to break the encryption on your old messages they will still get access to them.

The second important point comes from the first. Since forward secrecy depends on the integrity of the encryption it will only be superior in the case where someone gets access to your private key information. For the end to end encryption case that will mean compromising an end device.

If someone compromises your end device then they have access to whatever you have access to. They can acquire any passwords or passphrases with a key logger. They can see what you see on the screen either at the character stream level or with screenshots. There are two important implications here:

  • They get access to any saved messages. For forward secrecy to work you must give up message archiving.
  • They get access to any transferred messages. Forward secrecy is of no value after a compromise.

Forward secrecy requires an end to end, bidirectional communications channel to establish a temporary key. So it is normally not usable with offline messaging. Adding an offline messaging capability to a system supporting forward secrecy involves creating an extra subsystem (e.g. the Signal protocol prekey system). A forward secrecy supporting system by necessity also requires a separate subsystem for message archiving. As a contrast, PGP is able to support offline messaging, online messaging and message archiving in the same simple straightforward way. So the cost of forward secrecy is either significant extra complexity or the lack of support for an important messaging mode.

In the case of something like encrypted email where archived messages almost always exist the benefit of forward secrecy is not worth the cost of the extra complexity. That is probably true for any end to end encrypted messaging application with an offline message delivery capability where messages are normally kept.

PGP FAN index

pgpfan/forward_secrecy.1594749107.txt.gz · Last modified: 2020/07/14 17:51 by b.walzer