Cryptography - My notes and links


Forward Secrecy (FS) aka Perfect Forward Secrecy (PFS)

Definition

  • Forward Secrecy is a feature of specific key-agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised.
  • for HTTPS, the long-term secret is typically the private key of the server
  • Forward Secrecy protects past sessions against future compromises of keys or passwords
  • by generating a unique session key for every session a user initiates, the compromise of a single session key will not affect any data other than that exchanged in the specific session protected by that particular key
    • this by itself is not sufficient for Forward Secrecy which additionally requires that a long-term secret compromise does not affect the security of past session keys
  • if Forward Secrecy is used, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted should long-term secret keys or passwords be compromised in the future, even if the adversary actively interfered at the time, for example via a man-in-the-middle (MITM) attack
  • Forward Secrecy protects past communication
    • this reduces the motivation for attackers to compromise keys
    • for instance, if an attacker learns a long-term key
      • but the compromise is detected
      • and the long-term key is revoked and updated
      relatively little information is leaked in a forward secure system
  • Forward Secrecy typically uses an ephemeral Diffie–Hellman key exchange to prevent reading past traffic.
    • The ephemeral Diffie–Hellman key exchange is often signed by the server using a static signing key.
    • If an adversary can steal (or obtain through a court order) this static (long term) signing key, the adversary can masquerade
      • as the server to the client
      • and as the client to the server
      and implement a classic man-in-the-middle attack.

The value of Forward Secrecy depends on the assumed capabilities of an adversary :

  • Forward Secrecy has value if an adversary
    • is assumed to be able to obtain secret keys from a device (read access)
    • but is either
      • detected
      • or unable to modify the way session keys are generated in the device (full compromise)
  • In some cases an adversary who can read long-term keys from a device may also be able to modify the functioning of the session key generator

The value of Forward Secrecy is limited :

  • not only by the assumption that an adversary will attack a server by
    • only stealing keys
    • and not modifying the random number generator used by the server
  • but it is also limited by the assumption that
    • the adversary will only passively collect traffic on the communications link
    • and not be active using a man-in-the-middle attack

Example (source) :

Here's a hypothetical example of a simple instant messaging protocol that employs Forward Secrecy :
  1. Alice and Bob each generate a pair of long-term, asymmetric public and private keys
    1. then verify public-key fingerprints in person or over an already-authenticated channel.
    2. Verification establishes with confidence that the claimed owner of a public key is the actual owner.
  2. Alice and Bob use a key exchange algorithm such as Diffie-Hellman, to securely agree on an ephemeral session key.
    1. They use the keys from step 1 only to authenticate one another during this process.
  3. Alice sends Bob a message, encrypting it with a symmetric cipher using the session key negotiated in step 2.
  4. Bob decrypts Alice's message using the key negotiated in step 2.
  5. The process repeats for each new message sent :
    1. starting from step 2
    2. and switching Alice and Bob's roles as sender/receiver as appropriate
    3. step 1 is never repeated
Forward Secrecy :
  • is achieved by generating a new session key for each message
  • ensures that past communications cannot be decrypted if one of the keys generated in an iteration of step 2 is compromised, since such a key is only used to encrypt a single message
  • also ensures that past communications cannot be decrypted if the long-term private keys from step 1 are compromised
    • However, masquerading as Alice or Bob would be possible going forward if this occurred, possibly compromising all future messages.
  • if I get it right :
    • the long-term secrets are used to authenticate each other ("you are the one you pretend to be") while negotiating the session key at step 2
    • since a new session key is generated for each message :
      • if a session key is leaked, it can be used to disclose a single message only
      • no past nor future message can be read using this key
    • if Alice's long-term private key from step 1 is compromised :
      • someone can masquerade as Alice (or eavesdrop) during step 2, which means :
        • this person has access to all future session keys
        • all future messages are compromised
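The Alice/Bob protocol above, worked through as an added example (not part of the original notes). It uses X25519 (RFC 7748) written in pure Python so that it runs on the standard library alone. Two simplifications are assumptions of this example, not of the text: the ephemeral public keys are authenticated with a MAC under a key derived from the static-static Diffie-Hellman secret (Noise/X3DH style) instead of a signature, and `seal`/`open_` are an encrypt-then-MAC stand-in for a real AEAD. `stolen_key_attack` shows both halves of the argument: a recorded session stays unreadable after Alice's long-term key leaks, while a forged hello in Alice's name is accepted by Bob from then on.

```python
# Added example (not from the original notes): the Alice/Bob protocol above, with
# X25519 (RFC 7748) written in pure Python so it runs on the standard library only.
import hashlib, hmac, os

P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Variable-time Python: demonstration only."""
    kb, ub = bytearray(k), bytearray(u)
    kb[0] &= 248; kb[31] &= 127; kb[31] |= 64; ub[31] &= 127   # clamp scalar, mask u
    k_int, x1 = int.from_bytes(kb, "little"), int.from_bytes(ub, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def kdf(secret: bytes, label: bytes) -> bytes:
    """HKDF-style extract/expand with HMAC-SHA256, one 32-byte output."""
    prk = hmac.new(b"pfs-demo-salt", secret, hashlib.sha256).digest()
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()

def _keystream(key: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for an AEAD (use AES-GCM or ChaCha20-Poly1305 for real)."""
    ct = bytes(p ^ s for p, s in zip(msg, _keystream(kdf(key, b"enc"), len(msg))))
    return ct + hmac.new(kdf(key, b"mac"), ct, hashlib.sha256).digest()

def open_(key: bytes, sealed: bytes) -> bytes:
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(kdf(key, b"mac"), ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong session key or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _keystream(kdf(key, b"enc"), len(ct))))

class Party:
    def __init__(self, name: str):
        self.name = name
        self.lt_priv = os.urandom(32)                  # step 1: long-term key pair, made once;
        self.lt_pub = x25519(self.lt_priv, BASEPOINT)  # its fingerprint is checked out of band

    def hello(self, peer_lt_pub: bytes):
        """Step 2a: fresh ephemeral key, MACed under a key from the static-static DH."""
        eph_priv = os.urandom(32)
        eph_pub = x25519(eph_priv, BASEPOINT)
        auth_key = kdf(x25519(self.lt_priv, peer_lt_pub), b"auth")
        return eph_priv, eph_pub + hmac.new(auth_key, self.lt_pub + eph_pub, hashlib.sha256).digest()

    def session_key(self, peer_lt_pub: bytes, eph_priv: bytes, peer_hello: bytes) -> bytes:
        """Step 2b: authenticate the peer, then derive the key from the ephemerals only."""
        peer_eph_pub, tag = peer_hello[:32], peer_hello[32:]
        auth_key = kdf(x25519(self.lt_priv, peer_lt_pub), b"auth")
        expected = hmac.new(auth_key, peer_lt_pub + peer_eph_pub, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"{self.name}: peer authentication failed")
        return kdf(x25519(eph_priv, peer_eph_pub), b"session")   # long-term keys not involved

def exchange(alice: Party, bob: Party, message: bytes):
    """Steps 2-4 for one message: returns both session keys and what the wire shows."""
    a_eph, a_hello = alice.hello(bob.lt_pub)
    b_eph, b_hello = bob.hello(alice.lt_pub)
    k_alice = alice.session_key(bob.lt_pub, a_eph, b_hello)
    k_bob = bob.session_key(alice.lt_pub, b_eph, a_hello)
    del a_eph, b_eph                          # ephemeral secrets are gone from here on
    return k_alice, k_bob, (a_hello, b_hello, seal(k_alice, message))

def _accepted(fn, *args) -> bool:
    try:
        fn(*args)
        return True
    except ValueError:
        return False

def stolen_key_attack(recording, alice: Party, bob: Party):
    """Adversary who taped the wire, then steals Alice's long-term private key.
    Returns (past_message_recovered, forged_hello_accepted_by_bob)."""
    a_hello, b_hello, sealed = recording
    # Past traffic: the only DH the thief can compute mixes the stolen static key with a
    # recorded public ephemeral. That is not the session key, so the tag check fails.
    recovered = _accepted(open_, kdf(x25519(alice.lt_priv, b_hello[:32]), b"session"), sealed)
    # Future traffic: the stolen key reproduces the authentication key, so a hello in
    # Alice's name passes Bob's check: the man-in-the-middle position is now available.
    auth_key = kdf(x25519(alice.lt_priv, bob.lt_pub), b"auth")
    mitm_pub = x25519(os.urandom(32), BASEPOINT)
    forged = mitm_pub + hmac.new(auth_key, alice.lt_pub + mitm_pub, hashlib.sha256).digest()
    b_eph, _ = bob.hello(alice.lt_pub)
    return recovered, _accepted(bob.session_key, alice.lt_pub, b_eph, forged)
```

Usage: `k_a, k_b, tape = exchange(Party("Alice"), Party("Bob"), b"meet at noon")` gives two equal session keys and the eavesdropper's recording; `stolen_key_attack(tape, alice, bob)` then returns `(False, True)`. Note the asymmetry that the notes describe: what protects the recording is only that the ephemeral private keys were discarded, so a server that logs them, or whose random number generator was tampered with, has no forward secrecy regardless of the cipher suite.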

    Session Key

    A session key is a single-use symmetric key used for encrypting all messages in one communication session.

    Primary reasons to use session keys :

    • several cryptanalytic attacks become easier the more material encrypted with a specific key is available
      by limiting the amount of data processed using a particular key, those attacks are rendered harder to perform
    • asymmetric encryption is too slow for many purposes, and all secret key algorithms (aka symmetric algorithms) require that the key is securely distributed
      by using an asymmetric algorithm to encrypt the secret key for another, faster, symmetric algorithm, it's possible to improve overall performance considerably
    Like all cryptographic keys, session keys must be chosen so that they cannot be predicted by an attacker, usually requiring them to be chosen randomly. Failure to choose session keys (or any key) properly is a major (and too common in actual practice) design flaw in any crypto system.

    Glossary of cryptography

    AEAD
    authenticated encryption (AE)
    • encryption scheme that simultaneously assures the confidentiality and the authenticity of the data
    • many (but not all) AE schemes allow the message to carry associated data (AD), which is not made confidential but whose integrity is protected (i.e. it is readable, but tampering with it will be detected). Such schemes are known as AEAD (authenticated encryption with associated data).
    • example : GCM
    authenticity / integrity
    property that a message has not been modified while in transit and that the receiving party can verify the source of the message
    block
    fixed-length group of bits on which a block cipher operates
    block cipher
    cipher that operates on a block
    CBC ciphers
    expression referring to ciphers that perform encryption in CBC mode
    cipher
    algorithm used to encrypt / decrypt
    cipher block chaining (CBC)
    in this mode of operation, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point. To make each message unique, an initialization vector must be used in the first block.
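An added example (not from the original notes) that writes out the CBC mode described in this entry, the role of the IV, and the two failure modes a practitioner should remember: reusing an IV under the same key leaks equal plaintext prefixes, and without a MAC the ciphertext is malleable. The block cipher is a stand-in 4-round Feistel network keyed with HMAC-SHA256 so the code runs on the standard library alone; it is not a real cipher, use AES from a library in practice. KEY and IV are constructed demo values.

```python
# Added example (not from the original notes): CBC mode written out over a
# stand-in block cipher, so it runs on the standard library only.
import hashlib, hmac

BLOCK = 16
ROUNDS = 4
KEY = bytes(range(16))            # constructed demo key
IV = bytes(range(100, 116))       # constructed demo IV; must be fresh per message in practice

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, r: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit Feistel network with HMAC-SHA256 round functions. Invertible, so
    CBC can decrypt, but NOT a real cipher: use AES from a library in practice."""
    left, right = block[:8], block[8:]
    for r in range(ROUNDS):
        left, right = right, xor(left, _round(key, r, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):
        left, right = xor(right, _round(key, r, left)), left
    return left + right

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK                  # PKCS#7: always at least one byte
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_i = E(P_i XOR C_(i-1)) with C_0 = IV: every block depends on all before it."""
    padded, prev, out = pad(plaintext), iv, []
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = D(C_i) XOR C_(i-1): a bit flipped in C_(i-1) (or in the IV) flips the same
    bit in P_i, which is why CBC needs a MAC on top, or an AEAD mode instead."""
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(xor(block_decrypt(key, cur), prev))
        prev = cur
    return unpad(b"".join(out))

def iv_reuse_leaks_prefix(key: bytes, iv: bytes, m1: bytes, m2: bytes) -> bool:
    """Same key and same IV: messages with an equal first block produce an equal first
    ciphertext block, which anyone on the wire can see."""
    return cbc_encrypt(key, iv, m1)[:BLOCK] == cbc_encrypt(key, iv, m2)[:BLOCK]

def flip_iv_byte(iv: bytes, index: int, mask: int) -> bytes:
    """Attacker's edit: with no integrity check, decrypting under this IV yields a
    plaintext whose byte at `index` is XORed with `mask`."""
    edited = bytearray(iv)
    edited[index] ^= mask
    return bytes(edited)

if __name__ == "__main__":
    ct = cbc_encrypt(KEY, IV, b"amount=0100;to=bob")
    print(cbc_decrypt(KEY, IV, ct))                              # b'amount=0100;to=bob'
    print(cbc_decrypt(KEY, flip_iv_byte(IV, 7, 0x01), ct))       # b'amount=1100;to=bob'
```

The last line is the classic CBC malleability: flipping one bit of the IV turns the amount from 0100 into 1100 and the padding check still passes, because only the first plaintext block is affected. This is why the glossary's AEAD entry matters: confidentiality alone does not stop an active attacker.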
    confidentiality / privacy
    the encrypted message cannot be understood without knowledge of the secret key
    counter mode
    elliptic-curve cryptography (ECC)
    forward secrecy (FS) aka perfect forward secrecy (PFS)
    see the dedicated article
    Galois/Counter Mode (GCM)
    Initialization Vector (IV)
    input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom, but sometimes an IV only needs to be unpredictable or unique.
    mode of operation
    algorithm that describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block
    nonce
    • an arbitrary number that can be used just once in a cryptographic communication
    • It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks (related : session key and Forward Secrecy).
    • They can also be useful as initialization vectors and in cryptographic hash functions.
    public-key cryptography aka asymmetric cryptography
    • field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key.
    • related : Symmetric-key algorithm
    session key
    see the dedicated article
    stream cipher
    symmetric-key cipher where
    • plaintext digits are combined with a pseudorandom cipher digit stream (keystream)
    • each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream
    The Vigenère cipher, which combines each plaintext letter with the corresponding letter of a repeating key, is the classical ancestor of this family
    symmetric-key algorithm