
Forward secrecy

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by DavidJablon (talk | contribs) at 02:30, 8 July 2005. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.


In an authenticated key agreement protocol that uses public key cryptography, perfect forward secrecy (or PFS) is the property that disclosure of the long-term secret keying material that is used to derive an agreed ephemeral key does not compromise the secrecy of agreed keys from earlier runs.

PFS is also known as forward secrecy (3), since the term perfect has been controversial in this context.

PFS has also been defined (4) to encompass the additional property that an agreed key will not be compromised even if agreed keys derived from the same long-lived keying material in a subsequent run are compromised.

History

PFS was originally introduced (1) by Diffie, van Oorschot, and Wiener and used to describe a property of the Station-to-Station protocol, where the long-term secrets are private keys. It is a property that requires the use of public key cryptography; purely symmetric cryptographic systems do not have PFS.

PFS has also been used (2) to describe the analogous property of password-authenticated key agreement protocols where the long-term secret is a (shared) password.
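A minimal model of the property defined above, and of the remark that purely symmetric systems lack it, added here as an illustration and not taken from the cited papers: a recorded run is re-derived after the long-term secret is disclosed. The toy group, the HMAC tags standing in for Station-to-Station signatures, and all function names are assumptions of this example.

```python
import hashlib, hmac, secrets

# Constructed toy group for illustration only (Mersenne prime, generator 3);
# real protocols use standardized groups or elliptic curves.
P, G = 2**521 - 1, 3

def enc(n: int) -> bytes:
    return n.to_bytes(66, "big")          # fixed-width encoding of a group element

def kdf(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for part in parts:                     # length-prefix to keep inputs unambiguous
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def mac(key: bytes, role: bytes, first: int, second: int) -> bytes:
    return hmac.new(key, role + enc(first) + enc(second), hashlib.sha256).digest()

def symmetric_run(long_term: bytes):
    """Purely symmetric: the key is a function of long_term and public nonces."""
    na, nb = secrets.token_bytes(16), secrets.token_bytes(16)
    return {"na": na, "nb": nb}, kdf(long_term, na, nb)

def ephemeral_dh_run(long_term: bytes):
    """long_term only authenticates; the key comes from discarded exponents."""
    x, y = (secrets.randbelow(P - 3) + 2 for _ in range(2))
    gx, gy = pow(G, x, P), pow(G, y, P)
    transcript = {"gx": gx, "gy": gy,
                  "tag_a": mac(long_term, b"A", gx, gy),
                  "tag_b": mac(long_term, b"B", gy, gx)}
    key_a, key_b = kdf(enc(pow(gy, x, P))), kdf(enc(pow(gx, y, P)))
    assert key_a == key_b                  # both parties agree on the key
    return transcript, key_a               # x and y go out of scope here

def tags_verify(long_term: bytes, t: dict) -> bool:
    return (hmac.compare_digest(t["tag_a"], mac(long_term, b"A", t["gx"], t["gy"]))
            and hmac.compare_digest(t["tag_b"], mac(long_term, b"B", t["gy"], t["gx"])))

def recompute_from_disclosure(long_term: bytes, t: dict) -> bytes:
    """A derivation using only the disclosed key and the recorded public values."""
    public = [v if isinstance(v, bytes) else enc(v)
              for name, v in sorted(t.items()) if not name.startswith("tag")]
    return kdf(long_term, *public)
```

For the symmetric run the recomputed value equals the session key; for the ephemeral run the disclosed secret still verifies the tags, but the agreed key depends on exponents that no longer exist.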

References

1. W. Diffie, P.C. van Oorschot & M. Wiener. Authentication and Authenticated Key Exchanges. Designs, Codes and Cryptography, 2, 107-125, 1992.

2. D. Jablon. Strong Password-Only Authenticated Key Exchange. Computer Communication Review, ACM SIGCOMM, vol. 26, no. 5, pp. 5-26, October 1996.

3. IEEE 1363-2000: IEEE Standard Specifications For Public Key Cryptography. Institute of Electrical and Electronics Engineers, 2000. http://standards.ieee.org

4. Telecom Glossary 2000, T1 523-2001, Alliance of Telecommunications Industry Solutions (ATIS) Committee T1A1. http://www.atis.org/tg2k/_perfect_forward_secrecy.html