Saturday, September 21, 2019

Forward Secrecy and Backward Secrecy

Although there are many online resources discussing these two terms, they are actually quite easy to mix up, even for me. I understood this topic a few weeks ago, but it turns out I forgot and mixed them up again.

According to [1], the story behind Forward Secrecy and Backward Secrecy is as follows:
In short, because Gunther believed that session key exposure would happen in the future, he used the word "forward" to indicate that the current session key is not compromised by "future" key leaks.

To simplify:
  • Forward Secrecy: If the current session key is exposed, the messages of previous sessions are still safe. (Even if the current session key is exposed, the data of old sessions remains safe.)
  • Backward Secrecy: If the current session key is exposed, the messages of the next session are still safe. (Even if the current session key is exposed, the data of the next session remains safe.)
Another graphical explanation from [2]:

In order to reduce confusion, the author prefers the alternative names "past/future secrecy":
  • Forward Secrecy  = Past Secrecy; the word "past" means it protects past data.
  • Backward Secrecy = Future Secrecy; the word "future" means it protects future data.

The next question would be, what algorithm can offer forward secrecy?

Hash Ratchet is a very simple algorithm offering forward secrecy only:
The hash of the current session key is used as the key of the next session. Even if an eavesdropper recovers the next session's key and decrypts its messages, he cannot easily find the previous session keys, because inverting the hash leaves many possible candidate keys (a hash function is many-to-one). Note that the reverse does not hold: anyone holding the current key can hash it forward and obtain all later keys, which is why this scheme gives no backward secrecy.

Forward secrecy alone is not enough, so Diffie-Hellman Ephemeral (DHE) is used to offer both forward and backward secrecy.

Rules of DHE:
  • Create a new shared common key in every session (ephemeral = valid only for a short period of time).
  • Use Diffie-Hellman to agree on the common key.
  • Every session is encrypted with a new common key that is unrelated to the previous session's key.
  • Even if the current session key is exposed, the next key is independent of the current one, so it is hard to find unless the eavesdropper breaks Diffie-Hellman itself.

Some protocols, such as Signal, combine the two methods above.
Largely because:

  • DHE is computationally expensive, so the DH key update is not performed very frequently. In this case, in order to protect the previous communication between DH updates, Hash Ratchet should still be used.
  • To provide extra security: even if DHE is broken, previous messages should still be protected by Hash Ratchet.
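The following is an added example, not code from the original post or from Signal, that simulates the three schemes just described: the Hash Ratchet alone, DHE alone, and the combined Signal-style chain. The group parameters are a toy 127-bit Mersenne prime with generator 5, chosen here only so the example runs offline; the function names (`ratchet`, `hash_chain`, `recoverable_indices`, `dhe_session_keys`, `combined_chain`) are assumptions of this example. The attacker model in `recoverable_indices` is an eavesdropper who has one key and can only run the hash forward, never invert it.

```python
import hashlib
import secrets

# --- Hash Ratchet (forward secrecy only) ---------------------------------

def ratchet(key: bytes) -> bytes:
    """Advance the ratchet: k_{i+1} = SHA-256(k_i). SHA-256 is many-to-one,
    so k_i cannot be recovered from k_{i+1}, but k_{i+1} is trivial from k_i."""
    return hashlib.sha256(key).digest()


def hash_chain(root: bytes, n: int) -> list[bytes]:
    """Session keys k_0 .. k_{n-1}, each the hash of the previous one."""
    keys = [root]
    for _ in range(n - 1):
        keys.append(ratchet(keys[-1]))
    return keys


def recoverable_indices(leaked: bytes, chain: list[bytes]) -> list[int]:
    """Indices of the keys in `chain` an attacker holding `leaked` can reach by
    hashing forward. Earlier keys stay safe (forward secrecy); later keys in the
    same hash chain do not (no backward secrecy)."""
    reachable = set()
    k = leaked
    for _ in range(len(chain)):
        reachable.add(k)
        k = ratchet(k)
    return [i for i, key in enumerate(chain) if key in reachable]


# --- Diffie-Hellman Ephemeral (forward and backward secrecy) -------------

# Toy group for this demonstration only (constructed, not a standard group):
# a 127-bit Mersenne prime and generator 5.
P = 2**127 - 1
G = 5


def dh_keypair() -> tuple[int, int]:
    """Fresh ephemeral key pair (x, g^x mod p); x is thrown away after use."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)


def dh_session_key(my_priv: int, peer_pub: int) -> bytes:
    """Both parties compute g^(ab) mod p and hash it into a 256-bit session key."""
    shared = pow(peer_pub, my_priv, P).to_bytes(16, "big")
    return hashlib.sha256(shared).digest()


def dhe_session_keys(n: int) -> list[bytes]:
    """n sessions, each with a brand-new DH exchange, so no key is derived
    from any other: leaking one tells the attacker nothing about the rest."""
    keys = []
    for _ in range(n):
        a, pub_a = dh_keypair()
        b, pub_b = dh_keypair()
        k_alice = dh_session_key(a, pub_b)
        k_bob = dh_session_key(b, pub_a)
        assert k_alice == k_bob  # both sides agree on the common key
        keys.append(k_alice)
    return keys


# --- Combined, Signal-style chain ----------------------------------------

def combined_chain(dh_steps: int, msgs_per_step: int) -> list[bytes]:
    """An occasional (expensive) DH step yields a fresh root key; in between,
    the cheap hash ratchet derives one key per message from that root."""
    chain = []
    for root in dhe_session_keys(dh_steps):
        chain.extend(hash_chain(root, msgs_per_step))
    return chain


if __name__ == "__main__":
    plain = hash_chain(secrets.token_bytes(32), 5)
    print("hash ratchet, key 2 leaked ->", recoverable_indices(plain[2], plain))
    combo = combined_chain(3, 4)
    print("combined, key 5 leaked   ->", recoverable_indices(combo[5], combo))
```

With the pure hash chain, leaking key 2 of 5 exposes keys 2, 3 and 4 but not 0 and 1. With the combined chain of three DH steps and four messages each, leaking key 5 exposes only keys 5, 6 and 7: the earlier messages are protected by the ratchet, and everything from the next DH step onwards is protected by the fresh exchange, which is exactly the division of labour the two bullets above describe.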

[1]: Wang, M. & Yan, Z. Mobile Netw Appl (2017) 22: 195.