===========来自网友===========

“前向安全性”应当是叫做“forward security”。该定义最早是由Mihir Bellare和Sara K. Miner在 CRYPTO’99上提出的关于数字签名的性质[1]。
而“perfect forward secrecy”则是由Christoph G. Günther在EUROCRYPT ’89提出的,其最初用于定义会话密钥交换协议的一种安全性[2]。

(Perfect)Forward secrecy的大致意思是:用来产生会话密钥(session key)的长期密钥(long-term key)泄露出去,不会造成之前通讯时使用的会话密钥(session key)的泄露,也就不会暴漏以前的通讯内容。简单的说,当你丢了这个long-term key之后,你以后的行为的安全性无法保证,但是你之前的行为是保证安全的。
之所以Perfect加上括号,是因为这个词蕴含了无条件安全的性质,大部分的forward secrecy方案是无法达到Perfect的。
而forward security的保证的是:敌手获取到了你当前的密钥,但是也无法成功伪造一个过去的签名。

简单的说,这两个概念是用在不同的环境中,但是其意图是一样的:保证密钥丢失之前的消息安全性或签名的不可伪造性。
一般而言,满足Forward secrecy或者forward security的公钥环境下的(签名、密钥交换或加密)方案,其公钥是固定的,而密钥则随着时间进行更新。这个更新过程是单向的,因此也就保证了拿到当前的密钥,是无法恢复出以前的密钥,从而保证了“前向安全”。

与之相对应的还有“后向安全( backward secrecy或security)”的概念,不过这个概念研究的比较少,题主有兴趣可以自行查找该概念。

参考文献:
[1] Bellare, Mihir, and Sara K. Miner. "A forward-secure digital signature scheme." Advances in Cryptology—Crypto’99. Springer Berlin Heidelberg, 1999.
[2] Günther, Christoph G. "An identity-based key-exchange protocol." Advances in Cryptology—Eurocrypt’89. Springer Berlin Heidelberg, 1989.

===========维基百科===========

中文翻译在这里http://blog.csdn.net/gufachongyang02/article/details/53392842

Forward secrecy

From Wikipedia, the free encyclopedia
 
 

In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a property of secure communication protocols in which compromise of long-term keys does not compromise past session keys. Forward secrecy protects past sessions against future compromises of secret keys or passwords. If forward secrecy is used, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted should long-term secret keys or passwords be compromised in the future, even if the adversary actively interfered.

History[edit]

The term "perfect forward secrecy" was coined by C. G. Günther in 1990 and further discussed by Whitfield DiffiePaul van Oorschot, and Michael James Wiener in 1992[1] where it was used to describe a property of the Station-to-Station protocol.[2]

Forward secrecy has also been used to describe the analogous property of password-authenticated key agreement protocols where the long-term secret is a (shared) password.[3]

Annex D.5.1 of IEEE 1363-2000 discusses the related one-party and two-party forward secrecy properties of various standard key agreement schemes (for two-party forward secrecy properties compare below 2WIPFS: "2-Way-Instant-Perfect-Forward-Secrecy").

Forward secrecy[edit]

A public-key system has the property of forward secrecy if it generates one random secret key per session to complete a key agreement, without using a deterministic algorithm. This means that the compromise of one message cannot compromise others as well, and there is no one secret value whose acquisition would compromise multiple messages. This is not to be confused with the perfect secrecy demonstrated by one-time pads: when it is used properly, the one-time pad involves multiple parties agreeing on a set of disposable keys by communicating it fully in private—without a formalized key agreement system—and then using each key for one message only.

Attacks[edit]

Forward secrecy is designed to prevent the compromise of a long-term secret key from affecting the confidentiality of past conversations. However, forward secrecy cannot defend against a successful cryptanalysis of the underlying ciphers being used, since a cryptanalysis consists of finding a way to decrypt an encrypted message without the key, and forward secrecy only protects keys, not the ciphers themselves. A patient attacker can capture a conversation whose confidentiality is protected through the use of public-key cryptography and wait until the underlying cipher is broken (e.g. large quantum computers could be created which allow the discrete logarithm problem to be computed quickly). This would allow the recovery of old plaintexts even in a system employing forward secrecy.

Weak perfect forward secrecy[edit]

Weak perfect forward secrecy (wPFS) is the weaker property whereby when agents' long-term keys are compromised, the secrecy of previously established session-keys is guaranteed, but only for sessions in which the adversary did not actively interfere. This new notion, and the distinction between this and forward secrecy was introduced by Hugo Krawczyk in 2005.[4][5] This weaker definition implicitly requires that full (perfect) forward secrecy maintains the secrecy of previously established session keys even in sessions where the adversary did actively interfere, or attempted to act as a man in the middle.

Protocols[edit]

This section relies too much on references to primary sources. Please improve this section by adding secondary or tertiary sources(December 2015) (Learn how and when to remove this template message)

Forward secrecy is present in several major protocol implementations, such as SSH and as an optional feature in IPsec (RFC 2412). Off-the-Record Messaging, a cryptography protocol and library for many instant messaging clients, provides forward secrecy as well as deniable encryption.

In Transport Layer Security (TLS), Diffie–Hellman key exchange-based PFSs (DHE-RSA, DHE-DSA) and elliptic curve Diffie–Hellman-based PFSs (ECDHE-RSA, ECDHE-ECDSA) are available. In theory, TLS can choose appropriate ciphers since SSLv3, but in everyday practice many implementations have refused to offer forward secrecy or only provide it with very low encryption grade.[6]

OpenSSL supports forward secrecy using elliptic curve Diffie–Hellman since version 1.0,[7] with a computational overhead of approximately 15%.[8]

The Signal Protocol uses the Double Ratchet Algorithm to provide forward secrecy.[9] The protocol was developed by Open Whisper Systems in 2013[10] and was first introduced in theSignal app in February 2014.[11] It has since been implemented into WhatsAppFacebook Messenger, and Google Allo, encrypting the conversations of "more than a billion people worldwide".[12]

On the other hand, among popular protocols currently in use, WPA doesn't support forward secrecy.

Use[edit]

Forward secrecy is seen as an important security feature by several large Internet information providers. Since late 2011, Google provided forward secrecy with TLS by default to users of its Gmail service, Google Docs service, and encrypted search services.[7] Since November 2013, Twitter provided forward secrecy with TLS to its users.[13] Wikis hosted by theWikimedia Foundation have all provided forward secrecy to users since July 2014.[14]

Facebook reported as part of an investigation into email encryption that, as of May 2014, 74% of hosts that support STARTTLS also provide Forward Secrecy.[15] As of June 2016, 51.9% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to modern web browsers.[16]

At WWDC 2016, Apple announced that all iOS apps would need to use "ATS" (App Transport Security), a feature which enforces the use of HTTPS transmission. Specifically, ATS requires the use of an encryption cipher that provides forward secrecy.[17] ATS became mandatory for apps on Jan 1st, 2017.[18]

See also[edit]

References[edit]

  1. Menzies, Alfred; van Oorscot, Paul C.; Vanstone, SCOTT (1997). Handbook of Applied Cryptography. CRC Pres.ISBN 0-8493-8523-7.
  2. Diffie, Whitfield; van Oorschot, Paul C.; Wiener, Michael J. (June 1992). "Authentication and Authenticated Key Exchanges" (PDF). Designs, Codes and Cryptography2(2): 107–125. doi:10.1007/BF00124891. Retrieved2013-09-07.
  3. Jablon, David P. (October 1996). "Strong Password-Only Authenticated Key Exchange". ACM Computer Communication Review26 (5): 5–26.CiteSeerX 10.1.1.81.2594.doi:10.1145/242896.242897.
  4. Krawczyk, Hugo (2005). HMQV: A High-Performance Secure Diffie-Hellman Protocol. Advances in Cryptology – CRYPTO 2005. Lecture Notes in Computer Science. 3621. pp. 546–566. ISBN 978-3-540-28114-6.doi:10.1007/11535218_33.
  5. Cremers, Cas; Feltz, Michèle (2015). "Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal" (PDF). Designs, Codes and Cryptography. Springer US. 74 (1): 183–218.doi:10.1007/s10623-013-9852-1. Retrieved 8 December2015.
  6. Discussion on the TLS mailing list in October 2007
  7. a b "Protecting data for the long term with forward secrecy". Retrieved 2012-11-05.
  8. Vincent Bernat. "SSL/TLS & Perfect Forward Secrecy". Retrieved 2012-11-05.
  9. Unger, Nik; Dechand, Sergej; Bonneau, Joseph; Fahl, Sascha; Perl, Henning; Goldberg, Ian; Smith, Matthew (17–21 May 2015). "SoK: Secure Messaging" (PDF). 2015 IEEE Symposium on Security and Privacy. San Jose, CA: Institute of Electrical and Electronics Engineers: 241.doi:10.1109/SP.2015.22. Retrieved 4 December 2015.
  10. Ermoshina, Ksenia; Musiani, Francesca; Halpin, Harry (September 2016). "End-to-End Encrypted Messaging Protocols: An Overview". In Bagnoli, Franco; et al.Internet Science. INSCI 2016. Florence, Italy: Springer. pp. 244–254. ISBN 978-3-319-45982-0doi:10.1007/978-3-319-45982-0_22.
  11. Donohue, Brian (24 February 2014). "TextSecure Sheds SMS in Latest Version"Threatpost. Retrieved 14 July2016.
  12. "Moxie Marlinspike - 40 under 40"Fortune. Time Inc. 2016. Retrieved 22 September 2016.
  13. Hoffman-Andrews, Jacob. "Forward Secrecy at Twitter".Twitter. Twitter. Retrieved 25 November 2013.
  14. "Tech/News/2014/27 - Meta"Wikimedia Foundation. 2014-06-30. Retrieved 30 June 2014.
  15. "The Current State of SMTP STARTTLS Deployment". Retrieved 7 June 2014.
  16. As of June 2, 2016. "SSL Pulse: Survey of the SSL Implementation of the Most Popular Web Sites". Retrieved 2016-06-17.
  17. https://developer.apple.com/library/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html#//apple_ref/doc/uid/TP40016198-SW14
  18. "App Transport Security REQUIRED January 2017 | Apple Developer Forums"forums.developer.apple.com. Retrieved 2016-10-20.

External links[edit]

[hide]

Protocols and technologies
Public-key infrastructure
See also
History
Implementations
Notaries
Vulnerabilities
 
Theory
Cipher
Protocol
Implementation

完美前向保密PFS的更多相关文章

  1. SSL/TLS 协议运行机制概述(二)

    SSL/TLS 协议运行机制概述(二) 在SSL/TLS 协议运行机制概述(一)中介绍了TLS 1.2 的运行机制,现在我们来看年 TLS 1.3 的运行机制.会涉及到SSL/TLS 协议运行机制概述 ...

  2. 【OWASP TOP10】2021年常见web安全漏洞TOP10排行

    [2021]常见web安全漏洞TOP10排行 应用程序安全风险 攻击者可以通过应用程序中许多的不同的路径方式去危害企业业务.每种路径方法都代表了一种风险,这些风险都值得关注. 什么是 OWASP TO ...

  3. 写给开发人员的实用密码学(三)—— MAC 与密钥派生函数 KDF

    目录 一.MAC 消息认证码 MAC 与哈希函数.数字签名的区别 MAC 的应用 1. 验证消息的真实性.完整性 2. AE 认证加密 - Authenticated encryption 3. 基于 ...

  4. 写给开发人员的实用密码学(七)—— 非对称密钥加密算法 RSA/ECC

    本文部分内容翻译自 Practical-Cryptography-for-Developers-Book,笔者补充了密码学历史以及 openssl 命令示例,并重写了 RSA/ECC 算法原理.代码示 ...

  5. 配置HTTPS加密的快速参考指南

    Nginx ssl_protocols TLSv1 TLSv1.1 TLSv1.2 阿帕奇 SSLProtocol All -SSLv2 -SSLv3 密码套房 选择密码套件可能很困难,它们的名称可能 ...

  6. 以太坊RLPx传输协议

    本文主要内容翻译自:The RLPx Transport Protocol,其中添加了一些个人的理解,由于密码学水平有限,不正确之处望指正.另外原文可能已经更新,最新内容请直接阅读原文. 本文档定义了 ...

  7. 读书笔记_python网络编程3(6)

    6.TLS/SSL 6.0. 传输层安全协议(TLS, Transport Layer Security)是如今web上应用最广泛的加密方法了,1999年成为互联网标准.前身是安全套接层(SSL, S ...

  8. AWS 数据传输加速(八)

    AWS CloudFront 概述 一个CDN服务,加快网页和其它下载全球分布式网络缓存服务器 CloudFront通过全球性的边缘站点将内容缓存到世界各地实现CDN 在更邻近的位置提供更低的延迟,更 ...

  9. SSL/TLS 协议运行机制概述(一)

    SSL/TLS 协议运行机制概述(一) SSL/TLS 发展史 1994年,NetScape 设计了SSL协议(Secure Sockets Layer) 1.0,未正式发布 1995年,NetSca ...

随机推荐

  1. 【python】-- IO多路复用(select、poll、epoll)介绍及实现

    IO多路复用(select.poll.epoll)介绍及select.epoll的实现 IO多路复用中包括 select.pool.epoll,这些都属于同步,还不属于异步 一.IO多路复用介绍 1. ...

  2. 【题解】POJ2279 Mr.Young′s Picture Permutations dp

    [题解]POJ2279 Mr.Young′s Picture Permutations dp 钦定从小往大放,然后直接dp. \(dp(t1,t2,t3,t4,t5)\)代表每一行多少人,判断边界就能 ...

  3. 聊聊数据库~6.SQL运维中篇

    上篇回顾:https://www.cnblogs.com/dotnetcrazy/p/10810798.html#top 1.6.5.MySQL日志相关 本文的测试环境:MySQL5.7.26.Mar ...

  4. Windows下重置MySQL密码(最开始是因为Access denied for user 'root'@'localhost'这个原因,无法登陆 'root'@'localhost')

    本人使用的MySQL5.5,其他版本未测试过. 方法一: 更改密码: mysql -u root -p Enter password:*** mysql>use mysql; 选择数据库 Dat ...

  5. xutils3文件上传、下载、get、post请求

    @ContentView(R.layout.activity_xutils3_net) public class XUtils3NetActivity extends Activity { @View ...

  6. HDU - 1176 免费馅饼 【DP】

    题目链接 http://acm.hdu.edu.cn/showproblem.php?pid=1176 思路 因为刚开始的起点是固定的 但是终点不是固定的 所以我们可以从终点往起点推 dp[i][j] ...

  7. c的详细学习(11)文件

    为了提高数据输入/输出的处理效率,可以将程序运行时所需要的原始数据从文件中读取,并将程序运行的结果写入到文件中.     (1)文件概述     1)基本概念 文件是指存储在外部介质上数据的集合,可以 ...

  8. spring boot项目使用swagger-codegen生成服务间调用的jar包

    swagger-codegen的github:https://github.com/swagger-api/swagger-codegen 需要的环境:jdk > 1.7   maven > ...

  9. [原创]java WEB学习笔记15:域对象的属性操作(pageContext,request,session,application) 及 请求的重定向和转发

    本博客为原创:综合 尚硅谷(http://www.atguigu.com)的系统教程(深表感谢)和 网络上的现有资源(博客,文档,图书等),资源的出处我会标明 本博客的目的:①总结自己的学习过程,相当 ...

  10. python有哪些关键字?让他自己“吐”出来!

    通过调用库来输出!for循环控制! 源代码: import keyword c = 0 for i in keyword.kwlist: print(i) c += 1 代码截图: 哈哈,关键字: F ...