Anonymous asks:
> I have recently been reading about password-based authentication schemes,
> especially EKE and its variants. The papers I've read on EKE, DH-EKE, and
> SPEKE all refer to their "perfect forward security," though I have been
> unable to find a formal definition of this property, or any detailed
> explanation of what this really means. Does the "forward security" refer
> to the fact that if Eve knows a "K" Alice and Bob used two weeks ago, she
> cannot assume either of their identities for a current transaction? Or
> does it mean that even if Eve knows the current "K" in use by Alice and
> Bob's session, she cannot impersonate either of them? Or does it mean
> something else?
>
> Can someone better explain how the "forward security" found in
> EKE/DH-EKE/SPEKE works? Is it the same for each EKE variant, or does it
> work differently for each?

When a definition was sought in May 2000 it drew the reply:

From: Jerome Etienne <jetienne arobas.net>

> On Thu, May 04, 2000 at 09:40:14AM -0400, Arnold G. Reinhold wrote:
> > Can anyone point me to a good definition of "Perfect Forward Security"?
> In rfc2408 section 1.6.1 about ike, you can find one for perfect forward
> secrecy. Up to you to decide how relevant and good it is.
> " Perfect Forward Secrecy: As described in [DOW92], an authenticated
> key exchange protocol provides perfect forward secrecy if disclosure
> of longterm secret keying material does not compromise the secrecy of
> the exchanged keys from previous communications. The property of
> perfect forward secrecy does not apply to key exchange without
> authentication."
> [DOW92] Diffie, W., M.Wiener, P. Van Oorschot, Authentication and
>         Authenticated Key Exchanges, Designs, Codes, and
>         Cryptography, 2, 107-125, Kluwer Academic Publishers,
>         1992.

Destroying Diffie-Hellman key parameters gets you computational secrecy; not information-theoretic secrecy.

An expired ID I have stored "Using the SRP protocol as a key exchange method in Secure Shell" makes no mention of PFS.

-- 
##############################################################
# Antonomasia   ant notatla.demon.co.uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
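
The quoted RFC 2408 definition and the closing remark about computational secrecy can be put side by side in code; this is an added example, not part of the original post, and it is not EKE, SPEKE or SRP. The function names, the 16-bit toy group and the HMAC-based authentication are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Toy group, constructed for this example: small enough to brute-force on purpose.
P, G = 65537, 3

def kdf(shared: int) -> bytes:
    return hashlib.sha256(b"%d" % shared).digest()

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def static_session(long_term: bytes):
    """No forward secrecy: the session key depends only on the long-term
    secret and on nonces that cross the wire in the clear."""
    na, nb = secrets.token_bytes(8), secrets.token_bytes(8)
    return {"na": na, "nb": nb}, mac(long_term, na + nb)

def dh_session(long_term: bytes):
    """Ephemeral Diffie-Hellman; the long-term secret only authenticates."""
    x, y = (secrets.randbelow(P - 2) + 1 for _ in range(2))
    gx, gy = pow(G, x, P), pow(G, y, P)
    tag = mac(long_term, b"%d|%d" % (gx, gy))
    key = kdf(pow(gy, x, P))   # long_term is not an input to the key
    del x, y                   # both sides discard their exponents
    return {"gx": gx, "gy": gy, "tag": tag}, key

def recover_static(transcript, long_term: bytes) -> bytes:
    """Later disclosure of the long-term secret reopens the recorded session."""
    return mac(long_term, transcript["na"] + transcript["nb"])

def brute_force_dh(transcript) -> bytes:
    """Secrecy is computational: with no long-term secret and the exponents
    gone, solving the discrete log of gx still yields the key. Feasible only
    because P is tiny; in a real group this search is infeasible."""
    acc = 1
    for x in range(1, P):
        acc = acc * G % P
        if acc == transcript["gx"]:
            return kdf(pow(transcript["gy"], x, P))
    raise ValueError("gx is not a power of G")

if __name__ == "__main__":
    lt = b"long-term secret (constructed)"
    t1, k1 = static_session(lt)
    t2, k2 = dh_session(lt)
    print("static key recovered with long-term secret:", recover_static(t1, lt) == k1)
    print("DH key recovered by toy-group brute force:", brute_force_dh(t2) == k2)
```
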
