As further precedent, [JV96] provides a definition and rationale for FS in preference to PFS:
"A key agreement protocol provides *forward secrecy* (perfect forward secrecy in [7] and [9]) if the loss of any long-term secret keying material does not allow the compromise of keys from previously wire-tapped sessions. Since *perfect* usually makes reference to information theory, we avoid it here." [JV96] M. Just and S. Vaudenay, "Authenticated multi-partykey agreement, " in Advances in Cryptology -- EUROCRYPT '96, U. Maurer, Ed. 1996, number 1070 in Lecture Notes in Computer Science, Springer-Verlag, Berlin Germany. [7] = [DOW92], [9] = [Gun90] Using this definition for a password-authenticated KAP, the password is considered "long-term secret keying material". At 10:03 AM 11/19/01 -0500, David Jablon wrote: >[Std1363] defines "forward secrecy" as the property that: > > "... prevents a passive opponent who merely recorded past communications > encrypted with the shared secret keys from decrypting them some time in > the future by compromising the parties� cryptographic state." > >To support its definition of "two party forward secrecy", [Std1363] cites [Gun90] >and [DOW92], the latter of which used (or introduced?) the modifier "perfect". > >Anonymous asks: >> Can someone better explain how the "forward security" found in >> EKE/DH-EKE/SPEKE works? > >In the context of password-based key agreement schemes, the term "perfect >forward secrecy" was used in [Jab96] to refer to the integrity of prior recorded >communications in the face of a disclosure of the password. This fits (at least) >the Std1363 definition, as the password is part of the parties' cryptographic >state. > >Anonymous asks: >> Is it the same for each EKE variant, or does it >> work differently for each? > >The same basic [perfect] foward secrecy property is provided in each of >these schemes, as well as several others. > > >At 08:10 PM 11/18/01 -0800, Paul Krumviede wrote: >>--On Sunday, 18 November, 2001 12:30 -0800 AARG!Anonymous <[EMAIL PROTECTED]> wrote: >> >>>Hi All, >>> >>>I have recently been reading about password-based authentication schemes, >>>especially EKE and its variants. The papers I've read on EKE, DH-EKE, >>>and SPEKE all refer to their "perfect forward security," though I have >>>been unable to find a formal definition of this property, or any >>>detailed explanation of what this really means. >> >>rfc 2828 has a discussion of this, but mentions that "this is to be a muddled >>area." > >Unfortunately, RFC2828 itself may be seen as good source of the muddle >regarding the term, in it's yet-another-definition of "public-key forward secrecy". > > >References > >[DOW92] W. Diffie, P. C. van Oorschot and M. J. Wiener, "Authentication and >authenticated key exchanges," Designs, Codes and Cryptography 2 (1992), pp. 107-125. > >[Gun90] C. G. Gunther, "An identity-based key-exchange protocol," J.-J. Quisquater >and J. Vandewalle, editors, Advances in Cryptology - EUROCRYPT '89, Lecture Notes in >Computer Science 434 (1990), Springer-Verlag, pp. 29-37. > >[Jab96] D. Jablon, "Strong Password-Only Authenticated Key Exchange", Computer >Communication Review, ACM SIGCOMM, vol. 26, no. 5, pp. 5-26, October 1996. > >[Std1363] IEEE Std 1363-2000, Standard Specifications for Public Key Cryptography, >IEEE, August 2000, buried in annex D.5.1.7. > > > > > >--------------------------------------------------------------------- >The Cryptography Mailing List >Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED] --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
