[messaging] Naming and classifying a security property
trevp at trevp.net
Mon Sep 14 13:44:45 PDT 2015

On Sun, Sep 13, 2015 at 8:50 AM, Ximin Luo <infinity0 at pwned.gg> wrote:
> While I was doing an exercise on classifying and enumerating security properties, I came up with the following one:
>
> - (in: w encrypts m to r) if attacker "a" passively compromises w, they are able/unable to decrypt current (in-transit) and/or future ciphertext (i.e. "act as r")
>
> This is the encryption analog of KCI ("key compromise impersonation") which applies to authentication

Or is it the future analog of PFS, applied to post-compromise data
instead of pre-compromise?

Most people think of PFS as applying to (pre-compromise encrypted
data, confidentiality) and KCI applying to (post-compromise sessions,
authentication), but the (post-compromise encrypted data,
confidentiality) case sometimes gets included under "forward security"
and sometimes doesn't.

> Note that the former is not exactly the same as forward secrecy, which is modelled as a passive compromise on the *decryptor's* side

There's no consistent definition for "forward secrecy" or "forward
security" (and "perfect" in this context has always been meaningless).

If you're talking about "forward-secure public-key encryption", then
you're correct that it only applies to the recipient's private key,
but that's because only the recipient *has* a private key.

In mutually-authenticated key agreement, forward security or secrecy
generally refers to both parties' long-term keys.

In one-pass key agreements, works like Gorantla and Halevi/Krawczyk
have used "sender forward secrecy" or "sender's forward secrecy" to
distinguish sender from recipient compromise:

Stepping back: the terminology is sort of a mess here, and if you want
to speak about complex cases with precision, you probably just need to
spell out exactly what compromises you're considering and their

- compromise of key A enables attack B but not C
- compromise of key D enables attack E but not F