[messaging] Naming and classifying a security property

Trevor Perrin trevp at trevp.net
Mon Sep 14 13:44:45 PDT 2015


On Sun, Sep 13, 2015 at 8:50 AM, Ximin Luo <infinity0 at pwned.gg> wrote:
> While I was doing an exercise on classifying and enumerating security properties, I came up with the following one:
>
> - (in: w encrypts m to r) if attacker "a" passively compromises w, they are able/unable to decrypt current (in-transit) and/or future ciphertext (i.e. "act as r")
>
> This is the encryption analog of KCI ("key compromise impersonation") which applies to authentication

Or is it the future analog of PFS, applied to post-compromise data
instead of pre-compromise?

Most people think of PFS as applying to (pre-compromise encrypted
data, confidentiality) and KCI applying to (post-compromise sessions,
authentication), but the (post-compromise encrypted data,
confidentiality) case sometimes gets included under "forward security"
and sometimes doesn't.


> Note that the former is not exactly the same as forward secrecy, which is modelled as a passive compromise on the *decryptor's* side

There's no consistent definition for "forward secrecy" or "forward
security" (and "perfect" in this context has always been meaningless).

If you're talking about "forward-secure public-key encryption", then
you're correct that it only applies to the recipient's private key,
but that's because only the recipient *has* a private key.

In mutually-authenticated key agreement, forward security or secrecy
generally refers to both parties' long-term keys.

In one-pass key agreements, works like Gorantla and Halevi/Krawczyk
have used "sender forward secrecy" or "sender's forward secrecy" to
distinguish sender from recipient compromise:

https://eprint.iacr.org/2009/436
https://eprint.iacr.org/2010/638


Stepping back: the terminology is sort of a mess here, and if you want
to speak about complex cases with precision, you probably just need to
spell out exactly what compromises you're considering and their
consequences:
 - compromise of key A enables attack B but not C
 - compromise of key D enables attack E but not F
 etc...

Trevor
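
An added example, not part of the original message: the "compromise of key A enables attack B but not C" table, computed for two constructed one-pass Diffie-Hellman schemes in which w derives a message key for r. The scheme names, the toy group and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters (assumption, illustration only): 2**127 - 1 is prime,
# but this group is far too small for real use.
P, G = 2**127 - 1, 3

def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def kdf(*elems):
    return hashlib.sha256(b"".join(e.to_bytes(16, "big") for e in elems)).digest()

def send(scheme, w_priv, r_pub):
    """Sender w derives a message key for r. Returns (wire_value, key)."""
    static = pow(r_pub, w_priv, P)
    if scheme == "static-static":
        return None, kdf(static)      # only long-term keys are involved
    e_priv, e_pub = keygen()          # assumed erased once the message is sent
    return e_pub, kdf(pow(r_pub, e_priv, P), static)

def attacker_keys(priv, other_pub, wire):
    """Keys a passive attacker can derive from one long-term private key,
    the other party's public key, and the value seen on the wire."""
    static = pow(other_pub, priv, P)
    guesses = {kdf(static)}
    if wire is not None:
        # The recipient's key turns the wire value into the real ephemeral
        # DH result; the sender's key only gives wire**w, not r_pub**e.
        guesses.add(kdf(pow(wire, priv, P), static))
    return guesses

def compromise_matrix():
    w_priv, w_pub = keygen()
    r_priv, r_pub = keygen()
    result = {}
    for scheme in ("static-static", "ephemeral-static"):
        wire, key = send(scheme, w_priv, r_pub)
        result[scheme, "sender"] = key in attacker_keys(w_priv, r_pub, wire)
        result[scheme, "recipient"] = key in attacker_keys(r_priv, w_pub, wire)
    return result

if __name__ == "__main__":
    for (scheme, who), broken in compromise_matrix().items():
        print(f"{scheme}: compromise of {who} key recovers message key = {broken}")
```

Only the ephemeral-static row separates sender compromise from recipient compromise, and only under the stated assumption that the ephemeral private key is gone by the time w is compromised.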

