Every time I encounter the concepts of PFS (perfect forward secrecy) and wPFS (w

Question

Every time I encounter the concepts of PFS (perfect forward secrecy) and wPFS (weak perfect forward secrecy), I feel uncertain about them.

My understanding is that:

PFS ensures that, if the parties' long-term keys have compromised in the future by an active adversary, he cannot calculate the session key.

wPFS ensures that, if a passive adversary has learned the private keys of both peers to the session, and if the session is "clean", he still cannot recover the session key.

I'm not sure whether my understanding is right or not. And I don't know the if these are the correct definitions of PFS and wPFS.

Can you help me understand PFS and wPFS?

Explanation / Answer

The difference between weak and strong perfect forward secrecy lies in the capabilities of the attacker. Perfect forward secrecy is strong if it remains secure in the face of an active attacker, while weak perfect forward secrecy's security claim only covers passive attackers.

If I'm not mistaken weak perfect forward secrecy (wPFS) is a term introduced to claim perfect forward security for a 2-message protocol, disregarding MITM attacks.

A quick Google search revealed that this term was probably coined by Hugo Krawczyk in his 2005 paper HMQV: A High-Performance Secure Di?e-Hellman Protocol.

I don't know how commonly understood this term is however, so if you're intending to use it for a paper make sure to explain it.

Related Questions

Navigate

• Browse (All)
• Browse E
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.