
I am new to cryptography and am going through the book Understanding Cryptography


Question

I am new to cryptography and am going through the book Understanding Cryptography by Paar and Pelzl.

From what I understand Symmetric key distribution systems like Kerberos do not provide PFS because an attacker will be able to decrypt every session key ever encrypted with a compromised KEK.

In the book, on page 342, they say that Asymmetric ciphers like Diffie-Hellman or RSA, when used for key distribution, will provide PFS. I understand that Diffie-Hellman will provide PFS because each session key will have nothing to do with any other session key. However, I've been stumped for a few days now trying to figure out how RSA will provide PFS. Am I missing something or just misunderstanding what they wrote?

Explanation / Answer

Forward Secrecy (that is, maintaining confidentiality of messages enciphered before compromise of the long term key) can be achieved in a protocol using a public-key signature scheme with a long-term public key, and a public-key encryption scheme with a per-session key; but in the case of RSA signature and encryption, that's inefficient, thus unusual.

As an example: Bob has a long-term RSA key pair (MpubB,MprivB) used for signature, with MpubB trusted by Alice (perhaps by way of some certificate). In order for Alice to send a confidential message to Bob:

+ Alice
  - draws a 256-bit random R
  - sends R to Bob
+ Bob
  - generates a new RSA key pair (TpubB,TprivB) used for encryption
  - RSA-signs the (hash of the) message R‖TpubB using MprivB, giving signature S
  - sends TpubB‖S to Alice
+ Alice
  - gets TpubB and S
  - verifies that S is a valid signature with respect to MprivB for R‖TpubB, where R is from the recent first step
  - generates a random symmetric session key K
  - RSA-enciphers K using TpubB, yielding X
  - enciphers the plaintext message M using key K by a symmetric algorithm (say, AES-CTR with implicit zero IV), yielding ciphertext C
  - forgets K
  - sends X‖C to Bob
+ Bob
  - gets X and C
  - RSA-deciphers X using TprivB, yielding K
  - forgets TprivB
  - deciphers ciphertext C with key K, yielding plaintext message M
  - forgets K.

K allows M to be large, when RSA encryption only directly allows short messages. R protects against replay of an earlier TpubB.

The scheme is inefficient because generation of a new RSA key pair is relatively expensive (and normally rare, thus not optimized for speed). That's a good reason why (EC)DH is most used in practice.

It is possible to send several messages using the same K, and/or reuse (TpubB,TprivB) across multiple sessions, improving performance. But Forward Secrecy triggers only when K and TprivB are forgotten, and R is no longer accepted.

Note: the scheme provides confidentiality, but not integrity or proof of origin; that can be added.
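The four steps above, run end to end as an added example (not code from the answer, the book, or any library). It is written in pure Python so it runs offline: the RSA keys are generated with a Miller-Rabin routine at a deliberately small demo size, signing is a full-domain-hash style `pow(H(m), d, n)` without PSS padding, K is enciphered with textbook RSA without OAEP, and a SHA-256 counter keystream with an implicit zero IV stands in for AES-CTR; all of these are simplifications chosen for the example, not production choices. The function names (`alice_step1`, `bob_step2`, and so on) and the 768-bit modulus are assumptions of this example. Forward secrecy shows up as scoping: TprivB and K exist only inside the step functions and are dropped on return, and the replay check shows why R is signed.

```python
"""Forward-secret RSA key transport following the Bob/Alice steps above.
Added example, demo-grade only: textbook RSA (no OAEP/PSS), small keys,
and a SHA-256 counter keystream standing in for AES-CTR."""
import hashlib
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]
DEMO_MESSAGE = b"Forward secrecy demo message, longer than one 32-byte keystream block."


def is_probable_prime(n, rounds=40):
    """Miller-Rabin with a small-prime sieve in front."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits):
    """Returns ((n, e), (n, d)). This is the 'expensive' step the answer mentions."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def h_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def rsa_sign(priv, msg):  # full-domain-hash style; no PSS (demo simplification)
    return pow(h_int(msg), priv[1], priv[0])


def rsa_verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == h_int(msg)


def encode_pub(pub):
    return f"{pub[0]}:{pub[1]}".encode()


def ctr_xor(key, data):
    """Counter-mode keystream with implicit zero IV; stand-in for AES-CTR."""
    out = bytearray()
    for blk, i in enumerate(range(0, len(data), 32)):
        stream = hashlib.sha256(key + blk.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], stream))
    return bytes(out)


def alice_step1():
    return secrets.token_bytes(32)  # R, fresh per session


def bob_step2(mpriv_b, r, bits):
    tpub_b, tpriv_b = rsa_keygen(bits)  # per-session (TpubB, TprivB)
    s = rsa_sign(mpriv_b, r + encode_pub(tpub_b))  # sign R||TpubB
    return (tpub_b, s), tpriv_b  # message to Alice, Bob's private state


def alice_step3(mpub_b, r, tpub_b, s, message):
    if not rsa_verify(mpub_b, r + encode_pub(tpub_b), s):  # verify with Bob's long-term public key
        raise ValueError("bad signature or replayed TpubB")
    k = secrets.token_bytes(32)  # session key K (< n, so textbook RSA is well-defined)
    x = pow(int.from_bytes(k, "big"), tpub_b[1], tpub_b[0])  # X = RSA(TpubB, K)
    return x, ctr_xor(k, message)  # K is forgotten when this frame returns


def bob_step4(tpriv_b, x, c):
    k = pow(x, tpriv_b[1], tpriv_b[0]).to_bytes(32, "big")
    return ctr_xor(k, c)  # TprivB and K are forgotten when this frame returns


def replay_is_rejected(mpub_b, stale):
    """Replaying an old (TpubB, S) against a fresh R must fail, since S covers R."""
    _old_r, tpub_b, s = stale
    try:
        alice_step3(mpub_b, alice_step1(), tpub_b, s, b"x")
        return False
    except ValueError:
        return True


def demo(bits=768):
    mpub_b, mpriv_b = rsa_keygen(bits)  # Bob's long-term signing key
    r = alice_step1()
    (tpub_b, s), tpriv_b = bob_step2(mpriv_b, r, bits)
    x, c = alice_step3(mpub_b, r, tpub_b, s, DEMO_MESSAGE)
    recovered = bob_step4(tpriv_b, x, c)
    return {"recovered": recovered, "replay_rejected": replay_is_rejected(mpub_b, (r, tpub_b, s))}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` does the whole exchange once: Bob's long-term key signs a fresh per-session encryption key, Alice transports K under it, and Bob decrypts. Because `bob_step2` and `bob_step4` never return TprivB to the caller, a later compromise of MprivB only lets an attacker forge future TpubB values, not recover past K; the replay check demonstrates the second half of the answer's condition, that an old (TpubB, S) is useless once its R is no longer accepted.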
