Hacker Lexicon: What Is Perfect Forward Secrecy?

Posted in Hacker Lexicon, Hacker News

ENCRYPTION KEEPS YOUR secrets, until it doesn’t. When you use an encryption tool like the venerable software PGP, for instance, your most sensitive communications are only as secure as a single secret piece of data known as a private key. If that key is stolen, it’s not just your future messages that are compromised: an eavesdropper who has been recording your encrypted correspondence can decrypt all of it, years of past messages included, with that one stolen key.

To solve that problem of future security mistakes threatening past secrets, cryptographers have come up with a security feature called “perfect forward secrecy.” Last week, the developers behind the Signal protocol, which end-to-end encrypts everything from WhatsApp messages to Google’s Allo messenger to Facebook’s “secret conversations,” published a new, detailed explanation of how the protocol works, including its own implementation of perfect forward secrecy. And that future-proofing feature represents a new standard for any messaging service or website that takes your privacy seriously.

Moving Targets

Perfect forward secrecy means that the keys actually used to encrypt and decrypt traffic are short-lived: part of the encryption system generates fresh keys automatically and frequently, and derives them so that compromising the current key, or the long-term key that identifies the user, reveals nothing about the keys used before it. If the latest key is compromised, it exposes only a small slice of the user’s sensitive data. Tools with perfect forward secrecy switch keys as often as every message in a text conversation, every call in an encrypted calling app, or every new TLS session a browser opens with a website (a fresh, throwaway key exchange per handshake).

“You’re constantly generating new keys for new messages,” says Nadim Kobeissi, the creator of Cryptocat, an instant messaging app that was an early adopter of perfect forward secrecy. That means if a user’s device is stolen or hacked and eavesdroppers steal a decryption key, the damage is contained. “The latest message gets compromised, but any message prior to that message or after it can’t be decrypted,” Kobeissi says.

While schemes for perfect forward secrecy date back to the early ’90s, and ephemeral Diffie-Hellman key exchange had already brought it to protocols like SSH and TLS, the feature first reached encrypted instant messaging with Off-The-Record Messaging (OTR), a protocol published in 2004 that switched to a new key each time the sender alternated in a conversation. In that system, multiple messages sent back-to-back by the same sender still used the same key.

The newer Signal protocol, designed by cryptographers Moxie Marlinspike and Trevor Perrin in 2013, has both improved that key-switching trick and popularized perfect forward secrecy more than ever. Using a system it calls a “double ratchet,” Signal derives a new encryption key for every message, even those sent consecutively by the same person: a one-way key-derivation chain advances the key with each message, and a fresh Diffie-Hellman exchange is mixed into that chain every time the conversation changes direction, which is what makes the ratchet “double.” (See our flow chart of how Signal’s encryption protocol works here.) Forward secrecy protects messages in transit and in any recording of the traffic; it does nothing for the plaintext already sitting on a phone. For it to offer its intended protection in messaging apps, the user therefore needs to periodically delete decrypted messages or move them to a more secure device. Signal recently added disappearing messages, which takes care of that for you.
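The mechanism in the two paragraphs above, rotating the key for every message along a one-way chain and discarding each key after use, as an added illustration in Python. This is not Signal’s code: the chain-key to message-key step follows Signal’s published double-ratchet construction, but the cipher around it is a constructed HMAC-based stand-in so the example runs on the standard library alone, the parties and messages are made up, and the Diffie-Hellman half of the ratchet is left out. The `attacker_recovers` function plays the adversary from the Moving Targets section, who recorded the whole conversation and later steals the sender’s current key:

```python
# Added illustration, not Signal's code: the symmetric-key ratchet that gives the
# double ratchet its per-message forward secrecy. The chain-key -> message-key
# step follows Signal's published construction (HMAC with constants 0x01/0x02);
# the cipher is a constructed HMAC-SHA256 keystream plus MAC, chosen only so the
# example runs on the Python standard library.
import hashlib
import hmac


def kdf_chain(chain_key: bytes) -> tuple[bytes, bytes]:
    """One ratchet step: (next_chain_key, message_key). HMAC is one-way, so holding
    next_chain_key reveals neither chain_key nor this message_key."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for a real AEAD cipher."""
    blocks = [hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _subkeys(message_key: bytes) -> tuple[bytes, bytes]:
    return (hmac.new(message_key, b"enc", hashlib.sha256).digest(),
            hmac.new(message_key, b"mac", hashlib.sha256).digest())


def encrypt(message_key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(message_key)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def decrypt(message_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(message_key)
    ciphertext, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ciphertext, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong message key")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, len(ciphertext))))


class Chain:
    """A sending chain, or its mirror on the receiving side; each key is used once."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key
        self.counter = 0

    def _step(self) -> tuple[int, bytes]:
        self.chain_key, message_key = kdf_chain(self.chain_key)
        index, self.counter = self.counter, self.counter + 1
        return index, message_key

    def send(self, plaintext: bytes) -> tuple[int, bytes]:
        index, message_key = self._step()
        return index, encrypt(message_key, plaintext)

    def receive(self, index: int, blob: bytes) -> bytes:
        expected, message_key = self._step()
        if expected != index:
            raise ValueError(f"message {index} out of order, expected {expected}")
        return decrypt(message_key, blob)


def attacker_recovers(stolen_chain_key: bytes, transcript: list[tuple[int, bytes]]) -> set[int]:
    """Adversary with the recorded ciphertexts and the sender's current chain key.
    The chain only runs forward, so it derives every reachable key and tries each."""
    derived, chain_key = [], stolen_chain_key
    for _ in transcript:
        chain_key, message_key = kdf_chain(chain_key)
        derived.append(message_key)
    recovered = set()
    for index, blob in transcript:
        for message_key in derived:
            try:
                decrypt(message_key, blob)
            except ValueError:
                continue
            recovered.add(index)
            break
    return recovered


def demo(stolen_after: int = 2) -> tuple[list[bytes], set[int]]:
    """Alice sends four constructed messages, Bob decrypts them, and the attacker
    steals Alice's chain state after `stolen_after` messages have gone out."""
    shared = hashlib.sha256(b"constructed shared secret for the demo").digest()
    alice, bob = Chain(shared), Chain(shared)
    messages = [b"meet at 9", b"bring the docs", b"new plan: 10", b"done"]
    transcript, received = [], []
    stolen_key = shared if stolen_after == 0 else None
    for i, m in enumerate(messages):
        transcript.append(alice.send(m))
        if i + 1 == stolen_after:
            stolen_key = alice.chain_key
    for index, blob in transcript:
        received.append(bob.receive(index, blob))
    return received, attacker_recovers(stolen_key, transcript)
```

Running `demo()` shows Bob reading all four messages while an attacker who steals Alice’s chain state after the second one can decrypt messages 2 and 3 but not 0 and 1, because the chain cannot be run backwards. Note what the stolen state does not protect: every later message in the same chain. That is the gap the second, Diffie-Hellman ratchet closes in the real protocol, by mixing a fresh shared secret into the chain whenever the conversation changes direction, so stolen state stops being useful after the next round trip.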

More Than Messages

But while practically every modern encrypted messaging app uses perfect forward secrecy, its adoption in web encryption has been far spottier. Every modern browser offers forward-secret cipher suites, those using ephemeral Diffie-Hellman (DHE or ECDHE) key exchange, in its HTTPS handshake. But the server picks the suite, and for now not every HTTPS site will play along: a server that chooses old-style RSA key exchange instead leaves every recorded session decryptable by whoever later obtains its private key. Amazon, Etsy, and most popular e-commerce sites, for instance, are set up to use forward-secret modes of encryption. Other sites, including even financial websites like Fidelity.com and Chase.com, don’t use the feature in every case, according to results from the SSL Labs testing tool provided online by the security firm Qualys. You can use Qualys’s tool to check any HTTPS site for perfect forward secrecy here.
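An added example, not from the article, Qualys or the Python documentation, of the distinction the paragraph turns on: a TLS session has forward secrecy only if its cipher suite uses ephemeral (EC)DH key exchange, and the server’s choice decides it. The code uses Python’s standard `ssl` module to classify suites by the key-exchange label OpenSSL reports and to build a client context that refuses anything else; `SAMPLE_CIPHERS` is a constructed list in the shape `get_ciphers()` returns, so the classifier can be exercised without a network connection.

```python
# Added example, not from the article, Qualys or Python's docs: which TLS cipher
# suites give a session forward secrecy, and a client context that negotiates
# nothing else. Standard library only.
import ssl

# Key-exchange labels as reported by SSLContext.get_ciphers() (OpenSSL long names).
# "kx-any" is how OpenSSL labels TLS 1.3 suites, whose key exchange is always
# ephemeral (EC)DH. Static RSA key transport ("kx-rsa") and plain PSK are not
# forward secret: a later theft of the server key unlocks every recorded session.
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}


def non_forward_secret(ciphers: list[dict]) -> list[str]:
    """Names of the suites in `ciphers` whose key exchange lacks forward secrecy."""
    return [c["name"] for c in ciphers if c["kea"] not in FORWARD_SECRET_KEA]


def forward_secret_client_context() -> ssl.SSLContext:
    """A client context that only negotiates ephemeral key exchange."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The cipher string governs TLS 1.2 suites; TLS 1.3 suites are unaffected by
    # set_ciphers() and are forward secret by construction.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5")
    return ctx


# Constructed sample in the shape get_ciphers() returns (other fields trimmed).
SAMPLE_CIPHERS = [
    {"name": "TLS_AES_256_GCM_SHA384", "kea": "kx-any"},          # TLS 1.3
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "kea": "kx-ecdhe"},   # forward secret
    {"name": "DHE-RSA-AES256-GCM-SHA384", "kea": "kx-dhe"},       # forward secret
    {"name": "AES256-GCM-SHA384", "kea": "kx-rsa"},               # RSA key transport
]


def check_default_context() -> list[str]:
    """Suites a default client context would still accept without forward secrecy."""
    return non_forward_secret(ssl.create_default_context().get_ciphers())


if __name__ == "__main__":
    print("sample, no forward secrecy:", non_forward_secret(SAMPLE_CIPHERS))
    print("default context, no forward secrecy:", check_default_context())
    print("hardened context, no forward secrecy:",
          non_forward_secret(forward_secret_client_context().get_ciphers()))
```

On a live connection the negotiated suite is what matters, not the list offered: after the handshake, `cipher()` on an `SSLSocket` returns the chosen name, and a name beginning with `ECDHE-`, `DHE-` or `TLS_` (TLS 1.3) means the session was forward secret, while a bare `AES256-GCM-SHA384` means static RSA key exchange. That is the same property the Qualys test reports from the outside.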

The threat of hackers who collect and record encrypted messages or web traffic over time and then decrypt that data later is more than theoretical paranoia. That kind of so-called “upstream” collection is common practice for intelligence agencies like the NSA, which has both tapped undersea cables and partnered with telecom firms to grab data en masse as it flows across the internet. In authoritarian countries that have tighter, more repressive surveillance of the internet, the need for perfect forward secrecy is even greater. “For countries that have both a national internet service provider and a repressive regime, this sort of interception isn’t just possible, it’s trivial,” says Parker Higgins, an activist with the Electronic Frontier Foundation.

All of which means it’s important to consider not just whether your communications are encrypted, but how: When your device is stolen, hacked, or seized, you may be glad you didn’t trust years worth of your collected secrets to a single, not-so-secret key.

Source: Wired