[OTR-users] Perfect Forward Secrecy

Ian Goldberg ian at cypherpunks.ca
Mon Mar 28 14:20:08 EST 2005


[It's "perfect forward secrecy", not "p.f. security".]

On Mon, Mar 28, 2005 at 01:59:41PM -0500, Jason Cohen wrote:
> Quoting:
> 
> The keysize of the DH only has to be large enough that you're
>   comfortable with the adversary having to break a DH key agreement *per
>   message*, since (approximately) each message you send is encrypted
>   with a new key, derived from a fresh DH key agreement.
> 
> If an adversary steals your private key and can break one message,
> don't they have all the needed information to decrypt the next
> message? They have the key used to encrypt the next message as well as
> the private "x" value. I'm probably just confused. I would appreciate
> it if someone could clarify this for me.

No; if you break DH to find the private key associated with the public
key used to encrypt message number 1, that doesn't give you the private
key associated with the public key used to encrypt message number 2.
Each message (approximately) uses a brand-new DH private/public key
pair.  You have to break DH all over again to get that second private
key, and so on.  Knowing the DSA private key also has no effect on this
result.

I'm not sure that was clear enough.  Let me know if there's something
you still don't understand.

   - Ian
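As an added illustration of the point above (this is not code from the thread or from OTR itself): an idealized model in which both parties use a brand-new DH pair for every message, so an adversary who recovers the private value behind one message's key agreement can read only that message. It assumes a toy 127-bit group rather than OTR's real 1536-bit group, and rotates keys on every single message, which is stricter than OTR's actual schedule (hence Ian's "approximately").

```python
import hashlib
import secrets

# Toy DH group for illustration only: the Mersenne prime 2^127 - 1 with
# generator 3 is far too small for real use (OTR uses a 1536-bit group).
P = 2**127 - 1
G = 3

def dh_keypair():
    """Fresh private/public pair; a brand-new one is made per message."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def message_key(my_priv, their_pub):
    """Per-message symmetric key from a single DH agreement."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor_stream(key, data):
    """Demo stream cipher: XOR with a SHA-256 keystream (encrypt == decrypt)."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def send_messages(plaintexts):
    """Alice sends each plaintext to Bob; each side uses a fresh DH pair for
    every message. Returns the eavesdropper's view (public keys, ciphertext)
    plus Alice's private value, kept only so the attack below can 'break' it."""
    transcript = []
    for pt in plaintexts:
        a_priv, a_pub = dh_keypair()
        b_priv, b_pub = dh_keypair()
        ct = xor_stream(message_key(a_priv, b_pub), pt)
        if xor_stream(message_key(b_priv, a_pub), ct) != pt:
            raise RuntimeError("Bob failed to decrypt")  # both sides must agree
        transcript.append({"a_pub": a_pub, "b_pub": b_pub, "ct": ct,
                           "a_priv": a_priv})
    return transcript

def adversary_with_broken_key(transcript, broken):
    """Adversary who solved DH for message `broken` (so knows Alice's private
    value for that message only) tries that value against every message."""
    a_priv = transcript[broken]["a_priv"]
    return [xor_stream(message_key(a_priv, m["b_pub"]), m["ct"])
            for m in transcript]
```

Because every message's key comes from a different private value, the recovered value yields correct plaintext only for the message it was broken from; every other message still requires a fresh DH break.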
