8.20 Providing Forward Secrecy in a Symmetric System
8.20.1 Problem
When using a series of (session) keys generated from a master secret, as described in the previous recipe, we want to limit the scope of a key compromise. That is, if a derived key is stolen, or even if the master key is stolen, we would like to ensure that no data encrypted under previous session keys can be read by attackers as a result of the compromise. If our system has this property, it is said to have perfect forward secrecy.
8.20.2 Solution
Use a separate base secret for each entity in the system. For any
given client, derive a new key called K1 from the base secret key, as
described in Recipe 4.11. Then, after you're sure
that communicating parties have correctly agreed upon a key, derive
another key from K1 in the exact same manner, calling it K2. Erase
the base secret (on both the client and the server), replacing it
with K1. Use K2 as the session key.
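The following is an added example of the procedure just described, not code from the book or from Recipe 4.11. It models both communicating parties, each holding the same per-entity base secret, and walks through one session: derive K1 from the base secret, derive K2 from K1 in the same way, confirm that both sides agree, then erase the base secret and replace it with K1, using K2 as the session key. The key derivation function is an assumption (HMAC-SHA256 keyed with the parent over a label and a never-repeated unique value); the page does not show the exact construction from Recipe 4.11. The per-session nonce and all key material are constructed sample values.

```python
"""Symmetric forward-secrecy ratchet: K1 = KDF(base, u), K2 = KDF(K1, u),
base <- K1, and K2 becomes the session key (added example, not the book's code)."""
import hashlib
import hmac
import secrets


def derive_key(parent: bytes, unique: bytes, label: bytes) -> bytes:
    # Assumed KDF standing in for Recipe 4.11: HMAC-SHA256 keyed with the parent
    # key over a label and a unique value that must never repeat. The one-way
    # property of the hash is what keeps the parent hidden from whoever holds
    # the child key.
    return hmac.new(parent, label + b"\x00" + unique, hashlib.sha256).digest()


def wipe(buf: bytearray) -> None:
    # Overwrite key material before dropping it. Best effort in Python, since the
    # interpreter may hold copies; in C this would be a secure memset of the buffer.
    for i in range(len(buf)):
        buf[i] = 0


class Entity:
    """One party (client or server) holding its current base secret."""

    def __init__(self, base_secret: bytes):
        self._base = bytearray(base_secret)
        self._pending_k1 = None

    def propose_session(self, unique: bytes) -> bytes:
        """Derive K1 from the base secret and K2 from K1; return K2 as the
        session key. The base secret is not replaced until confirm()."""
        k1 = derive_key(bytes(self._base), unique, b"K1")
        k2 = derive_key(k1, unique, b"K2")
        self._pending_k1 = bytearray(k1)
        return k2

    def confirm(self) -> None:
        """Called once both parties agree on the session key: erase the old base
        secret and replace it with K1, so nothing this entity still stores can
        regenerate an earlier session key."""
        if self._pending_k1 is None:
            raise RuntimeError("no session in progress")
        wipe(self._base)
        self._base = self._pending_k1
        self._pending_k1 = None

    def abort(self) -> None:
        """Key confirmation failed: discard K1 and keep the current base secret."""
        if self._pending_k1 is not None:
            wipe(self._pending_k1)
            self._pending_k1 = None

    def stored_secret(self) -> bytes:
        # What an attacker who compromises this entity's storage would obtain.
        return bytes(self._base)


def run_sessions(nonces, base_secret: bytes):
    """Client and server start from the same base secret and run one session per
    nonce. Returns the agreed session keys and each side's final stored secret."""
    client = Entity(base_secret)
    server = Entity(base_secret)
    session_keys = []
    for nonce in nonces:
        # The nonce is the never-repeated unique value each derivation needs; here
        # it is a constructed value the client is assumed to send to the server.
        k2_client = client.propose_session(nonce)
        k2_server = server.propose_session(nonce)
        # Key confirmation: a constant-time compare stands in for whatever
        # agreement check the surrounding protocol performs.
        if hmac.compare_digest(k2_client, k2_server):
            client.confirm()
            server.confirm()
            session_keys.append(k2_client)
        else:
            client.abort()
            server.abort()
    return session_keys, client.stored_secret(), server.stored_secret()


if __name__ == "__main__":
    base = secrets.token_bytes(32)          # constructed per-entity base secret
    nonces = [secrets.token_bytes(16) for _ in range(3)]
    keys, client_state, server_state = run_sessions(nonces, base)
    print("sessions agreed:", len(keys))
    print("both sides in sync:", client_state == server_state)
    print("original base secret still stored:", client_state == base)
```

Note what the stored state contains after each ratchet step: the base secret is gone and only the latest K1 remains, so an attacker who obtains it cannot walk backwards to earlier session keys without inverting the hash. The most recent K1 is still present, however, so together with that session's unique value it yields the current K2; the guarantee the recipe gives is for previous sessions, not the one whose K1 is currently stored.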
8.20.3 Discussion
In Recipe 4.11, we noted that knowledge of a properly created derived key gives no information about any parent key. We take advantage of that fact here: because the base secret is thrown away and replaced with K1, an attacker who compromises the current key cannot regenerate the old session keys, so previous sessions are not affected. The security depends on the cryptographically strong one-way property of the hash function used to generate the derived keys.
Remember that when deriving keys, every key derivation needs to include some kind of unique value that is never repeated (see Recipe 4.11 for a detailed discussion).
8.20.4 See Also
Recipe 4.11