21 Forward Secrecy

A protocol has Forward Secrecy if it keeps the message secret from an attacker who has :

• A recording of the protocol run.
• The long-term keys of the principals.

Question

Why does this matter ?

Protection against :

• Governments that can force people to give up their keys.
• Hackers that might steal private keys.

Station-to-Station Protocol and Forward Secrecy

$$\begin{array}{rl}1.& A\to B:g^x\\ 2.& B\to A:g^y,\{S_B(g^y,g^x){\}}_{g^{xy}}\\ 3.& A\to B:\{S_A(g^y,g^x){\}}_{g^{xy}}\\ 4.& B\to A:\{M{\}}_{g^{xy}}\end{array}$$

$S_X(\_)$ means signed by $X$.

Question

Why is this Secure ?

• $x,y,g^{xy}$ are not stored after the protocol run.
• $A$ and $B$‘s keys don’t let the attacker read $M$.
• STS ensured Forward Secrecy.