Score:2

How does perfect forward secrecy work for messaging?

sm flag

I am struggling to understand how messaging protocols (like Signal) are able to use perfect forward secrecy. My understanding is that the server generates temporary keys which are used in combination with a user's persistent keys in generating shared session keys.

But if the temp keys are discarded after the session ends, how do the client devices decrypt messages from previous sessions? I must be missing something because I thought the whole point of PFS is that if an attacker got access to your private key, they could only decrypt messages from your current session. If that is true, how are you able to decrypt messages from previous sessions?

Score:6
ci flag

I think that you may be confusing encryption of data "in transit" and encryption of persistent data. PFS works mainly and I think was also designed mainly for data in transit. So for messaging protocols, the important point to realize is that whichever keys you employed as part of the key agreement protocol (usually asymmetric keys), and whichever keys you agreed on and used for the message transport protocol (usually symmetric keys) should go away, never to return, once the session ends (or earlier!). This way, whoever is able to record the encrypted session data, by somehow eavesdropping on the line (aka: Passive MITM), will not be able to recover those keys at any point in the future, which renders his recording of the entire session useless.

When you start talking about things like "message history" and how it is you're able to see messages that were sent to you in the past, this is a whole different story. As long as you want any kind of message history, you need to enable the user to both securely store and delete historical messages, but by definition the concept of PFS doesn't apply to them because this is where you begin to deal with the encryption of persistent, as opposed to transient, data.

Randusr (sm flag)
So if Alice was sending a message to Bob, would Alice encrypt the message using a shared key first, then, for transit, encrypt the ciphertext with the session key to then be decrypted on the server? But this would mean that the server stores the session key somehow? Could you give an example of how this would work for sending a message?
Amit (ci flag)
The idea is that:
1. Alice and Bob may use long term keys *only* for identification and authentication, whether it be to each other or with the server.
2. Once they are identified (hence logged in to whatever messaging system that is) they are capable of starting a session.
3. Now from this point, for them to start a session, there is no inherent requirement of the existence of a third party (server) at all.
4. So, to start a PFS compatible session, they need to make sure, as written above, that the key agreement protocol they use is one that creates what is called "ephemeral keys"...
Amit (ci flag)
... Now a server is surely important for cases where for example you need to store a message until the recipient receives it (recipient's phone may be turned off is a classic example). But all this means for PFS is that sessions may become longer, and intentionally storing encrypted messages on the server for the duration of the session doesn't change the PFS property, because in any case, once the session is terminated, the server also wouldn't be able to decrypt those messages. What I am saying is an ideal situation - I am not too familiar with how it's done by Signal, WhatsApp etc.
Amit (ci flag)
One last thing: you may find the following video somewhat enlightening: https://www.youtube.com/watch?v=tOMiAeRwpPA&ab_channel=TechworldSverige The speaker is the guy that was involved in developing the Signal protocol... (old video but I think it still employs the same principles).
Score:2
vn flag

The main goal of PFS is to prevent an attacker from recording a lot of data on the network and then decrypting that data after compromising one of the endpoints.

For example, the FBI records all your traffic to the Signal server, later they confiscate your phone and decrypt all that traffic.

If you store your entire history on your phone this is unnecessary. But if you delete data after the conversation has happened this becomes useful. For Signal, this would probably mean turning on "Disappearing Messages". (Disclaimer: I don't know anything about the details of that feature.)

Note that PFS is a protocol feature, while deleting data locally is a client feature. The client needs to actually delete all the data and not just the encryption keys to prevent a client compromise from leaking data. This is a problem for secure messaging because people generally want to be able to look at chat history.

Randusr (sm flag)
So all messages from previous sessions are stored only on each client's local device?
Elias (vn flag)
Sorry, I don't know. I do know that Signal also has a strange PIN based recovery scheme which protects your keys using Intel SGX. It's hard to say how all these things play together and what kind of client compromise security Signal actually provides.
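The following Python is an added example, not code from any of the posters and not Signal's implementation. It models the point both answers make: long-term identity keys (static X25519 keys here) do nothing but authenticate a fresh ephemeral public key, the session key is derived from the ephemeral Diffie-Hellman output alone and is discarded together with the ephemeral private key when the session ends, and any chat history the client keeps is a separate copy encrypted under a device key, which is data at rest and outside what PFS covers. The X25519 function is a pure-Python transcription of the RFC 7748 ladder so the block runs offline; the MAC-based authentication of ephemeral keys, the SHA-256 keystream transport, and the names `Client`, `offer`, `accept`, `seal`, `open_` and `run_conversation` are constructed for this illustration and are not the design of Signal (which uses X3DH and the Double Ratchet).

```python
# Added example, not code from the thread: a forward-secret session built from
# ephemeral X25519 keys, with long-term keys used only to authenticate them.
import hashlib
import hmac
import secrets

P = 2**255 - 19                              # Curve25519 field prime
BASEPOINT = (9).to_bytes(32, "little")

def _cswap(swap, a, b):                      # swap iff swap == 1, no branch on the bit
    mask = (-swap) & (a ^ b)
    return a ^ mask, b ^ mask

def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication (RFC 7748, section 5)."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64               # clamp the scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % P  # drop unused top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e, c, d = (aa - bb) % P, (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def kdf(secret: bytes, label: bytes) -> bytes:
    return hmac.new(secret, label, hashlib.sha256).digest()

def _keystream(key: bytes, seq: int, n: int) -> bytes:
    hdr = key + seq.to_bytes(8, "big")
    return b"".join(hashlib.sha256(hdr + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key: bytes, seq: int, msg: bytes) -> bytes:
    """Encrypt-then-MAC over a SHA-256 keystream; a stand-in for a real AEAD."""
    ct = bytes(m ^ s for m, s in zip(msg, _keystream(key, seq, len(msg))))
    return ct + kdf(key, seq.to_bytes(8, "big") + ct)

def open_(key: bytes, seq: int, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, kdf(key, seq.to_bytes(8, "big") + ct)):
        raise ValueError("bad tag")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, seq, len(ct))))

class Client:
    def __init__(self):
        self.id_priv = secrets.token_bytes(32)        # long-term identity key
        self.id_pub = x25519(self.id_priv, BASEPOINT)
        self.device_key = secrets.token_bytes(32)     # protects stored history (data at rest)
        self.eph_priv = self.session_key = None       # exist only while a session is open

    def offer(self, peer_id_pub):
        """Fresh ephemeral key, MAC'd under the identity DH: long-term keys only authenticate."""
        self.eph_priv = secrets.token_bytes(32)
        eph_pub = x25519(self.eph_priv, BASEPOINT)
        return eph_pub, kdf(kdf(x25519(self.id_priv, peer_id_pub), b"auth"), eph_pub)

    def accept(self, peer_id_pub, peer_eph_pub, tag):
        auth = kdf(x25519(self.id_priv, peer_id_pub), b"auth")
        if not hmac.compare_digest(tag, kdf(auth, peer_eph_pub)):
            raise ValueError("unauthenticated ephemeral key")
        # The session key is derived from the two ephemeral keys alone.
        self.session_key = kdf(x25519(self.eph_priv, peer_eph_pub), b"session")

    def end_session(self):
        self.eph_priv = self.session_key = None       # discard: nothing left to seize later

def run_conversation(msg: bytes = b"hi bob"):
    alice, bob, transcript = Client(), Client(), []
    a_eph, a_tag = alice.offer(bob.id_pub)
    b_eph, b_tag = bob.offer(alice.id_pub)
    transcript += [a_eph, a_tag, b_eph, b_tag]        # what a passive eavesdropper records
    alice.accept(bob.id_pub, b_eph, b_tag)
    bob.accept(alice.id_pub, a_eph, a_tag)
    wire = seal(alice.session_key, 0, msg)
    transcript.append(wire)
    received = open_(bob.session_key, 0, wire)
    history = seal(bob.device_key, 0, received)       # persistent copy: PFS does not cover this
    for client in (alice, bob):
        client.end_session()
    # Later compromise: attacker holds the transcript, Bob's identity key and device key.
    auth = kdf(x25519(bob.id_priv, alice.id_pub), b"auth")
    can_verify_auth = hmac.compare_digest(a_tag, kdf(auth, a_eph))   # identity key: only this
    history_plain = open_(bob.device_key, 0, history)  # stored history falls with the device...
    # ...while the session key would need an ephemeral private key, and none survives.
    return received, can_verify_auth, bob.eph_priv is None, history_plain
```

`run_conversation()` returns what Bob received, whether a later attacker holding the identity key can still check the handshake tag (yes), whether any ephemeral private key survives (no), and the history recovered with the device key. That is the split the two answers describe: a seized identity key lets the attacker verify, and for future sessions forge, handshakes, but the recorded session ciphertext can only be opened with an ephemeral private key that no longer exists; the stored history is protected only by whatever guards the device key, which is why the client has to delete the data itself if it wants the same property at rest.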