I am writing a decentralized application that lets certain privileged users post messages to other users. These messages should be encrypted so that only the two of them can read it. Messages are posted onto IPFS, so that anyone can read the ciphertext.

Currently, I am using OpenPGP to encrypt from one user to the other. However, I was reading about perfect forward secrecy's usages (e.g. in Signal, Megolm), and it seems like a requirement for a secure chat app.

However, in my case, users must always be able to read message history, ideally from any device with the private key. I could still do this with PFS, but I'd have to keep decrypted message history on the device, correct? Thus, (as keybase alludes to), isn't perfect forward secrecy useless if compromising a device always yields both the long-term key and all past history?

Essentially, are there any benefits that PFS still offers versus traditional public-key encryption, perhaps augmented with the ability to stop encrypting to compromised devices in future messages?

1 Answer

It depends on the capabilities of the attacker. If an attacker can compromise your device, then yes, storing the full message history obviously means they'll be able to see everything.

But what if the attacker can only see communication between the users? In this case forward secrecy is still useful, as it means breaking a user's long-term key at some point in the future won't compromise every message for that user, instead each individual key would have to be broken.


Forward secrecy works by using an "ephemeral key", which means a new key is negotiated for each message. It's the difference between an attacker in the future spending a couple weeks breaking your key and having every message you sent for several years vs breaking a single message's key and having only that message. Once keys can be broken quickly enough (perhaps with quantum computing) forward secrecy doesn't help much. In either case, the attacker still needs to have the ciphertext. If they don't have the ciphertext they can't decrypt it.

As an example, suppose you had a 512 bit RSA key a couple decades ago. 512 bit RSA was first broken in 1999, taking 6 months. Today it can be done in a few hours for less than $100. If you had many hundreds of messages encrypted for that key that an adversary had previously intercepted and wants to decrypt, all they have to do is spend a couple hours and under $100 to break your key and they'd have all of them. If each message had used an ephemeral key, they'd have to spend that much time and money per message.

You can think of forward secrecy as a stop-gap measure, making each individual key much less valuable. This works because once it's possible to break a key, it still often takes significant effort to do so, with the effort required steadily declining over time.

AndrolGenhald
  • So forward secrecy would help in the case of *cryptographic compromise* (i.e. not stealing the key, but cracking it)? That would make sense, since the attacker wouldn't have access to decrypted message data in that case. – Pneumaticat Feb 20 '19 at 00:30
  • 1
    @Pneumaticat does that help? – AndrolGenhald Feb 20 '19 at 01:17
  • Yeah, that helps a lot. If I were to use a very strong encryption key right now (say, 4096-bit RSA), though, wouldn't the more likely possibility be cryptographic compromise, not brute-force attack? I suppose even if RSA is totally broken in the future, it might be computationally expensive to run the attack, so forward secrecy would still help. – Pneumaticat Feb 20 '19 at 01:23
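The answer's attacker model (someone who recorded every ciphertext and later obtains, or breaks, a long-term key) can be made concrete with a small simulation. The following is an added example written for this page, not code from the thread or from any project it mentions. It uses a constructed toy Diffie-Hellman group (P = 65537, G = 3) so that "breaking a key" can literally be a brute-force discrete log, a toy XOR stream cipher, and a one-time prekey scheme for the recipient; the names `encrypt_static`, `encrypt_ephemeral`, `attacker_recovers` and `simulate` are all assumptions of this example. Nothing in it is secure; its only purpose is to count how many keys the attacker must break under each scheme.

```python
"""Added simulation: static long-term keys vs. per-message ephemeral keys.
Toy parameters only (constructed for illustration); nothing here is secure."""
import hashlib
import secrets
from dataclasses import dataclass

# Constructed toy DH group: small enough that the "attacker" below can brute-force
# discrete logs, which stands in for "breaking a key" years later.
P = 65537  # prime
G = 3      # primitive root modulo 65537


def keypair():
    """Return (private exponent, public value) in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(priv, peer_pub):
    """Hash the DH shared secret into a 32-byte message key."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(4, "big")).digest()


def xor_stream(key, nonce, data):
    """Toy stream cipher: XOR with a SHAKE keystream (unauthenticated, illustration only)."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Record:
    """What an observer sees on the public channel (e.g. an IPFS post)."""
    sender_pub: int     # long-term key (static scheme) or one-shot ephemeral key
    recipient_pub: int  # long-term key (static scheme) or a one-time prekey
    nonce: bytes
    ciphertext: bytes


def encrypt_static(sender_priv, sender_pub, recipient_pub, plaintext):
    """Static scheme: every message is keyed from the same long-term/long-term DH."""
    nonce = secrets.token_bytes(16)
    key = derive_key(sender_priv, recipient_pub)
    return Record(sender_pub, recipient_pub, nonce, xor_stream(key, nonce, plaintext))


def encrypt_ephemeral(recipient_onetime_pub, plaintext):
    """Ephemeral scheme: a fresh sender key per message against a recipient one-time
    prekey. The sender discards its private half at once; the recipient deletes the
    prekey's private half after decrypting. (Signing the prekeys with a long-term
    identity key, which real protocols do, is omitted here.)"""
    eph_priv, eph_pub = keypair()
    nonce = secrets.token_bytes(16)
    key = derive_key(eph_priv, recipient_onetime_pub)
    del eph_priv  # nothing on disk can later reveal this key
    return Record(eph_pub, recipient_onetime_pub, nonce, xor_stream(key, nonce, plaintext))


def brute_force_dlog(pub):
    """Recover a private exponent from its public value (feasible only in the toy group)."""
    x = 1
    for exp in range(1, P):
        x = (x * G) % P
        if x == pub:
            return exp
    raise ValueError("no discrete log found")


def attacker_recovers(records, known_privs):
    """Attacker holds every ciphertext plus the private keys in known_privs (pub -> priv).
    Returns (plaintexts recovered, number of further keys that had to be broken)."""
    known = dict(known_privs)
    recovered, breaks = [], 0
    for rec in records:
        if rec.recipient_pub not in known:
            known[rec.recipient_pub] = brute_force_dlog(rec.recipient_pub)
            breaks += 1
        key = derive_key(known[rec.recipient_pub], rec.sender_pub)
        recovered.append(xor_stream(key, rec.nonce, rec.ciphertext))
    return recovered, breaks


def simulate(n_messages=4):
    """Encrypt the same messages under both schemes and report the attacker's work."""
    alice_priv, alice_pub = keypair()
    bob_priv, bob_pub = keypair()
    msgs = [f"constructed message {i}".encode() for i in range(n_messages)]

    static_records = [encrypt_static(alice_priv, alice_pub, bob_pub, m) for m in msgs]

    # Bob publishes distinct one-time prekeys; their private halves exist only until use.
    used, prekeys = {alice_pub, bob_pub}, []
    while len(prekeys) < n_messages:
        priv, pub = keypair()
        if pub not in used:
            used.add(pub)
            prekeys.append((priv, pub))
    eph_records = [encrypt_ephemeral(pub, m) for (_, pub), m in zip(prekeys, msgs)]
    del prekeys  # used prekeys are deleted, as were the sender ephemerals

    stolen = {alice_pub: alice_priv, bob_pub: bob_priv}  # later device/key compromise
    results = {}
    for label, known in (("stolen_long_term", stolen), ("no_keys", {})):
        s_plain, s_breaks = attacker_recovers(static_records, known)
        e_plain, e_breaks = attacker_recovers(eph_records, known)
        results[label] = {"static_breaks": s_breaks, "ephemeral_breaks": e_breaks,
                          "all_recovered": s_plain == msgs and e_plain == msgs}
    return results


if __name__ == "__main__":
    print(simulate())
```

In the toy group every key can be broken, so the attacker eventually reads everything in both schemes; what differs is the bill. With the static scheme, a stolen long-term key decrypts all messages for free, and without one a single discrete log suffices. With per-message ephemeral keys, the stolen long-term keys decrypt nothing, and each message costs its own discrete log, which is the "per message" cost the answer describes. The example does not model the device-compromise case from the question, where stored plaintext history sidesteps the key question entirely.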