David Wong

cryptologie.net

cryptography, security, and random thoughts

Hey! I'm David, cofounder of zkSecurity, research advisor at Archetype, and author of the Real-World Cryptography book. I was previously a cryptography architect of Mina at O(1) Labs, the security lead for Libra/Diem at Facebook, and a security engineer at the Cryptography Services of NCC Group. Welcome to my blog about cryptography, security, and other related topics.

← back to all posts

Forward Secrecy

blog

I was asked during an interview how to build a system where Alice could send encrypted messages to Bob. And I was asked to think outloud.

So I imagined a system where both Alice and Bob would have a set of (public key, private key). I thought of RSA as they all use RSA but ECIES (Elliptic Curve Integrated Encryption Scheme) would be more secure for smaller keys. Although here ECIES is not a “pure” asymmetric encryption scheme and Elgamal with ECs might be better.

Once one wants to communicate he could send a “hello” request and a handshake protocol could take place (to generate a symmetric encryption key (called a session key in this case)).

I imagined that two session keys would be generated by each end. Different set of keys depending on the direction. One for encrypting the messages and one for making the MAC (that would be then appended to the encrypted message. So we EtM (Encrypt-then-Mac)).

Then those keys would be encrypted with the public signature of the other one and sent over the wire like this. And Let’s add a signature so we can get authentication and they also won’t get tampered. Let’s use ECDSA (Elliptic Curve Digital Signature Algorithm) for that.

Although I’m wondering if two symmetric keys for encrypting messages according to the direction is really useful.

I was then asked to think about renewal of keys. Well, the public keys of Alice and Bob are long term keys so I didn’t bother with that. About the symmetric keys? What about their TTL (Time To Live)?

My interviewer was nice enough to give me some clues: “It depends on the quantity of messages you encrypt in that time also.”

So I thought. Why not using AES in CTR mode. So that after a certain number of iteration we would just regenerate the symmetric keys.

I was then asked to think about Forward Secrecy.

Well I knew the problem it was solving but didn’t know it was solving it.

Mark Stamp (a professor of cryptography in California (how many awesome cryptography professors are in California? Seriously?)) kindly uploaded this video of one of his class on “Perfect Forward Secrecy”.

So here the trick would be to do an Ephemeral Diffie-Hellman to use a different session key everytime we send something.

This EDH would of course be encrypted as well by our public key system so the attacker would first need to get the private keys to see that EDH.

suggested reads:
Real World Crypto 2017: Day 2 blog
Fault attacks on RSA's signatures blog
Key Compromise Impersonation attacks (KCI) blog
← back to all posts blog • 2014-12-06
currently reading:
Forward Secrecy
12-06 blog
recent posts:
New cryptologie.net
07-20 blog
Weaponizing AI Assistants: With Their Permission
07-20 blog
What are Schwartz-Zippel circuits? How do they relate to iterative constraint systems?
05-29 blog
Short Note On Montgomery Reduction: Why Operating Modulo b?
05-24 blog
Still confused by Plonk's permutation?
03-13 blog
📖 my book
Real-World Cryptography is available from Manning Publications.
A practical guide to applied cryptography for developers and security professionals.
🎙️ my podcast
Two And A Half Coins on Spotify.
Discussing cryptocurrencies, databases, banking, and distributed systems.
📺 my youtube
Cryptography videos on YouTube.
Video explanations of cryptographic concepts and security topics.