$ public-key forward secrecy (PFS)
      (I) For a key agreement protocol based on asymmetric cryptography,
      the property that ensures that a session key derived from a set of
      long-term public and private keys will not be compromised if one
      of the private keys is compromised in the future.

This would disallow unauthenticated DH then.  There are no long-term
keys in that case.

      - One concept of "forward secrecy" is that, given observations of
        the operation of a key establishment protocol up to time t, and
        given some of the session keys derived from those protocol runs,
        you cannot derive unknown past session keys or future session
        keys.

Logically, forward secrecy would be secrecy forward in time.  That is,
information cannot be recovered once you go forward in time,
into the future.  Information today cannot be discovered from information
available tomorrow.

Likewise, backward secrecy would be secrecy backward in time.
Information cannot be recovered as you move backward in time, that is,
into the past.  Information today cannot be discovered from information
available yesterday.

      (C) Forward vs. backward: Experts are unhappy with the word
      "forward", because compromise of "this" encryption key also is not
      supposed to compromise the "previous" one, which is "backward"
      rather than forward.

No, that is forward secrecy.  Forward secrecy means today's information is
protected tomorrow.  Equivalently, yesterday's information is protected
today.  That is, yesterday's keys can't be recovered from knowledge of
today's.  This is forward secrecy.

Backward secrecy would mean that it is impossible to derive tomorrow's
keys from knowledge of today's.

It's easy to get these confused, because the existence of two reference
points creates two relative directions.  If one is forward of the other,
the other is backward from the first.  For consistency we adopt the
convention of measuring the direction from the point of view of when
the secret information exists.  Forward secrecy is secrecy against
attackers who are forward in time, that is, in the future.

It is unfortunate that what is basically a simple and well-defined
concept has led to so much confusion and inconsistency in usage.
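A constructed illustration of the two directions distinguished in the message above (added here; not code from the glossary draft or from the poster): a one-way hash-chain ratchet. Leaking today's chain key exposes tomorrow's message keys, so the chain has no backward secrecy in the poster's sense, but exposes none of yesterday's, which is forward secrecy, provided the old chain key was really erased. All function and class names are my own.

```python
import hashlib
import hmac
import os


def advance(chain_key: bytes) -> bytes:
    """One-way ratchet step: K_{i+1} = HMAC-SHA256(K_i, "ratchet")."""
    return hmac.new(chain_key, b"ratchet", hashlib.sha256).digest()


def message_key(chain_key: bytes) -> bytes:
    """Epoch key M_i = HMAC-SHA256(K_i, "msg"); K_i itself never encrypts."""
    return hmac.new(chain_key, b"msg", hashlib.sha256).digest()


class Ratchet:
    """Keeps only the current chain key; each step overwrites the old one."""

    def __init__(self, seed: bytes) -> None:
        self.chain_key = seed

    def next_message_key(self) -> bytes:
        mk = message_key(self.chain_key)
        self.chain_key = advance(self.chain_key)  # K_i erased, K_{i+1} kept
        return mk


def keys_derivable_from(chain_key: bytes, steps: int) -> list:
    """Everything an attacker holding K_t can compute: M_t, M_{t+1}, ..."""
    out, k = [], chain_key
    for _ in range(steps):
        out.append(message_key(k))
        k = advance(k)
    return out


def compromise_at(epochs_before: int, epochs_after: int, seed: bytes = None):
    """Run the ratchet, snapshot its state (the compromise), keep running,
    then report which past and future epoch keys the snapshot exposes."""
    r = Ratchet(seed or os.urandom(32))          # constructed random seed
    past = [r.next_message_key() for _ in range(epochs_before)]
    leaked_state = r.chain_key                   # attacker learns K_t only
    future = [r.next_message_key() for _ in range(epochs_after)]
    derived = set(keys_derivable_from(leaked_state, epochs_after))
    past_exposed = [m in derived for m in past]      # forward secrecy holds
    future_exposed = [m in derived for m in future]  # no backward secrecy
    return past_exposed, future_exposed


if __name__ == "__main__":
    print(compromise_at(3, 2))  # ([False, False, False], [True, True])
```

Recovering a past key from the leaked state would require inverting HMAC-SHA256, which is why the ratchet must overwrite K_i rather than merely stop using it.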
