PFS (cryptosystem)
Full name: Perfect Forward Secrecy.
In a cryptosystem with PFS, if one key is compromised, only the data encrypted with that key is compromised.
In some cryptosystems, keys are derived from an earlier key, so if that key is compromised, an attacker may gather enough information to derive the other keys.
Before PFS was introduced, the IPsec Phase 2 key was derived from the Phase 1 key; PFS makes the keys of the two IPsec phases independent. PFS is therefore used to improve security.
With PFS, a key grants access only to the data it protects: the material used to generate a key is used once, no other key is derived from it, and a cracked key does not affect the security of the other keys. The PFS property is provided by a fresh Diffie-Hellman (DH) exchange.
English: A cryptosystem in which, if one encryption key is compromised, only the data encrypted by that specific key is compromised. Some cryptosystems allow keys to be derived from previous keys, so that if one key is compromised, an attacker might have enough information to figure out the other keys and/or decrypt data encrypted using those keys. RFC 2409 describes PFS in detail.
PFS enhances security by using a different key for the IPsec Phase 1 and Phase 2 SAs. Without PFS, the same key material is used to establish the SAs in both phases. PFS ensures that a given IPsec SA key is not derived from any other secret (such as other keys). In other words, if someone were to break one key, PFS ensures that the attacker cannot derive the other keys from it. If PFS were not enabled, someone could hypothetically break the IKE SA secret key, copy all IPsec-protected data, and then use knowledge of the IKE SA secret to compromise the IPsec SAs set up by that IKE SA. With PFS, breaking IKE would not give an attacker immediate access to IPsec. The attacker would have to break each IPsec SA individually.
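As an added illustration (not part of the original text), the Quick Mode KEYMAT derivation from RFC 2409 section 5.5 with and without PFS, and a passive attacker who holds a compromised Phase 1 secret SKEYID_d plus a packet capture. The DH group is group 2 from RFC 2409; HMAC-SHA-256 as the prf, the 16-byte nonces and the SKEYID_d value are assumptions made for this simulation.

```python
import hashlib
import hmac
import secrets

# Group 2 (1024-bit MODP) from RFC 2409 section 6.2; its generator is 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
PROTO_ESP = b"\x03"  # PROTO_IPSEC_ESP, the protocol byte in the KEYMAT input

def prf(key, data):
    # RFC 2409 uses the negotiated HMAC as prf; HMAC-SHA-256 is assumed here.
    return hmac.new(key, data, hashlib.sha256).digest()

def dh_keypair():
    x = secrets.randbelow(P - 2) + 1          # private exponent in [1, P-2]
    return x, pow(G, x, P)

def keymat(skeyid_d, spi, ni, nr, g_xy=None):
    """Quick Mode KEYMAT (RFC 2409 5.5); the g(qm)^xy term is present only with PFS."""
    gxy = b"" if g_xy is None else g_xy.to_bytes(128, "big")
    return prf(skeyid_d, gxy + PROTO_ESP + spi + ni + nr)

def quick_mode(skeyid_d, spi, pfs):
    """Simulate one Phase 2 negotiation: returns the SA key and what a sniffer sees."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    wire = {"spi": spi, "ni": ni, "nr": nr}
    g_xy = None
    if pfs:                                   # fresh ephemeral DH for this SA only
        x, gx = dh_keypair()
        y, gy = dh_keypair()
        g_xy = pow(gy, x, P)                  # equals pow(gx, y, P) on the other side
        wire.update({"gx": gx, "gy": gy})     # public values only; x and y never leave
    return keymat(skeyid_d, spi, ni, nr, g_xy), wire

def passive_attacker(skeyid_d, wire):
    """Attacker holds the compromised Phase 1 secret SKEYID_d plus a packet capture."""
    if "gx" not in wire:                      # no PFS: every KEYMAT input is known
        return keymat(skeyid_d, wire["spi"], wire["ni"], wire["nr"])
    return None                               # PFS: g^xy is not on the wire

if __name__ == "__main__":
    skeyid_d = secrets.token_bytes(32)        # constructed stand-in for SKEYID_d
    spi = b"\x00\x00\x00\x01"
    for pfs in (False, True):
        key, wire = quick_mode(skeyid_d, spi, pfs)
        print(f"PFS={pfs}: attacker recovers SA key: {passive_attacker(skeyid_d, wire) == key}")
```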