[854] in cryptography@c2.net mail archive
Re: forward secrecy and email protocols
daemon@ATHENA.MIT.EDU (Hal Finney)
Fri May 16 13:46:17 1997
Date: Thu, 15 May 1997 19:13:11 -0700
From: Hal Finney <hal@rain.org>
To: cryptography@c2.net

One of the ideas we talked about on cypherpunks a while back was
to keep a session key around for each person you communicate with.
For each message, you use the session key, and then you run it through a
one-way function to derive the session key to use for the next message.
There would need to be an initial public key communication to set up
the session keys, but if the eavesdroppers didn't have access to that
(because it happened a long time ago) then you get forward secrecy.

Keeping session keys around per pair of users is inefficient, but really
no worse than storing a local copy of the public keys of everybody else
you communicate with. In practice you might only do it with people you
communicate with a lot, so the costs aren't too bad.

Actually Phil Zimmermann proposed a similar idea to me back when we were
developing PGP 2.0. We weren't really thinking about forward secrecy,
it's just that the math library we had then was slow, especially on
the 286 class machines which were common at the time, so the public key
calculations were time consuming. The idea of passing the key through
a one way function to get forward secrecy was the new angle we came up
with on cypherpunks.

Hal
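The per-correspondent key ratchet described in the message above, worked through as an added example (this is not Hal's code, nor anything from PGP). It assumes HMAC-SHA256 as the one-way function, an HMAC-based counter-mode keystream standing in for a real cipher so it runs on the standard library alone, and two things the post does not mention: a message index in the header so the receiver can ratchet forward over lost mail, and a cap (MAX_SKIP) on how far it will do so. The initial key and sample messages are constructed for the demo.

```python
"""Hash ratchet over a per-peer session key: each message gets the current
key, then the key is pushed through a one-way function and the old value
is discarded. Added example; all names and constants are illustrative."""

import hashlib
import hmac
import struct
from typing import Optional, Tuple

MAX_SKIP = 64  # assumption: furthest the receiver will ratchet ahead for lost messages


def ratchet(key: bytes, label: bytes) -> bytes:
    """One-way step: HMAC-SHA256 keyed with the current key over a label."""
    return hmac.new(key, label, hashlib.sha256).digest()


def advance(chain_key: bytes, steps: int) -> Tuple[bytes, bytes]:
    """Walk `steps` chain keys ahead, then return (message key, next chain key).
    Pure function, so a receiver can try a key without committing to it."""
    for _ in range(steps):
        chain_key = ratchet(chain_key, b"chain")
    return ratchet(chain_key, b"message"), ratchet(chain_key, b"chain")


class PeerState:
    """Everything one side keeps per correspondent. Old chain keys are never
    stored, which is what makes compromise of this state useless for old mail."""

    def __init__(self, initial_key: bytes):
        self.chain_key = initial_key  # agreed once via the public-key exchange
        self.counter = 0              # index of the next message key


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real stream cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def open_with(msg_key: bytes, header: bytes, ct: bytes, tag: bytes) -> Optional[bytes]:
    """Verify the tag under msg_key and decrypt; None if the tag does not match."""
    enc_key, mac_key = ratchet(msg_key, b"enc"), ratchet(msg_key, b"mac")
    expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, len(ct))))


def encrypt(state: PeerState, plaintext: bytes) -> bytes:
    """Use the current message key once, then ratchet the sender's state."""
    idx = state.counter
    msg_key, new_chain = advance(state.chain_key, 0)
    enc_key, mac_key = ratchet(msg_key, b"enc"), ratchet(msg_key, b"mac")
    header = struct.pack(">I", idx)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    state.chain_key, state.counter = new_chain, idx + 1  # old key is gone
    return header + ct + tag


def decrypt(state: PeerState, blob: bytes) -> Optional[bytes]:
    """Ratchet forward to the sender's index, verify, and only then commit,
    so a forged or garbled message cannot desynchronise the receiver."""
    if len(blob) < 4 + 32:
        return None
    idx = struct.unpack(">I", blob[:4])[0]
    header, ct, tag = blob[:4], blob[4:-32], blob[-32:]
    steps = idx - state.counter
    if steps < 0 or steps > MAX_SKIP:
        return None  # replayed/old message, or too far ahead to be plausible
    msg_key, new_chain = advance(state.chain_key, steps)
    plaintext = open_with(msg_key, header, ct, tag)
    if plaintext is None:
        return None
    state.chain_key, state.counter = new_chain, idx + 1
    return plaintext


def compromise_demo() -> Tuple[bool, bool]:
    """Steal the receiver's state after three messages and report
    (can the thief read past messages?, can the thief read future ones?)."""
    shared = hashlib.sha256(b"constructed initial key from the one-off exchange").digest()
    alice, bob = PeerState(shared), PeerState(shared)
    old = [encrypt(alice, m) for m in (b"first", b"second", b"third")]
    for blob in old:
        decrypt(bob, blob)
    stolen_chain, stolen_counter = bob.chain_key, bob.counter
    # Past: every message key the thief can derive from the stolen chain key
    # fails to verify any earlier ciphertext (hash steps only go forward).
    past = any(
        open_with(advance(stolen_chain, s)[0], b[:4], b[4:-32], b[-32:]) is not None
        for b in old for s in range(MAX_SKIP + 1)
    )
    thief = PeerState(stolen_chain)
    thief.counter = stolen_counter
    future = decrypt(thief, encrypt(alice, b"fourth")) == b"fourth"
    return past, future
```

The second half of the demo is the caveat a practitioner should carry away: a pure hash ratchet gives forward secrecy for mail already sent, but anyone holding the current chain key reads everything that follows until the next public-key setup. Later designs add a fresh Diffie-Hellman step to the chain for exactly that reason.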