/* jquery */ /* jquery accordion style*/ /* jquery init */

22 December 2013

Perfect Forward Security

Material surrounding the NSA's PRISM and MUSCULAR programmes, exposed in the Edward Snowdon documents, have generated much consternation in the IT industry. And the public aren't at all happy with the alleged capture, storage and analysis of their communications either.

Major technology organisations felt compelled to conduct a top to bottom review of existing security systems. Many have decided to significantly enhance and extend data security.

High on the list is the introduction of an encryption strategy called 'Perfect Forward Security'.

Enhanced Encryption

So, what exactly is Perfect Forward Security (PFS)? And how does it help secure our data?

At its core PFS is based on the highly regarded and well proven public-key encryption system. A system that relies on a pair of mathematically related keys. If you'd like to understand the nitty gritty technical details of key exchange they are expertly explained in this Wiki entry.

Despite widespread adoption the key-exchange scenario does have a flaw. If a private key is compromised all data - past, present or future - encrypted with this key can be viewed in plain text. For example Microsoft's outlook.com email service has historically relied on a single master key.

But it doesn't have be like this. PFS is specifically designed to address this problem. Originally introduced way back in 1992 by Whitfield Diffie (the key-exchange co-inventor), Paul von Ooschot and Michael Weiner, PFS describes a session-based station-to-station protocol.

This protocol mandates that both ends of the network channel work together to generate a new key set for each separate communication session. This means that owning a compromised key only allows an attacker to access information for one specific communication session. The next session will be encrypted using a different key set. So, adopting PFS greatly enhances data security.

Unfortunately there is small additional processing cost to generating new keys. While this isn't welcome the PFS configuration can be adjusted based on circumstances. For example the sensitivity of the information being transmitted or the security policies of various organisations involved.

Work In Progress

Google was one of the first major players to adopt forward security technology. As far back as 2011 Google switched on PFS for secure socket layer (SSL) encryption on its secure Search, Google+, Gmail, Calendar, Docs and other web services. Now it's using PFS for all its data centre internal network traffic to counteract further surreptitious data collection.

Microsoft has started a multi-phase plan to securely encrypt all stored user content and associated data transfers at every global data centre by the end of 2014. Key targets for enhanced encryption are the Outlook.com email facility, Office365, SkyDrive cloud-based storage and the Windows Azure suite of online services.

Yahoo CEO Marissa Mayer responded to the NSA surveillance allegations with a blog post to assure customers that, "Yahoo has never given access to our data centres to the NSA or to any other government agency. Ever." Mayer went on to confirm that Yahoo will enhance it's SSL security with 2048-bit level keys by January 2014 and all worldwide Yahoo data flows by the end of Q1 2014.

Twitter's announcement appeared in late November confirming it had implemented PFS on its main website, mobile site and API feeds. The configuration ensures new encryption keys are generated every time the user log in.

More To Do

As you might expect from a defender of digital rights and freedoms the Electronic Frontier Foundation (EFF) is keen to push for even wider PFS adoption. In a post on the EFF website it suggests all technology companies should seriously consider going down the same forward security route.

Yet there's still a long way to go. At the time of this post some big technology names are only just starting to think about how they address this area. Yet by mid-2014 any major services not supporting PFS are likely to attract plenty of negative media coverage.

Read more analysis posts.