Forward secrecy without interactive key agreement
- Michael Rogers
- 2011-10-23 @ 18:19
I've run into a crypto problem that I hope someone on this list might
I'm working on a protocol in which two parties agree a long-term shared
secret. Each party may subsequently send chunks of data to the other.
The chunks of data may be carried over unidirectional transports, so the
parties can't interactively agree on ephemeral encryption and
authentication keys for each chunk.
Each time a chunk is sent, the sender derives fresh encryption and
authentication keys from the long-term shared secret and an outgoing
chunk counter. The recipient derives the same keys from the long-term
shared secret and an incoming chunk counter, and uses them to
authenticate and decrypt the chunk.
The problem is that there's no forward secrecy: if the long-term shared
secret is compromised then all previous chunks can be decrypted. So I'm
looking for a way to provide forward secrecy without interactive key
One possibility would be to derive an incoming secret and an outgoing
secret from the shared secret, such that Alice's incoming secret would
be equal to Bob's outgoing secret and vice versa. The shared secret
would then be destroyed - there would be no long-term shared secret.
The encryption and authentication keys for each chunk would be derived
from the outgoing (incoming) secret and the outgoing (incoming) chunk
counter. After sending a chunk, the outgoing secret would be replaced
with its own hash. Similarly, after receiving a chunk, the incoming
secret would be replaced with its own hash.
If the secrets were ever compromised, it would not be possible to
recover the secrets used to derive the keys for previous chunks. So
there would be forward secrecy for chunk n after chunk n + 1 had been
sent and received.
My concern here is with the use of repeated hashing. Is it safe to use a
hash function to generate a series of secrets in this way? Is there any
chance, for example, that the hash function could get caught in a cycle?
Hoping someone on the list can point me to a standard that uses hashing
in this way, or another way of generating an irreversible sequence of