
🔥 Burn after Reading

Forward Secrecy Explained

In 15 minutes: Understand why compromising a key doesn't reveal past communications
Prerequisites: Ratcheting + Double Ratchet


🎯 The Simple Story

Alice sends Bob her password.

Without forward secrecy:

  • Eve steals Bob's device at message 10
  • The device holds the one key used for every message, so Eve decrypts message 1 (the password) with it
  • ❌ Past messages compromised!

With forward secrecy:

  • Eve steals Bob's device at message 10
  • The device holds only the key in use for message 10
  • The keys for messages 1-9 were deleted after use, so Eve cannot decrypt those ciphertexts
  • ✅ Past messages safe!

This assumes the device (or Eve's network capture) holds the ciphertexts but not the decrypted plaintexts. Forward secrecy is a property of the keys; it cannot protect a message that is still stored in the clear.

🧠 Mental Model

Hold this picture in your head:

Without Forward Secrecy:

Shared secret S (same for all messages)

Message 1: Encrypt with S → C1 (store C1)
Message 2: Encrypt with S → C2 (store C2)
...
Message 10: Encrypt with S → C10 (store C10)

Eve steals device: Has S
Eve can decrypt: C1..C10 (all messages!)

With Forward Secrecy:

Chain key CK1 (shared, from the Double Ratchet)

Message 1: (CK2, K1) = KDF(CK1), encrypt with K1 → C1, DELETE K1 and CK1
Message 2: (CK3, K2) = KDF(CK2), encrypt with K2 → C2, DELETE K2 and CK2
...
Message 10: (CK11, K10) = KDF(CK10), encrypt with K10 → C10, DELETE K10 and CK10

Eve steals device: No K1-K9 and no CK1-CK10 (already deleted!)
Eve has K10 (still in use) and CK11: Can decrypt C10
Eve can't decrypt: C1..C9 (keys gone, and the KDF cannot be run backwards)

Think of it like:

🔥 Burn after reading (Key used then incinerated)

🗑️ Disposable camera (One-time use)

📍 Time capsule (Can't go back to past)




🔢 The Math

With vs Without

Without forward secrecy:

S = KDF(RK)

Msg 1: Encrypt(msg1, S) → C1
Msg 2: Encrypt(msg2, S) → C2
Msg 10: Encrypt(msg10, S) → C10

Eve steals: Has S
Eve decrypts: msg1-msg10 (all!)

Compromise = 100% of conversation

With forward secrecy:

RK = KDF(DH_new) (root key, from X3DH)
CK1 = KDF(RK) (chain key for the first message of this chain)

Msg 1: (CK2, K1) = KDF(CK1), Encrypt(msg1, K1) → C1, Delete K1 and CK1
Msg 2: (CK3, K2) = KDF(CK2), Encrypt(msg2, K2) → C2, Delete K2 and CK2
Msg 10: (CK11, K10) = KDF(CK10), Encrypt(msg10, K10) → C10, Delete K10 and CK10

The message key must not be computable from anything still on the device. A scheme like K_i = KDF(RK, i) with RK kept around gives no forward secrecy at all: Eve recomputes every K_i from RK. The chain has to be stepped forward and the old chain key erased.

Eve steals: Has K10 (in use) and CK11
Eve decrypts: msg10
Eve can't decrypt: msg1..msg9 (K1-K9 and CK1-CK10 deleted; KDF is one-way)

Compromise = 1 past message (msg10). Messages sent later on the same chain are derivable from CK11 until the next DH ratchet step replaces it; closing that gap is the DH ratchet's job.
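A runnable version of the chain walked through above (and in the Mental Model section), added here as an example; it is not code from the original page or from any Signal implementation. It uses the symmetric-key ratchet step from the Double Ratchet specification (message key = HMAC(CK, 0x01), next chain key = HMAC(CK, 0x02)) and, so that it runs on the Python standard library alone, a toy HMAC-counter-mode cipher with an HMAC tag in place of a real AEAD. The initial chain key, the message texts and the `Chain`, `seal`, `open_` and `run_demo` names are constructed for this demo. It also goes one step beyond the text: besides showing that messages 1-9 stay unreadable, it shows that messages sent after the theft on the same chain are readable from the stolen chain key, which is the gap the DH ratchet closes.

```python
"""Forward secrecy from a KDF chain (symmetric-key ratchet). Added example; toy cipher."""
import hmac
import hashlib

HASH = hashlib.sha256


def kdf_ck(ck):
    """One ratchet step: this message's key and the next chain key.

    Constants 0x01 / 0x02 follow the Double Ratchet specification. HMAC-SHA256 is
    one-way, so holding (ck_next, mk) does not let anyone recompute ck.
    """
    mk = hmac.new(ck, b"\x01", HASH).digest()
    ck_next = hmac.new(ck, b"\x02", HASH).digest()
    return ck_next, mk


def _keystream(ek, counter, length):
    out = bytearray()
    block = 0
    while len(out) < length:
        info = counter.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(ek, info, HASH).digest()
        block += 1
    return bytes(out[:length])


def seal(mk, counter, plaintext):
    """Encrypt-then-MAC with keys split off mk. Toy construction (HMAC in counter
    mode plus an HMAC tag) so the demo has no dependencies; a real client uses an AEAD."""
    ek = hmac.new(mk, b"enc", HASH).digest()
    ak = hmac.new(mk, b"mac", HASH).digest()
    ks = _keystream(ek, counter, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(ak, counter.to_bytes(4, "big") + ct, HASH).digest()[:16]
    return ct + tag


def open_(mk, counter, blob):
    """Return the plaintext, or None when mk/counter do not match (tag check fails)."""
    if len(blob) < 16:
        return None
    ct, tag = blob[:-16], blob[-16:]
    ek = hmac.new(mk, b"enc", HASH).digest()
    ak = hmac.new(mk, b"mac", HASH).digest()
    expect = hmac.new(ak, counter.to_bytes(4, "big") + ct, HASH).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return None
    ks = _keystream(ek, counter, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class Chain:
    """A sending or receiving chain. It stores only the *current* chain key;
    next_key() overwrites it, so no earlier chain key survives on the device."""

    def __init__(self, ck):
        self.ck = ck

    def next_key(self):
        self.ck, mk = kdf_ck(self.ck)
        return mk


def run_demo(n_messages=12, steal_at=10):
    """Alice sends n_messages to Bob over one chain. While Bob is decrypting message
    steal_at, Eve images his device: she gets the message key in use and the current
    chain key, nothing older. Returns which messages Eve can read."""
    # Constructed for the demo; in the protocol this comes from the root key / DH step.
    ck0 = HASH(b"constructed initial chain key (demo only)").digest()
    alice, bob = Chain(ck0), Chain(ck0)
    plaintexts = {i: f"message {i}".encode() for i in range(1, n_messages + 1)}
    plaintexts[1] = b"My password is secret123"          # constructed sample content
    ciphertexts, stolen = {}, None
    for i in range(1, n_messages + 1):
        mk = alice.next_key()
        ciphertexts[i] = seal(mk, i, plaintexts[i])
        del mk                                           # sender burns the key after use
        mk = bob.next_key()
        if open_(mk, i, ciphertexts[i]) != plaintexts[i]:
            raise RuntimeError("chains diverged")
        if i == steal_at:
            stolen = {"mk_in_use": mk, "ck": bob.ck}      # Eve's snapshot of Bob's state
        del mk                                           # receiver burns it too

    # Eve's attack: the chain only runs forward, so she derives later keys, never earlier ones.
    eve_keys = {steal_at: stolen["mk_in_use"]}
    ck = stolen["ck"]
    for j in range(steal_at + 1, n_messages + 1):
        ck, mk = kdf_ck(ck)
        eve_keys[j] = mk
    recovered = [i for i, blob in ciphertexts.items()
                 if any(open_(k, i, blob) is not None for k in eve_keys.values())]
    hidden = [i for i in ciphertexts if i not in recovered]
    return {"recovered": recovered, "hidden": hidden}
```

`run_demo()` returns `{"recovered": [10, 11, 12], "hidden": [1, 2, ..., 9]}`: every stolen key fails the tag check against ciphertexts 1-9, and nothing in Eve's snapshot can be turned back into CK10 or K9. Messages 11 and 12 fall only because the demo never performs a DH ratchet step; a real session would replace CK11 with a fresh chain key on the next DH exchange.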

💡 Why Forward Secrecy?

Real-world impact:

Alice tells Bob:

  • Msg 1: "My password is secret123"
  • Msg 2: "My bank account is 12345"
  • ...
  • Msg 10: "I love you"

Without forward secrecy: Eve steals device → Reads all → All secrets compromised!

  • ❌ Alice's password exposed
  • ❌ Alice's bank account exposed
  • ❌ Alice's love letter exposed

With forward secrecy: Eve steals device → Reads msg 10 only ("I love you")

  • ✅ Password safe (K1 deleted)
  • ✅ Bank account safe (K2 deleted)
  • ❌ Love letter read (K10 still in use; compromise limited to msg 10)


✅ Quick Check

What does forward secrecy provide?

Compromise limits:

Compromise while message i is being processed = Eve gets K_i and the current chain key.

Past messages (1..i-1): Safe (K1-K(i-1) and the earlier chain keys are deleted, and the KDF cannot be reversed)
Future messages (i+1, ...): Not protected by forward secrecy alone. Eve can run the stolen chain key forward until the next DH ratchet step replaces it; recovering from that is the Double Ratchet's second property (post-compromise security), which comes from the DH ratchet, not from the KDF chain.

How to achieve?

K_i per message, each derived from a chain key that is advanced and then erased:

K1 used → delete
K2 used → delete
K3 used → delete
...

Can't recover K_(i-1) or the previous chain key from the current state (KDF is one-way).


📋 Key Takeaways

Forward secrecy = Compromise doesn't reveal past communications
Implementation: K_i derived from a chain key, used, then deleted (per message); the chain key is advanced and the old one erased
Benefit: Eve stealing the device reads the current message, not the earlier ones
Without: Same key S for all messages → all compromised
With: K_i per message → only the current message (and, until the next DH step, later ones on the same chain) at risk
KDF: One-way (can't reverse old K_i or old chain keys from the current state)


🎯 Summary

Forward secrecy is one of the two core properties of the Double Ratchet: the KDF chain gives it, and the DH ratchet adds recovery after a compromise.

Next: Advanced topics.