DOC RABE Media - Fotolia

How can you use perfect forward secrecy for mobile security?

How can companies increase data protection in mobile communications environments and enhance perfect forward secrecy to safeguard user activity?

Encryption has long been upheld as the gold standard for data protection. Enterprises apply cryptography to encode high-value information, so only authorized users can access it. Simply put, when encryption is applied to protect communications, the message is scrambled, so unauthorized users can't intercept it. Only authorized users with the right keys can unlock and unscramble the message.

Hackers hit back

Unfortunately, as with virtually every other IT security mechanism, hackers have found ways to crack cryptocodes, breaching what is commonly thought of as fail-safe protection. 

While encryption codes can be difficult to crack, increasingly sophisticated cybercriminals are applying technology to accelerate the process. Armed with reverse-engineering tools, hackers can file through billions of key combinations in seconds. Increasingly, hackers also file away encrypted messages to crack later.

Perfect forward secrecy and other techniques

When hackers steal the private keys, they can unlock data from both encrypted future and past sessions. Cryptographers came up with a scheme to safeguard past-session data in the 1990s, but it was not widely implemented until well after the turn of this century.

That scheme, perfect forward secrecy (PFS), uses a mechanism to create a new key every time a user sends a new instant message. Today, it's primarily used to secure data communications in messaging apps, but its use is not widespread in other areas of web communications. Though every current browser can initiate a PFS session, many HTTP sites aren't compatible.

Users can also apply other good practices to avoid future issues, such as deleting decrypted messages or moving them to a more secure device.

Perfect forward secrecy support on a site can be tested with tools. Users can also apply other good practices to avoid future issues, such as deleting decrypted messages or moving them to a more secure device.

Double ratchet, meantime, is used to underpin secure mobile messaging apps, like Wickr and Signal. Double ratchet attaches a new encryption key for every individual message, even if the message is part of a string between two individuals.

Tools like these will help enterprises ensure their mobile data is protected, but organizations will always have to exercise an abundance of caution when sharing private information -- even when those communications are encrypted.

This was last published in January 2018

Dig Deeper on Network security