Written by Frequently changing keys also limits the exposure time of a key compromised by Mallory. If the extracted key is used only for a single communication session, Mallory cannot decrypt previous sessions and needs to repeat the extraction (and hope that her malware won’t be detected by Alice’s virus scanners, firewalls, and intrusion detection systems) to decrypt future sessions.
A cryptographic concept closely related to frequent key updates is the so-called ephemeral or session key. An ephemeral key is a key that is freshly generated for each new execution of a cryptographic protocol, for instance, for each new key agreement [63].
Ephemeral keys form the basis for forward secrecy, a security property of a cryptographic protocol that ensures that the compromise of long-term cryptographic secrets does not allow Eve to compromise previous sessions of the protocol. By generating a fresh key for every new session (and using the long-term secret for authentication only), a compromise of a single session key only affects data that is protected during that session by that particular key [187]. Moreover, even if a long-term secret is learned by Mallory, this will only affect future protocol sessions, because for them, entity authentication is compromised.
Intuitively, the term forward secrecy is somewhat misleading since it has the word ”forward” in it, but actually describes a security property of past sessions. Basically, the idea behind forward secrecy is that the entire message traffic prior to the compromise of the long-term key(s) cannot be easily decrypted by the attacker. That is, the communication between Alice and Bob is locked securely in the past.
Here, easily means that the attacker cannot efficiently decrypt the communication unless she knows a polynomial-time algorithm for solving the underlying mathematical problem of the cryptographic protocol. For example, the Discrete-Logarithm Problem (DLP) underlies the Diffie-Hellman (DH) key agreement protocol. An attacker would therefore need a polynomial-time algorithm to solve that problem.
For a long time, problems such as DLP were believed to be computationally intractable, because for decades (DH, for instance, was introduced in 1976), no one was able to come up with an efficient method of solving them. That is essentially the reason why such problems form the basis of widely used algorithms in TLS. However, things have changed with the advent of quantum computers and Shor’s algorithm [163]. Implemented on a quantum computer, Shor’s algorithm can solve the DLP (and also the factoring problem used in the RSA cryptosystem) efficiently, that is, in polynomial time. Currently, quantum computers are not able to process the large numbers used in modern cryptography, but this might change over the next 10-15 years. Accordingly, DLP and the factoring problem are put by complexity researchers into a complexity class of their own called bounded-error quantum polynomial-time (BQP), located somewhere between the complexity classes P (for polynomial time) and NP (for non-deterministic polynomial time) [123]. Of course, we will also need new, so-called post-quantum asymmetric algorithms for key exchange in due time, if only as insurance or fallback.