Is any encryption system that changes keys for each session "forward secure"?

Question

As far as i understand, a encryption system is forward secure if new session keys are generated for each session, which is also part of what wikipedia says about forward secrecy:

By generating a unique session key for every session a user initiates, the compromise of a single session key will not affect any data other than that exchanged in the specific session protected by that particular key.

So far, so good, but it is the definition that bugs me:

An encryption system has the property of forward secrecy if plain-text (decrypted) inspection of the data exchange that occurs during key agreement phase of session initiation does not reveal the key that was used to encrypt the remainder of the session.

1. In this way, shouldn't e.g. asymmetric encryption be forward secure even if we do NOT alter keys between sessions?

For asymmetric encryption, the data exchange during key agreement does NOT include the private key and also not necessarily the public key, hence a plain-text inspection of it does not reveal the key(s) that are used to encrypt the session...

If i interpret it as both keys shouldn't be send as plaintext, then an assumed asymmetric encryption that changes the private-public key pair for each session is also NOT forward secure, because the public key is always public.

2. Is the definition wrong or insufficient?

3. Is it sufficient to think that any encryption system that changes keys for each session is forward secure?

A crucial part is the discarding the keys after use. What is Perfect forward secrecy?.Thomas answer to Is forward secrecy overhyped or necessary? and a little deeper Is encrypted e-mail sent over TLS 1.3 a form of “forward secrecy” (similar to something like Signal)? — kelalaka, Oct 07 '20 at 21:29
I have read your answer before, the problem is that it is not clear what you mean by "after use". The simplest way to think is that every time the key is used to encrypt a message, so in that case even normal usage of DHE (e.g. in TLS 1.2) is NOT forward secure because the keys do not change for each message in the session. But TLS 1.2 is officially said to be forward secure when used with DHE (RFC 5246 - F.1.1.3.). Therefor i would assume "after use" means after each session which is NOT really "after use" BUT "after session". Or not? — goulashsoup, Oct 07 '20 at 21:58
There's also the extremely short maximum message length for almost any asymmetric encryption scheme to consider. EG RSA-OAEP with 2048-bit keys can encrypt at most 214 bytes, more realistically 190 bytes of data. That's enough for a symmetric key, but not much else. ECC via ElGamal is even less. So instead we exchange symmetric keys using asymmetric cryptography (Diffie-Hellman style, KEM style, or encrypting a symmetric key for some older systems) and use that for a "session". Each session is one use. — SAI Peregrinus, Oct 07 '20 at 22:18

Is any encryption system that changes keys for each session "forward secure"?

1. In this way, shouldn't e.g. asymmetric encryption be forward secure even if we do NOT alter keys between sessions?

2. Is the definition wrong or insufficient?

3. Is it sufficient to think that any encryption system that changes keys for each session is forward secure?

0 Answers0