<!DOCTYPE html> <html class=""> <head> <meta charset="utf-8"> <title>Perfect Forward Secrecy</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta property="description" content="Binding temporary authorization key to permanent ones."> <meta property="og:title" content="Perfect Forward Secrecy"> <meta property="og:image" content="a2b9f721d645a85533"> <meta property="og:description" content="Binding temporary authorization key to permanent ones."> <link rel="icon" type="image/svg+xml" href="/img/website_icon.svg?4"> <link rel="apple-touch-icon" sizes="180x180" href="/img/apple-touch-icon.png"> <link rel="icon" type="image/png" sizes="32x32" href="/img/favicon-32x32.png"> <link rel="icon" type="image/png" sizes="16x16" href="/img/favicon-16x16.png"> <link rel="alternate icon" href="/img/favicon.ico" type="image/x-icon" /> <link href="/css/bootstrap.min.css?3" rel="stylesheet"> <link href="/css/telegram.css?241" rel="stylesheet" media="screen"> <style> </style> </head> <body class="preload"> <div class="dev_page_wrap"> <div class="dev_page_head navbar navbar-static-top navbar-tg"> <div class="navbar-inner"> <div class="container clearfix"> <ul class="nav navbar-nav navbar-right hidden-xs"><li class="navbar-twitter"><a href="https://twitter.com/telegram" target="_blank" data-track="Follow/Twitter" onclick="trackDlClick(this, event)"><i class="icon icon-twitter"></i><span> Twitter</span></a></li></ul> <ul class="nav navbar-nav"> <li><a href="//telegram.org/">Home</a></li> <li class="hidden-xs"><a href="//telegram.org/faq">FAQ</a></li> <li class="hidden-xs"><a href="//telegram.org/apps">Apps</a></li> <li class="active"><a href="/api">API</a></li> <li class=""><a href="/mtproto">Protocol</a></li> <li class=""><a href="/schema">Schema</a></li> </ul> </div> </div> </div> <div class="container clearfix"> <div class="dev_page"> <div id="dev_page_content_wrap" class=" "> <div class="dev_page_bread_crumbs"><ul class="breadcrumb clearfix"><li><a href="/api" >API</a></li><i class="icon icon-breadcrumb-divider"></i><li><a href="/api/pfs" >Perfect Forward Secrecy</a></li></ul></div> <h1 id="dev_page_title">Perfect Forward Secrecy</h1> <div id="dev_page_content"><h5><a class="anchor" name="related-articles" href="#related-articles"><i class="anchor-icon"></i></a>Related articles</h5> <p><div class="dev_page_nav_wrap"></p> <ul> <li><a href="/api/end-to-end/pfs">Perfect Forward Secrecy in Secret Chats</a></li> <li><a href="/mtproto/security_guidelines">Security guidelines for developers</a></li> </ul> <p></div></p> <blockquote> <p><em>This article is about Perfect Forward Secrecy in cloud chats, see also <a href="/api/end-to-end/pfs">PFS in Secret Chats</a>.</em></p> </blockquote> <hr> <p>Telegram supports Perfect Forward Secrecy (PFS).</p> <p>To make this possible, the client generates a permanent authorization key using <strong>p_q_inner_data</strong> and a temporary key using <strong>p_q_inner_data_temp</strong>. (See <a href="/mtproto/auth_key">Creating an Authorization Key</a> for more info.) These 2 operations may be done in parallel using different connections. The client must save an <strong>expires_at</strong> unix timestamp <code>expires_at = time + expires_in</code>.</p> <p><strong>Important</strong>: in order to achieve PFS, the client must <strong>never</strong> use the permanent auth_key_id directly. Every message that is sent to MTProto, must be encrypted by a <strong>temp_auth_key_id</strong>, that was bound to the <strong>perm_auth_key_id</strong>.</p> <p>An unbound <strong>temp_auth_key_id</strong> may only be used with the following methods:</p> <ul> <li><a href="/method/auth.bindTempAuthKey">auth.bindTempAuthKey</a></li> <li><a href="/method/help.getConfig">help.getConfig</a></li> <li><a href="/method/help.getNearestDc">help.getNearestDc</a></li> </ul> <p>In order to bind a temporary authorization key to the permanent key the client creates a <a href="/method/auth.bindTempAuthKey#binding-message-contents">special binding message</a> and executes the <a href="/method/auth.bindTempAuthKey">auth.bindTempAuthKey</a> method using <strong>temp_auth_key</strong>. Once <strong>auth.bindTempAuthKey</strong> has been executed successfully, the client may continue using the API as usual; the client must also <a href="/api/invoking#saving-client-info">rewrite client info</a> using <a href="/method/initConnection">initConnection</a> after each binding. Each permanent key may only be bound to <strong>one</strong> temporary key at a time, binding a new temporary key overwrites the previous one.</p> <p>Once the temporary key expires, the client needs to generate a new temporary key using <strong>p_q_inner_data_temp</strong>. Then it needs to re-bind that new temporary key to the initial permanent key. A new key can also be generated in advance, so that the client has a new key ready by the time the old one has expired.</p> <p>For additional security, the client can store the temporary authorization key in RAM only and never save it in persistent storage.</p> <p>A temporary authorization key may expire at any moment before <strong>expires_at</strong>, since such keys are also stored only in the RAM on the server-side. Be prepared to handle resulting MTProto errors correctly (non-existent auth_key_id results in a 404 error).</p> </div> </div> </div> </div> <div class="footer_wrap"> <div class="footer_columns_wrap footer_desktop"> <div class="footer_column footer_column_telegram"> <h5>Telegram</h5> <div class="footer_telegram_description"></div> Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed. </div> <div class="footer_column"> <h5><a href="//telegram.org/faq">About</a></h5> <ul> <li><a href="//telegram.org/faq">FAQ</a></li> <li><a href="//telegram.org/privacy">Privacy</a></li> <li><a href="//telegram.org/press">Press</a></li> </ul> </div> <div class="footer_column"> <h5><a href="//telegram.org/apps#mobile-apps">Mobile Apps</a></h5> <ul> <li><a href="//telegram.org/dl/ios">iPhone/iPad</a></li> <li><a href="//telegram.org/android">Android</a></li> <li><a href="//telegram.org/dl/web">Mobile Web</a></li> </ul> </div> <div class="footer_column"> <h5><a href="//telegram.org/apps#desktop-apps">Desktop Apps</a></h5> <ul> <li><a href="//desktop.telegram.org/">PC/Mac/Linux</a></li> <li><a href="//macos.telegram.org/">macOS</a></li> <li><a href="//telegram.org/dl/web">Web-browser</a></li> </ul> </div> <div class="footer_column footer_column_platform"> <h5><a href="/">Platform</a></h5> <ul> <li><a href="/api">API</a></li> <li><a href="//translations.telegram.org/">Translations</a></li> <li><a href="//instantview.telegram.org/">Instant View</a></li> </ul> </div> </div> <div class="footer_columns_wrap footer_mobile"> <div class="footer_column"> <h5><a href="//telegram.org/faq">About</a></h5> </div> <div class="footer_column"> <h5><a href="//telegram.org/blog">Blog</a></h5> </div> <div class="footer_column"> <h5><a href="//telegram.org/apps">Apps</a></h5> </div> <div class="footer_column"> <h5><a href="/">Platform</a></h5> </div> <div class="footer_column"> <h5><a href="//telegram.org/press">Press</a></h5> </div> </div> </div> </div> <script src="/js/main.js?47"></script> <script>backToTopInit("Go up"); removePreloadInit(); </script> </body> </html> <!-- page generated in 6.51ms -->