From: Eugen Leitl
To: cypherpunks@lists.cpunks.org
Subject: Re: [Cryptography] In the face of "cooperative" end-points, PFS doesn't help
Date: Mon, 09 Sep 2013 11:00:20 +0200
Message-ID: <20130909090020.GK10405@leitl.org>

----- Forwarded message from james hughes -----

Date: Sun, 08 Sep 2013 16:16:57 -0700
From: james hughes
To: "Marcus D. Leech"
Cc: cryptography(a)metzdowd.com
Subject: Re: [Cryptography] In the face of "cooperative" end-points, PFS doesn't help

On Sep 7, 2013, at 8:16 PM, "Marcus D. Leech" wrote:

> But it's not entirely clear to me that it will help enough in the scenarios under discussion. If we assume that mostly what NSA are doing is acquiring a site RSA key (either through "donation" on the part of the site, or through factoring or other means), then yes, absolutely, PFS will be a significant roadblock.
> If, however, they're getting session-key material (perhaps through back-doored software, rather than explicit cooperation by the target website), then PFS does nothing to help us. And indeed, that same class of compromised site could just as well be leaking plaintext. Although leaking session keys is lower-profile.

I think we are growing closer to agreement, PFS does help, the question is how much in the face of cooperation.

Let me suggest the following.

With RSA, a single quiet "donation" by the site and it's done. The situation becomes totally passive and there is no possibility of knowing what has been read. The system administrator could even do this without the executives knowing.

With PFS there is a significantly higher profile interaction with the site. Either the session keys need to be transmitted in bulk, or the RNG cribbed. Both of these have a significantly higher profile, higher possibility of detection and increased difficulty to execute properly. Certainly a more risky thing for a cooperating site to do.

PFS does improve the situation even if cooperation is suspect. IMHO it is just better cryptography. Why not?

It's better. It's already in the suites. All we have to do is use it...

I am honestly curious about the motivation not to choose more secure modes that are already in the suites?

----- End forwarded message -----

--
Eugen* Leitl leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
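Added illustration, not part of the thread above: a toy simulation of the point Hughes makes, that a single "donated" long-term RSA key lets a purely passive recorder reconstruct every RSA-transport session key, while recorded ephemeral-DH transcripts yield nothing to the same key holder. Textbook RSA with constructed tiny parameters and a small DH group are assumptions of this example and are far too weak for real use; TLS signatures, nonces and record encryption are omitted because they do not change the secrecy argument.

```python
"""Toy model: static RSA key transport vs ephemeral DH under a leaked long-term key."""
import hashlib
import secrets

# Constructed toy parameters (NOT secure): textbook RSA and a small DH group.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # server's long-term RSA private key
DH_P, DH_G = 2**127 - 1, 5             # Mersenne prime modulus and base (toy)


def kdf(premaster: int) -> bytes:
    """Derive the session key from the shared secret (stand-in for the TLS PRF)."""
    return hashlib.sha256(str(premaster).encode()).digest()


def rsa_transport_session():
    """TLS_RSA style: client picks the premaster and encrypts it to the server's
    public key. Returns (what a passive recorder sees, the derived session key)."""
    premaster = secrets.randbelow(N - 2) + 2
    transcript = {"enc_premaster": pow(premaster, E, N)}
    return transcript, kdf(premaster)


def dhe_session():
    """TLS_DHE style: both sides use fresh ephemeral exponents; the long-term
    key would only sign the exchange, so it never protects the secret itself."""
    a = secrets.randbelow(DH_P - 2) + 2
    b = secrets.randbelow(DH_P - 2) + 2
    transcript = {"g_a": pow(DH_G, a, DH_P), "g_b": pow(DH_G, b, DH_P)}
    return transcript, kdf(pow(transcript["g_b"], a, DH_P))


def recorder_with_donated_key(transcript):
    """Passive observer who was quietly handed the server's RSA private key D."""
    if "enc_premaster" in transcript:
        return kdf(pow(transcript["enc_premaster"], D, N))
    return None  # only g^a and g^b were recorded; D does not help


def recovered_fraction(session_fn, rounds: int = 20) -> float:
    """Fraction of recorded sessions whose key the observer reconstructs."""
    hits = 0
    for _ in range(rounds):
        transcript, real_key = session_fn()
        hits += recorder_with_donated_key(transcript) == real_key
    return hits / rounds


if __name__ == "__main__":
    print("RSA transport sessions recovered:", recovered_fraction(rsa_transport_session))
    print("DHE sessions recovered:", recovered_fraction(dhe_session))
```

The model deliberately leaves out the "higher profile" paths the post names (bulk session-key export, a cribbed RNG); those require active leakage from the site on every session, which is exactly the detection surface the post is contrasting with a one-time key donation.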