Remailer passphrases
Perry E. Metzger
perry at piermont.com
Thu Mar 14 05:46:57 PST 1996
Bill Stewart writes:
> perry at piermont.com replied
> >Signed Diffie-Hellman key exchanges have the property known as
> >"Perfect Forward Secrecy". Even if the opponent gets your public keys
> >it still will not decrypt any traffic for him at all -- it just lets
> >him pretend to be you. Thats one reason why protocols like Photuris
> >and Oakley use the technique.
>
> DH key exchange is really only Exponentially Good Forward Secrecy,
> and in its primary use (exchanging keys for symmetric-key algorithms)
> the system is at best Good Enough Forward Secrecy.
No, signed D-H like STS is in fact perfect forward secrecy in the
sense that breaking the RSA keys gives you no information about the
session keys, and breaking one of the D-H exchanges does not (in
theory) give you any information about any of the others.
Perry
More information about the cypherpunks-legacy
mailing list