[Cryptography] In the face of "cooperative" end-points, PFS doesn't help

Eugen Leitl eugen@leitl.org
Mon Sep 9 02:00:20 PDT 2013


----- Forwarded message from james hughes <hughejp@mac.com> -----

Date: Sun, 08 Sep 2013 16:16:57 -0700
From: james hughes <hughejp@mac.com>
To: "Marcus D. Leech" <mleech@ripnet.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Subject: Re: [Cryptography] In the face of "cooperative" end-points, PFS doesn't help
X-Mailer: iPhone Mail (10B350)



On Sep 7, 2013, at 8:16 PM, "Marcus D. Leech" <mleech@ripnet.com> wrote:

> But it's not entirely clear to me that it will help enough in the scenarios under discussion. If we assume that mostly what NSA are doing is acquiring a site
> RSA key (either through "donation" on the part of the site, or through factoring or other means), then yes, absolutely, PFS will be a significant roadblock.
> If, however, they're getting session-key material (perhaps through back-doored software, rather than explicit cooperation by the target website), then
> PFS does nothing to help us. And indeed, that same class of compromised site could just as well be leaking plaintext. Although leaking session
> keys is lower-profile.

I think we are growing closer to agreement: PFS does help; the question is how much in the face of cooperation.

Let me suggest the following. 

With RSA, a single quiet "donation" by the site and it's done. The situation becomes totally passive and there is no possibility of knowing what has been read. The system administrator could even do this without the executives knowing.

With PFS there is a significantly higher profile interaction with the site. Either the session keys need to be transmitted in bulk, or the RNG cribbed. Both of these have a significantly higher profile, higher possibility of detection and increased difficulty to execute properly. Certainly a more risky thing for a cooperating site to do.

PFS does improve the situation even if cooperation is suspect. IMHO it is just better cryptography. Why not? 

It's better. It's already in the suites. All we have to do is use it... 

I am honestly curious about the motivation not to choose more secure modes that are already in the suites?



_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

----- End forwarded message -----
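As an added illustration of the distinction the thread argues over (this is not code from the thread or from either author): a toy model of RSA key transport beside ephemeral Diffie-Hellman, using constructed, deliberately tiny parameters, showing what a passive recorder who later receives the site's long-term RSA private key can recover from stored handshakes. In the RSA-transport case one donated key unlocks every recorded session; in the DHE case the donated key unlocks nothing recorded, so a cooperating site would have to export per-session keys (or weaken its RNG) instead.

```python
import hashlib
import secrets

# Constructed toy parameters, far below real-world sizes; only the structure matters.
RSA_P, RSA_Q, RSA_E = 61, 53, 17
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # site's long-term private exponent
DH_P = 2 ** 61 - 1  # a Mersenne prime used as a toy DH modulus
DH_G = 2


def kdf(secret: int) -> bytes:
    """Derive a session key from the handshake secret (stand-in for the TLS PRF)."""
    return hashlib.sha256(str(secret).encode()).digest()


def rsa_transport_session():
    """Client picks a premaster secret and sends it encrypted to the site's RSA key.
    Returns (what a wiretap sees, the session key both sides derive)."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    transcript = {"mode": "rsa", "enc_premaster": pow(premaster, RSA_E, RSA_N)}
    return transcript, kdf(premaster)


def dhe_session():
    """Both sides pick fresh ephemeral exponents; the long-term RSA key would only
    sign the site's share, so it never touches the shared secret."""
    a = secrets.randbelow(DH_P - 2) + 2
    b = secrets.randbelow(DH_P - 2) + 2
    share_a, share_b = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    transcript = {"mode": "dhe", "A": share_a, "B": share_b}
    return transcript, kdf(pow(share_b, a, DH_P))


def passive_decrypt(transcript, donated_rsa_d):
    """What a recorder holding only the donated long-term key gets from a stored transcript."""
    if transcript["mode"] == "rsa":
        premaster = pow(transcript["enc_premaster"], donated_rsa_d, RSA_N)
        return kdf(premaster)
    # DHE: the private exponent reveals neither ephemeral exponent, so the stored
    # handshake stays opaque; the site would have to leak each session key separately.
    return None


def demo():
    """Returns (rsa_session_recovered, dhe_session_recovered) for one session of each mode."""
    rsa_wire, rsa_key = rsa_transport_session()
    dhe_wire, dhe_key = dhe_session()
    return (passive_decrypt(rsa_wire, RSA_D) == rsa_key,
            passive_decrypt(dhe_wire, RSA_D) == dhe_key)
```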
-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5