> Ian Grigg writes: >>I note that disctinction well! Certificate based systems >>are totally vulnerable to a passive sniffing attack if the >>attacker can get the key. Whereas Diffie Hellman is not, >>on the face of it. Very curious... > > No, that is not accurate. Diffie-Hellman is also insecure if the "private > key" is revealed to the adversary. The "private key" for Diffie-Hellman > is the private exponent. If you learn the private exponent that one > endpoint used for a given connection, and if you have intercepted that > connection, you can derive the session key and decrypt the intercepted > traffic.

I wasn't familiar that one could think in those terms. Reading here: http://www.rsasecurity.com/rsalabs/node.asp?id=2248 it says: In recent years, the original Diffie-Hellman protocol has been understood to be an example of a much more general cryptographic technique, the common element being the derivation of a shared secret value (that is, key) from one party's public key and another party's private key. The parties' key pairs may be generated anew at each run of the protocol, as in the original Diffie-Hellman protocol. It seems the compromise of *either* exponent would lead to solution. > Perhaps the distinction you had in mind is forward secrecy. If you use > a different "private key" for every connection, then compromise of one > connection's "private key" won't affect other connections. This is > true whether you use RSA or Diffie-Hellman. The main difference is > that in Diffie-Hellman, "key generation" is cheap and easy (just an > exponentiation), while in RSA key generation is more expensive. Yes. So if a crypto system used the technique of using Diffie-Hellman key exchange (with unique exponents for each session), there would be no lazy passive attack, where I am defining the lazy attack as a once-off compromise of a private key. That is, the attacker would still have to learn the individual exponent for that session, which (assuming the attacker has to ask for it of one party) would be equivalent in difficulty to learning the secret key that resulted and was used for the secret key cipher. iang --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]