> Ian Grigg writes:
>>I note that disctinction well!  Certificate based systems
>>are totally vulnerable to a passive sniffing attack if the
>>attacker can get the key.  Whereas Diffie Hellman is not,
>>on the face of it.  Very curious...
> No, that is not accurate.  Diffie-Hellman is also insecure if the "private
> key" is revealed to the adversary.  The "private key" for Diffie-Hellman
> is the private exponent.  If you learn the private exponent that one
> endpoint used for a given connection, and if you have intercepted that
> connection, you can derive the session key and decrypt the intercepted
> traffic.

I wasn't familiar that one could think in those terms.  Reading
here:  http://www.rsasecurity.com/rsalabs/node.asp?id=2248 it

    In recent years, the original Diffie-Hellman protocol
    has been understood to be an example of a much more
    general cryptographic technique, the common element
    being the derivation of a shared secret value (that
    is, key) from one party's public key and another
    party's private key. The parties' key pairs may be
    generated anew at each run of the protocol, as in
    the original Diffie-Hellman protocol.

It seems the compromise of *either* exponent would lead to

> Perhaps the distinction you had in mind is forward secrecy.  If you use
> a different "private key" for every connection, then compromise of one
> connection's "private key" won't affect other connections.  This is
> true whether you use RSA or Diffie-Hellman.  The main difference is
> that in Diffie-Hellman, "key generation" is cheap and easy (just an
> exponentiation), while in RSA key generation is more expensive.

Yes.  So if a crypto system used the technique of using
Diffie-Hellman key exchange (with unique exponents for each
session), there would be no lazy passive attack, where I
am defining the lazy attack as a once-off compromise of a
private key.  That is, the attacker would still have to
learn the individual exponent for that session, which
(assuming the attacker has to ask for it of one party)
would be equivalent in difficulty to learning the secret
key that resulted and was used for the secret key cipher.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to