OK, Ian and I are, rightly or wrongly, on the same page here. Obviously my choice of the word certificate has caused confusion.
[David Wagner] > This sounds very confused. Certs are public. How would > knowing a copy > of the server cert help me to decrypt SSL traffic that I have > intercepted? Yes, sorry, what I _meant_ was the whole certificate file, PFX style, also containing private keys. I assure you, I'm not confused, just perhaps guilty of verbal shortcuts. I should, perhaps, have not characterised myself as 'bumbling enthusiast', to avoid the confusion with 'idiot'. :/ [...] > Ian Grigg writes: > >I note that disctinction well! Certificate based systems > >are totally vulnerable to a passive sniffing attack if the > >attacker can get the key. Whereas Diffie Hellman is not, > >on the face of it. Very curious... > > No, that is not accurate. Diffie-Hellman is also insecure if > the "private > key" is revealed to the adversary. The "private key" for > Diffie-Hellman > is the private exponent. No, I'm not talking about escrowing DH exponents. I'm talking about modes like in IPSec-IKE where there is a signed DH exchange using ephemeral DH exponents - this continues to resist passive sniffing if the _signing_ keys have somehow been compromised, unless I have somehow fallen on my head and missed something. > Perhaps the distinction you had in mind is forward secrecy. Yes and no. Forward secrecy is certainly at the root of my question, with regards to the RSA modes not providing it and certain of the DH modes doing so. :) Thanks! ben --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]