On 06/09/13 15:36, Perry E. Metzger wrote:
> One solution, preventing passive attacks, is for major browsers
> and websites to switch to using PFS ciphersuites (i.e. those
> based on ephemeral Diffie-Hellman key exchange).
> 
> It occurred to me yesterday that this seems like something all major
> service providers should be doing. I'm sure that some voices will say
> additional delay harms user experience. Such voices should be
> ruthlessly ignored.

Any additional delay will be short - after all, if forward secrecy by ephemeral key setup (I hate the term PFS, there is nothing perfect about it) is not used then you have to use something else - usually RSA - instead.

For a desktop, laptop, or even a decent mobile the difference is not noticeable in practice if the server is fast enough.

However, while the case for forward secrecy is easy to make, implementing it may be a little dangerous - if NSA have broken ECDH then
using it only gives them plaintext they maybe didn't have before.

Personally, operating on the assumption that NSA have not made a crypto break is something I'm not prepared to do. I just don't know what that break is. I think it's most likely RSA/DH or ECC, but could easily be wrong.

I don't really care if the "break" is non-existent, irrelevant or disinformation - beefing up today's crypto is only hard in terms of getting people to choose a new updated crypto, and then getting people to implement it. This happens every so often anyway.

One point which has been mentioned, but perhaps not emphasised enough - if NSA have a secret backdoor into the main NIST ECC curves, then even if the fact of the backdoor was exposed - the method is pretty well known - without the secret constants no-one _else_ could break ECC.

So NSA could advocate the widespread use of ECC while still fulfilling their mission of protecting US gubbmint communications from enemies foreign and domestic. Just not from themselves.

Looking at timing, the FIPS 186-3 curves were introduced in July 2009 - the first hints that NSA had made a cryptanalytic break came in early to mid 2010.

I'm still leaning towards RSA, but ...

-- Peter Fairbrother
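A constructed illustration (added here, not part of the thread) of the passive-recorder argument in both messages: sessions keyed by RSA key transport fall as soon as the server's long-term private key leaks, while recorded ephemeral-DH transcripts contain nothing that key can decrypt. All parameters are toy-sized and constructed; the long-term key's signing role in DHE is omitted because it does not change what a recorder can later recover.

```python
import secrets

# Constructed toy parameters (NOT secure): DH over the Mersenne prime 2^31-1,
# textbook RSA with p=61, q=53 (n=3233, e=17, d=2753).
P, G = 2**31 - 1, 7
RSA_N, RSA_E, RSA_D = 3233, 17, 2753


def rsa_transport_session():
    """RSA key transport: the client picks the session key and sends it
    encrypted under the server's long-term public key. Returns (transcript, key)."""
    k = secrets.randbelow(RSA_N - 2) + 2
    return {"kx": "rsa", "enc_key": pow(k, RSA_E, RSA_N)}, k


def ephemeral_dh_session():
    """DHE: both sides pick a fresh exponent, exchange g^a and g^b, derive
    g^ab and discard the exponents. Only public values are on the wire."""
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    A, B = pow(G, a, P), pow(G, b, P)
    key = pow(A, b, P)
    assert key == pow(B, a, P)  # both sides agree on the shared secret
    return {"kx": "dhe", "A": A, "B": B}, key


def recorder_recovers(transcript, leaked_rsa_d):
    """What a passive recorder learns about a stored session once the server's
    long-term private key leaks. RSA transport: just decrypt the stored
    ciphertext. DHE: no exponent was ever transmitted, so the leaked key is
    useless unless the discrete-log problem itself is broken (the thread's
    'if NSA have broken ECDH' caveat; toy sizes are of course brute-forceable)."""
    if transcript["kx"] == "rsa":
        return pow(transcript["enc_key"], leaked_rsa_d, RSA_N)
    return None


def simulate(n_sessions=5):
    """Record n sessions of each kind, then leak the long-term RSA key.
    Returns (rsa_sessions_recovered, dhe_sessions_recovered)."""
    recovered = {"rsa": 0, "dhe": 0}
    for _ in range(n_sessions):
        for make in (rsa_transport_session, ephemeral_dh_session):
            transcript, real_key = make()
            if recorder_recovers(transcript, RSA_D) == real_key:
                recovered[transcript["kx"]] += 1
    return recovered["rsa"], recovered["dhe"]


if __name__ == "__main__":
    print(simulate())  # (5, 0)
```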
The cryptography mailing list
