It seems to me that while PFS is an excellent back-stop against NSA having/deriving a website RSA key, it does *nothing* to prevent the kind of "cooperative endpoint" scenario that I've seen discussed in other forums, prompted by the latest revelations about what NSA has been up to.

But if your fave website (gmail, your bank, etc) is disclosing the session-key(s) to the NSA, or has deliberately-weakened session-key negotiation in
  some way, then PFS doesn't help you.

I agree that if the scenario is "NSA has a database of RSA keys of 'popular sites'" then PFS helps tremendously. But if the scenario goes deeper into the "cooperative endpoint" territory, then waving the PFS flag is perhaps like playing the violin on the deck of the Titantic.

Do we now strongly suspect that NSA have a flotilla of TWIRL (or similar) machines, so that active cooperation of websites isn't strictly necessary
  to derive their (weaker) RSA secret keys?

Marcus Leech
Principal Investigator
Shirleys Bay Radio Astronomy Consortium

The cryptography mailing list

Reply via email to