At 06:49 PM 9/6/2013, Marcus D. Leech wrote:
It seems to me that while PFS is an excellent back-stop against NSA having/deriving a website RSA key, it does *nothing* to prevent the kind of "cooperative endpoint" scenario that I've seen discussed in other forums, prompted by the latest revelations about what NSA has been up to. But if your fave website (gmail, your bank, etc) is disclosing the session-key(s) to the NSA,

Depends a lot on how cooperative they are. It's much easier to get a subpoena/secret-order/etc. for "business records" that a company keeps, which may include the long-term key, than to get one for transient session keys that their software doesn't keep. Doesn't mean they can't do it, but it's probably much easier to get an order to produce plaintext, especially for a company like a bank or email service where the plaintext is something they would be keeping, at least briefly, as a business record anyway.

Do we now strongly suspect that NSA have a flotilla of TWIRL (or similar) machines, so that active cooperation of websites isn't strictly necessary to derive their (weaker) RSA secret keys?

Unlikely - the economics are still strongly against that. Keeping a fleet of key cracking machines to grab long-term private keys from high-value targets might make sense, but each long-term key gets used to protect thousands or millions of transient session keys. If they have 1024-bit RSA crackers at all, unless there's been a radical breakthrough in factoring, they're still not fast.

I've always preferred RSA-signed Diffie-Hellman to encrypted session-key transfer when it's practical. The long-term keys only get used for signatures, so if they're compromised they can only be used to impersonate the endpoints, not to read previous sessions, and under less-than-NSA versions of due process, it's a lot easier to argue in court against a police agency that wants to impersonate you than one that wants a copy of a transaction.

The cryptography mailing list
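The distinction drawn in the reply above (a long-term key used only for signatures lets a later compromise forge handshakes but not decrypt recorded sessions, while a long-term key used for session-key transport exposes everything it ever protected) as an added worked example. This is not code from the thread or from any of the posters; every parameter is an assumption chosen for readability: textbook RSA with two ~20-bit primes, no padding, and a toy Diffie-Hellman group over the Mersenne prime 2^127-1. None of it is secure; it only makes the structural difference visible when a passive recorder later obtains the private exponent.

```python
"""Toy model: RSA key transport vs RSA-signed ephemeral Diffie-Hellman under
a later compromise of the server's long-term key.

Added example, not code from the mailing-list thread.  The RSA modulus, the
DH group and the "signature" are textbook and deliberately tiny (assumption:
demo parameters only, trivially breakable); they exist to show which
transcripts a leaked long-term key can and cannot open afterwards.
"""
import hashlib
import secrets

# Toy long-term RSA key of the server (assumption: ~20-bit primes, demo only).
P, Q = 1000003, 1000033            # both prime; the modulus is ~2^40
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: what a subpoena or cracker would yield

# Toy DH group (assumption: small Mersenne prime, generator 3, demo only).
DH_P = 2**127 - 1
DH_G = 3


def kdf(shared_secret: int) -> bytes:
    """Derive a 256-bit session key from an integer secret (demo KDF)."""
    return hashlib.sha256(str(shared_secret).encode()).digest()


def _digest_mod_n(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def rsa_sign(message: bytes, d: int = D) -> int:
    """Textbook RSA signature over SHA-256(message) reduced mod N (no padding)."""
    return pow(_digest_mod_n(message), d, N)


def rsa_verify(message: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest_mod_n(message)


def key_transport_session():
    """Client picks the session secret and RSA-encrypts it to the server.

    Returns (transcript as seen on the wire, session key both sides derive).
    The encrypted secret sits in the transcript forever.
    """
    secret = secrets.randbelow(N - 2) + 2
    transcript = {"mode": "transport", "enc_secret": pow(secret, E, N)}
    return transcript, kdf(secret)


def signed_dh_session():
    """Server signs its ephemeral DH value with the long-term key.

    The session secret is g^(ab); neither a nor b is ever written to the
    transcript, and both are discarded when the function returns.
    """
    a = secrets.randbelow(DH_P - 2) + 2      # client ephemeral
    b = secrets.randbelow(DH_P - 2) + 2      # server ephemeral
    g_a, g_b = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    bound = f"{g_a}|{g_b}".encode()          # signature binds both ephemerals to the server
    sig = rsa_sign(bound)
    if not rsa_verify(bound, sig):           # client-side check before using g_b
        raise ValueError("bad server signature")
    transcript = {"mode": "signed_dh", "g_a": g_a, "g_b": g_b, "sig": sig}
    client_key, server_key = kdf(pow(g_b, a, DH_P)), kdf(pow(g_a, b, DH_P))
    assert client_key == server_key
    return transcript, client_key


def passive_recovery(transcript, leaked_d):
    """What a recorder who later obtains the private exponent can do with a
    stored transcript.  Returns the session key, or None if it is out of reach."""
    if transcript["mode"] == "transport":
        return kdf(pow(transcript["enc_secret"], leaked_d, N))  # decrypt the stored handshake
    # Signed DH: the transcript holds g^a, g^b and a signature.  The leaked
    # exponent verifies or forges signatures; it says nothing about a or b.
    return None


def impersonation_with_leaked_key(leaked_d):
    """The thing a leaked signing key *does* buy: forging a fresh handshake.
    Returns True if a client would accept the attacker's ephemeral value."""
    g_a = pow(DH_G, secrets.randbelow(DH_P - 2) + 2, DH_P)   # honest client value
    g_b = pow(DH_G, secrets.randbelow(DH_P - 2) + 2, DH_P)   # attacker's own ephemeral
    bound = f"{g_a}|{g_b}".encode()
    return rsa_verify(bound, rsa_sign(bound, leaked_d))


if __name__ == "__main__":
    t1, k1 = key_transport_session()
    t2, k2 = signed_dh_session()
    print("transport session recovered:", passive_recovery(t1, D) == k1)
    print("signed-DH session recovered: ", passive_recovery(t2, D) == k2)
    print("future impersonation possible:", impersonation_with_leaked_key(D))
```

The three printed lines come out True, False, True: the recorder reads every stored key-transport session once it has the exponent, cannot read the signed-DH session, and can still forge the server's side of a new handshake, which is exactly the trade the reply above describes.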
