At 06:49 PM 9/6/2013, Marcus D. Leech wrote:
It seems to me that while PFS is an excellent back-stop against NSA
having/deriving a website RSA key, it does *nothing* to prevent the kind of
"cooperative endpoint" scenario that I've seen discussed in other
forums, prompted by the latest revelations about what NSA has been up to.
But if your fave website (gmail, your bank, etc) is disclosing the
session-key(s) to the NSA,
Depends a lot on how cooperative they are. It's much easier to get a
subpoena/secret-order/etc. for "business records" that a company
keeps, which may include the long-term key, than to get one for
transient session keys that their software doesn't keep. Doesn't
mean they can't do it, but it's probably much easier to get an order
to produce plaintext, especially for a company like a bank or email
service where the plaintext is something they would be keeping, at
least briefly, as a business record anyway.
Do we now strongly suspect that NSA have a flotilla of TWIRL (or
similar) machines, so that active cooperation of websites isn't
to derive their (weaker) RSA secret keys?
Unlikely - the economics are still strongly against that. Keeping a
fleet of key cracking machines to grab long-term private keys from
high-value targets might make sense, but each long-term key gets used
to protect thousands or millions of transient session keys. If they
have 1024-bit RSA crackers at all, unless there's been a radical
breakthrough in factoring, they're still not fast.
I've always preferred RSA-signed Diffie-Hellmann to encrypted
session-key transfer when it's practical. The long-term keys only
get used for signatures, so if they're compromised they can only be
used to impersonate the endpoints, not to read previous sessions, and
under less-than-NSA versions of due process, it's a lot easier to
argue in court against a police agency that wants to impersonate you
than one that wants a copy of a transaction.
The cryptography mailing list