On 07/09/13 02:49, Marcus D. Leech wrote:
It seems to me that while PFS is an excellent back-stop against NSA
having/deriving a website RSA key, it does *nothing* to prevent the kind of
"cooperative endpoint" scenario that I've seen discussed in other
forums, prompted by the latest revelations about what NSA has been up to.
But does it matter much? A cooperative endpoint can give plaintext no
matter what encryption is used, not just session keys.
Okay, that might be a little harder to do in bulk - but perhaps not that
much harder, depending on circumstances.
But if your fave website (gmail, your bank, etc) is disclosing the
session-key(s) to the NSA, or has deliberately-weakened session-key
some way, then PFS doesn't help you.
I agree that if the scenario is "NSA has a database of RSA keys of
'popular sites'" then PFS helps tremendously. But if the scenario goes
into the "cooperative endpoint" territory, then waving the PFS flag
is perhaps like playing the violin on the deck of the Titantic.
Do we now strongly suspect that NSA have a flotilla of TWIRL (or
similar) machines, so that active cooperation of websites isn't strictly
to derive their (weaker) RSA secret keys?
Maybe. Or maybe they have broken (the NIST curves for) ECDHE. Or maybe
it's something else.
Whatever, I don't think they would be asking for $5.2 billion plus (for
comparison, BULLRUN has an annual budget of $280 million) to spend on
developing "advanced cryptanalytic capabilities" for which it is useful
to "shape the worldwide cryptography marketplace to make it more
tractable to" unless it was against some sort of key establishment
mechanism in SSL/TLS.
I can't think of any other target which is worth that much money. Okay,
maybe I'm ignoring the "never underestimate what the enemy is willing to
spend" rule here, but..
Breaking a cipher like AES, 3DES or RC4 wouldn't give them nearly as
much access to plaintext as breaking a KEM - they would have to break
each ciphertext individually, whereas they would only need to break a
And most of their interception is passive, they just listen - you
generally need at least one plaintext/ciphertext pair to break a cipher
and find a session key, and most often they don't have the plaintext,
just the ciphertext.
You just need the right math (and/or maybe some input into curve
choices) to break a PK KEM, and find *all* the session keys it is used for.
(the $5.2 billion figure is from a NSA request for additional
congressional funding for "exciting new cryptanalytic capabilities" made
a few years ago, and leaked by a congressman)
-- Peter Fairbrother
The cryptography mailing list