On 07/09/13 02:49, Marcus D. Leech wrote:
It seems to me that while PFS is an excellent back-stop against NSA
having/deriving a website RSA key, it does *nothing* to prevent the kind of
   "cooperative endpoint" scenario that I've seen discussed in other
forums, prompted by the latest revelations about what NSA has been up to.


But does it matter much? A cooperative endpoint can give plaintext no matter what encryption is used, not just session keys.

Okay, that might be a little harder to do in bulk - but perhaps not that much harder, depending on circumstances.

But if your fave website (gmail, your bank, etc) is disclosing the
session-key(s) to the NSA, or has deliberately-weakened session-key
negotiation in
   some way, then PFS doesn't help you.

I agree that if the scenario is "NSA has a database of RSA keys of
'popular sites'" then PFS helps tremendously.  But if the scenario goes
   into the "cooperative endpoint" territory, then waving the PFS flag
is perhaps like playing the violin on the deck of the Titantic.

Do we now strongly suspect that NSA have a flotilla of TWIRL (or
similar) machines, so that active cooperation of websites isn't strictly
   to derive their (weaker) RSA secret keys?

Maybe. Or maybe they have broken (the NIST curves for) ECDHE. Or maybe it's something else.

Whatever, I don't think they would be asking for $5.2 billion plus (for comparison, BULLRUN has an annual budget of $280 million) to spend on developing "advanced cryptanalytic capabilities" for which it is useful to "shape the worldwide cryptography marketplace to make it more tractable to" unless it was against some sort of key establishment mechanism in SSL/TLS.

I can't think of any other target which is worth that much money. Okay, maybe I'm ignoring the "never underestimate what the enemy is willing to spend" rule here, but..

Breaking a cipher like AES, 3DES or RC4 wouldn't give them nearly as much access to plaintext as breaking a KEM - they would have to break each ciphertext individually, whereas they would only need to break a KEM once.

And most of their interception is passive, they just listen - you generally need at least one plaintext/ciphertext pair to break a cipher and find a session key, and most often they don't have the plaintext, just the ciphertext.

You just need the right math (and/or maybe some input into curve choices) to break a PK KEM, and find *all* the session keys it is used for.

(the $5.2 billion figure is from a NSA request for additional congressional funding for "exciting new cryptanalytic capabilities" made a few years ago, and leaked by a congressman)

-- Peter Fairbrother
The cryptography mailing list

Reply via email to