On Sep 7, 2013, at 1:50 PM, Peter Fairbrother <[email protected]> wrote:
> On 07/09/13 02:49, Marcus D. Leech wrote:
>> It seems to me that while PFS is an excellent back-stop against NSA
>> having/deriving a website RSA key, it does *nothing* to prevent the kind of
>> "cooperative endpoint" scenario that I've seen discussed in other
>> forums, prompted by the latest revelations about what NSA has been up to.
>
> True.
>
> But does it matter much? A cooperative endpoint can give plaintext no matter
> what encryption is used, not just session keys.
+1.
Cooperative endpoints offer no protection to any cryptography because they have
all the plaintext. One can argue that the subpoenas are just as effective as
cooperative endpoints. The reductio ad absurdum argument is that PFS is not
good enough in the face of subpoenas? I don't think cooperative endpoints are a
relevant point.
Passive monitoring and accumulation of cyphertext is a good SIGINT strategy.
Read about the VENONA project.
http://en.wikipedia.org/wiki/Venona_project
> Most decipherable messages were transmitted and intercepted between 1942 and
> 1945. […] These messages were slowly and gradually decrypted beginning in
> 1946 and continuing […] through 1980,
Clearly, the traffic was accumulated during a time when there was no known
attack.
While reusing OTP is not the fault here, PFS makes recovering information with
future key recovery harder, since a single key being recovered by whatever
means does not make old traffic more vulnerable.
This is not a new idea. The separation of key exchange from authentication
allows this. A router I did the cryptography for (first produced by Network
Systems Corporation in 1994) was very careful not to allow any old (i.e.
recorded) traffic to be vulnerable even if one or both end points were stolen
and all the key material extracted. The router used DH (both sides ephemeral)
for the key exchange and RSA for authentication and integrity. This work
actually predates IPSEC and is still being used.
http://www.blueridge.com/index.php/products/borderguard/borderguard-overview
I am getting from the list that there have been or are arguments that doing two
public key operations is too much. Is it really?
PFS may not be a panacea but does help.
_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography
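The design the post describes (both sides ephemeral DH for the key exchange, RSA only for authentication), set next to RSA key transport so the "stolen endpoint, recorded traffic" scenario can be run. This is an added example and not code from the post, the list, or the BorderGuard product; it assumes X25519 (RFC 7748) in place of the classic finite-field DH, a textbook unpadded RSA with toy-sized primes so it runs offline, and the function names, record layout and the recover_after_key_theft attacker routine are illustrative choices of mine.

```python
"""Signed ephemeral DH vs RSA key transport: what a stolen long-term key unlocks.
Added example, not the post's or BorderGuard's code; X25519 (RFC 7748) stands in
for classic DH, and the RSA is textbook with toy 256-bit primes. Demo only."""
import hashlib, hmac, random, secrets

P, A24, BASE = 2**255 - 19, 121665, (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: shared x-coordinate as 32 little-endian bytes."""
    k_int = (int.from_bytes(k, "little") & ((1 << 255) - 8)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:                                  # not constant-time: demo only
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e, c, d = (aa - bb) % P, (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _is_prime(n: int, rounds: int = 16) -> bool:   # trial division + Miller-Rabin
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits: int = 512):
    """Toy ((n, e), (n, d)); real keys are 2048 bits or more."""
    def prime() -> int:
        while True:
            c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_prime(c):
                return c
    p, q, e = prime(), prime(), 65537
    while p == q or (p - 1) * (q - 1) % e == 0:       # need gcd(e, phi) == 1
        q = prime()
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _h(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")
def rsa_sign(priv, msg: bytes) -> int:             # hash-then-sign, unpadded
    return pow(_h(msg), priv[1], priv[0])
def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == _h(msg)
def kdf(shared: bytes, transcript: bytes) -> bytes: # HKDF stand-in
    return hmac.new(shared, transcript, hashlib.sha256).digest()

def handshake_signed_dh(cli_priv, cli_pub, srv_priv, srv_pub):
    """Both sides ephemeral X25519, long-term RSA only signs the transcript.
    Returns (what a wire-tap records, the session key)."""
    ca, sb = secrets.token_bytes(32), secrets.token_bytes(32)  # ephemeral secrets
    ca_pub, sb_pub = x25519(ca, BASE), x25519(sb, BASE)
    transcript = b"signed-dh" + ca_pub + sb_pub
    rec = {"mode": "signed-dh", "cli_eph": ca_pub, "srv_eph": sb_pub,
           "sig_cli": rsa_sign(cli_priv, transcript), "sig_srv": rsa_sign(srv_priv, transcript)}
    if not (rsa_verify(cli_pub, transcript, rec["sig_cli"])
            and rsa_verify(srv_pub, transcript, rec["sig_srv"])):
        raise ValueError("handshake authentication failed")
    key = kdf(x25519(ca, sb_pub), transcript)
    assert key == kdf(x25519(sb, ca_pub), transcript)   # both ends agree; ca, sb then die
    return rec, key

def handshake_rsa_transport(srv_pub):
    """TLS-RSA style: client picks the key and encrypts it to the server's RSA key."""
    key = secrets.token_bytes(32)
    return {"mode": "rsa-transport", "wrapped": pow(int.from_bytes(key, "big"), srv_pub[1], srv_pub[0])}, key

def recover_after_key_theft(rec, stolen_srv_priv):
    """What a passive recorder learns once the server's long-term key is extracted."""
    if rec["mode"] == "rsa-transport":
        return pow(rec["wrapped"], stolen_srv_priv[1], stolen_srv_priv[0]).to_bytes(32, "big")
    return None   # signed-dh: needs ca or sb, which never left the endpoints' RAM

def demo() -> dict:
    srv_pub, srv_priv = rsa_keygen()
    cli_pub, cli_priv = rsa_keygen()
    rec_kt, key_kt = handshake_rsa_transport(srv_pub)
    rec_dh, key_dh = handshake_signed_dh(cli_priv, cli_pub, srv_priv, srv_pub)
    return {"transport_recovered": recover_after_key_theft(rec_kt, srv_priv) == key_kt,
            "dh_recovered": recover_after_key_theft(rec_dh, srv_priv) == key_dh}
```

demo() records one handshake of each kind, then hands the server's long-term private key to the attacker: the RSA-transport session key falls out directly, the signed-DH key does not, because the recorded ephemeral public values are useless without the ephemeral secrets. The signed-DH handshake is where the "two public key operations" cost comes from: each side signs once and verifies once per handshake, where key transport does one RSA operation per side; with the stolen signing key the attacker can impersonate future sessions, which the post does not dispute, but cannot open the recorded ones.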