On Sep 7, 2013, at 1:50 PM, Peter Fairbrother <zenadsl6...@zen.co.uk> wrote:

> On 07/09/13 02:49, Marcus D. Leech wrote:
>> It seems to me that while PFS is an excellent back-stop against NSA
>> having/deriving a website RSA key, it does *nothing* to prevent the kind of
>>   "cooperative endpoint" scenario that I've seen discussed in other
>> forums, prompted by the latest revelations about what NSA has been up to.
> True.
> But does it matter much? A cooperative endpoint can give plaintext no matter 
> what encryption is used, not just session keys.
Cooperative endpoints offer no protection to any cryptography because they have 
all the plaintext. One can argue that the subpoenas are just as effective as 
cooperative endpoints. The reductio ad absurdum argument is that PFS is not 
good enough in the face of subpoenas? I don't think cooperative endpoints are a 
relevant point. 

Passive monitoring and accumulation of cyphertext is a good SIGINT strategy. 
Read about the VENONA project. 
> Most decipherable messages were transmitted and intercepted between 1942 and 
> 1945. […] These messages were slowly and gradually decrypted beginning in 
> 1946 and continuing […] through 1980,

Clearly, the traffic was accumulated during which time there was no known 

While reusing OTP is not the fault here, PFS makes recovering information with 
future key recovery harder, since a single key being recovered, with whatever 
means, does not make old traffic more vulnerable. 

This is not a new idea. The separation of key exchange from authentication 
allows this. A router I did the cryptography for (first produced by Network 
Systems Corporation in 1994) was very careful not to allow any old (i.e. 
recorded) traffic to be vulnerable even if one or both end points were stolen 
and all the key material extracted. The router used DH (both sides ephemeral) 
for the key exchange and RSA for authentication and integrity. This work 
actually predates IPSEC and is still being used.

I am getting from the list that there have been or are arguments that doing two 
public key operations is too much. Is it really? 

PFS may not be a panacea but does help.

The cryptography mailing list
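The post's central claim is that separating ephemeral key exchange from long-term authentication means a recorded transcript stays unreadable even if the long-term keys are later seized. The following added example (written for this page; it is not code from the author, the router mentioned, or the mailing list) models the two designs side by side in plain Python: a "static" handshake in which the server's long-term DH key is also used for key agreement (the same property RSA key transport has), and an "ephemeral" handshake in which both sides use fresh exponents and the long-term keys only authenticate the exchange. Assumptions: an HMAC under a long-term key stands in for the RSA signature, the group is the obsolete 768-bit RFC 2409 group 1 (used only so pure-Python exponentiation is instant), and the attacker model is exactly the one in the post: a recorded wire transcript plus all long-term secrets obtained afterwards.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "First Oakley Group" (768-bit MODP) prime with generator 2.
# Far too small for real use; chosen only so the demo runs instantly.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = (P.bit_length() + 7) // 8


def encode(n):
    """Fixed-width big-endian encoding of a group element for hashing/signing."""
    return n.to_bytes(NBYTES, "big")


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)


def derive_key(priv, peer_pub):
    """Session key = SHA-256 of the DH shared secret g^xy mod p."""
    return hashlib.sha256(encode(pow(peer_pub, priv, P))).digest()


def sign(auth_key, *parts):
    """Stand-in for the RSA signature: HMAC under a long-term authentication key."""
    return hmac.new(auth_key, b"|".join(parts), hashlib.sha256).digest()


def static_handshake(server_priv, server_pub):
    """Client picks a fresh exponent, but the server reuses its long-term DH key
    for key agreement. Returns (session key, what an eavesdropper records)."""
    c_priv, c_pub = dh_keypair()
    transcript = {"client_pub": c_pub, "server_pub": server_pub}
    return derive_key(c_priv, server_pub), transcript


def ephemeral_handshake(client_auth_key, server_auth_key):
    """Both sides use fresh exponents; long-term keys only sign the exchange.
    Returns (client's session key, server's session key, recorded transcript).
    The exponents c_priv/s_priv live only in this call and are never stored."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    transcript = {
        "client_pub": c_pub,
        "server_pub": s_pub,
        "client_sig": sign(client_auth_key, encode(c_pub), encode(s_pub)),
        "server_sig": sign(server_auth_key, encode(c_pub), encode(s_pub)),
    }
    return derive_key(c_priv, s_pub), derive_key(s_priv, c_pub), transcript


def recover_static(transcript, stolen_server_priv):
    """Recorded transcript + server long-term key seized later: the attacker
    just repeats the server's own computation and gets the session key."""
    return derive_key(stolen_server_priv, transcript["client_pub"])


def recover_ephemeral(transcript, stolen_auth_keys):
    """Recorded transcript + both long-term signing keys seized later. The
    attacker can re-check (or, from now on, forge) signatures, but the wire
    only carries g^x and g^y; without an exponent there is no g^xy to hash."""
    client_auth_key, server_auth_key = stolen_auth_keys
    c, s = encode(transcript["client_pub"]), encode(transcript["server_pub"])
    sigs_ok = (hmac.compare_digest(transcript["client_sig"], sign(client_auth_key, c, s))
               and hmac.compare_digest(transcript["server_sig"], sign(server_auth_key, c, s)))
    return {"signatures_verify": sigs_ok, "session_key": None}


if __name__ == "__main__":
    s_priv, s_pub = dh_keypair()
    key, wire = static_handshake(s_priv, s_pub)
    print("static key agreement, old session readable after key seizure:",
          recover_static(wire, s_priv) == key)
    c_auth, s_auth = secrets.token_bytes(32), secrets.token_bytes(32)
    ck, sk, wire = ephemeral_handshake(c_auth, s_auth)
    print("ephemeral DH, both sides agree:", ck == sk)
    print("ephemeral DH, old session readable after key seizure:",
          recover_ephemeral(wire, (c_auth, s_auth))["session_key"] is not None)
```

The cost the post asks about is visible in the code: the ephemeral design does two public-key operations per side (one exponentiation for key agreement, one signature, here an HMAC, for authentication) where the static design does one; what that buys is that `recover_static` succeeds and `recover_ephemeral` cannot, even with every long-term secret in hand.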
