On Sep 8, 2013, at 3:55 PM, Thor Lancelot Simon <t...@rek.tjls.com> wrote:
> I also wonder -- again, not entirely my own idea, my whiteboard partner
> can speak up for himself if he wants to -- about whether we're going
> to make ourselves better or worse off by rushing to the "safety" of
> PFS ciphersuites, which, with their reliance on DH, in the absence of
> good RNGs may make it *easier* for the adversary to recover our eventual
> symmetric-cipher keys, rather than harder!

I don't think you can do anything useful in crypto without some good source of 
random bits.  If there is a private key somewhere (say, used for signing, or 
the public DH key used alongside the ephemeral one), you can combine the hash 
of that private key into your PRNG state.  The result is that if your entropy 
source is bad, you get security to someone who doesn't compromise your private 
key in the future, and if your entropy source is good, you get security even 
against someone who compromises your private key in the future (that is, you 
get perfect forward secrecy).

> Thor

The cryptography mailing list

Reply via email to