On Sep 7, 2013, at 8:16 PM, "Marcus D. Leech" <mle...@ripnet.com> wrote:

> But it's not entirely clear to me that it will help enough in the scenarios
> under discussion.  If we assume that mostly what NSA are doing is acquiring a
> site RSA key (either through "donation" on the part of the site, or through
> factoring or other means), then yes, absolutely, PFS will be a significant
> roadblock.
>    If, however, they're getting session-key material (perhaps through
> back-doored software, rather than explicit cooperation by the target
> website), then PFS does nothing to help us.  And indeed, that same class of
> compromised site could just as well be leaking plaintext.  Although leaking
> session keys is lower-profile.

I think we are growing closer to agreement, PFS does help, the question is how 
much in the face of cooperation. 

Let me suggest the following. 

With RSA, a single quiet "donation" by the site and it's done. The situation 
becomes totally passive and there is no possibility of knowing what has been read. 
The system administrator could even do this without the executives knowing. 

With PFS there is a significantly higher profile interaction with the site. 
Either the session keys need to be transmitted in bulk, or the RNG cribbed. 
Both of these have a significantly higher profile, higher possibility of 
detection and increased difficulty to execute properly. Certainly a more risky 
thing for a cooperating site to do. 

PFS does improve the situation even if cooperation is suspect. IMHO it is just 
better cryptography. Why not? 

It's better. It's already in the suites. All we have to do is use it... 

I am honestly curious about the motivation not to choose more secure modes that 
are already in the suites?
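The distinction the poster draws (one quiet key donation versus per-session leakage) can be made concrete with a small model. The following is an added example, not code from the thread or its participants; it uses constructed toy parameters (a tiny textbook RSA key and a small Diffie-Hellman group, insecure by design) and only the Python standard library. It records what crosses the wire under RSA key transport and under ephemeral DH, then asks what a passive recorder who later obtains the server's long-term private key can recover from that recording.

```python
"""Toy model of what a leaked long-term key lets a passive recorder decrypt.
All parameters are constructed and far too small to be secure; the point is
the shape of the two handshakes, not the arithmetic strength.
"""
import hashlib
import secrets

# Constructed toy long-term RSA key for the server (textbook RSA, no padding).
P, Q = 1000003, 1000033                # small primes, insecure by design
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python 3.8+)

# Constructed toy Diffie-Hellman group (a Mersenne prime, tiny for a toy).
DH_P = 2**127 - 1
DH_G = 2


def _h(x: int) -> int:
    """Hash an integer into the RSA message space (toy signature input)."""
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big") % N


def rsa_transport_handshake(client_secret: int):
    """RSA key transport: the client encrypts the session key to the server's
    long-term public key.  Returns (session_key, what_the_wire_shows)."""
    assert 0 < client_secret < N
    ciphertext = pow(client_secret, E, N)
    transcript = {"kind": "rsa", "ciphertext": ciphertext}
    return client_secret, transcript


def dhe_handshake(server_eph: int, client_eph: int):
    """Ephemeral DH: the long-term key only *signs* the server's share, so the
    session key itself never crosses the wire under that key."""
    ya = pow(DH_G, server_eph, DH_P)
    yb = pow(DH_G, client_eph, DH_P)
    sig = pow(_h(ya), D, N)                   # toy RSA signature on g^a
    assert pow(sig, E, N) == _h(ya)           # client checks the signature
    session_key = pow(yb, server_eph, DH_P)   # g^(ab)
    assert session_key == pow(ya, client_eph, DH_P)
    transcript = {"kind": "dhe", "ya": ya, "yb": yb, "sig": sig}
    return session_key, transcript


def recover_from_recording(transcript, leaked_eph=None):
    """What an adversary who recorded the transcript and later obtained the
    long-term private key D can recover.  For DHE, D alone is not enough: a
    per-session ephemeral secret must also have leaked (the 'session keys in
    bulk' case from the thread)."""
    if transcript["kind"] == "rsa":
        return pow(transcript["ciphertext"], D, N)   # the session key, directly
    if leaked_eph is not None:
        return pow(transcript["yb"], leaked_eph, DH_P)
    return None   # D only confirms the signature was genuine


def demo():
    """Run one session of each kind and report what the recording yields."""
    k_rsa, t_rsa = rsa_transport_handshake(secrets.randbelow(N - 1) + 1)
    a, b = secrets.randbits(120) | 1, secrets.randbits(120) | 1
    k_dhe, t_dhe = dhe_handshake(a, b)
    return {
        "rsa_recovered": recover_from_recording(t_rsa) == k_rsa,
        "dhe_recovered_with_D_only": recover_from_recording(t_dhe) == k_dhe,
        "dhe_recovered_with_leaked_eph": recover_from_recording(t_dhe, a) == k_dhe,
    }


if __name__ == "__main__":
    print(demo())
```

The RSA transcript is decryptable forever once D leaks, which is the "single quiet donation" case; the DHE transcript yields nothing to D alone and becomes readable only when a per-session ephemeral exponent (or the RNG that produced it) is also handed over, which is the higher-profile, ongoing leak the thread is describing.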

The cryptography mailing list