On 10/02/2011 03:38 AM, Peter Gutmann wrote:
> Sandy Harris <[email protected]> writes:
>
>> What on Earth were the arguments against it? I'd have thought PFS was a
>> complete no-brainer.
>
> Two things: it's computationally very expensive, and most people have no idea
> what PFS is.

There's been one significant improvement since the 90s: Even the typical MS Windows IT guy today will have at least played with Wireshark and may have even set up certificates for something. I find an easy way to explain PFS is "someone who gets a Wireshark capture won't be able to decrypt it EVEN IF they somehow get the private key to the certificate."

There's an increasing awareness of data loss issues right now. I wonder if DHE ciphersuites will become recognized as a best practice?

At the risk of feeding the conspiracy angle, I note that there is only one stream cipher for SSL/TLS (RC4). All the others in common use are CBC modes, with that same predictable IV weakness as IPsec (i.e. BEAST). There are no DHE cipher suites defined for RC4. So if you want PFS, you have to accept predictable IVs. If you want resistance to BEAST, you have to give up PFS.

Personally, I don't interpret this as anything more than the IETF process and some vendor biases back in the 90s. But it shows that designing for this concept of 'agility' is important, in particular for reasons you don't know at the time.

- Marsh
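An added example in Go, not code from the thread or from either poster, for checking a server's configured suite list against the trade-off Marsh describes: it parses IANA-style cipher suite names to flag DHE/ECDHE key exchange (forward secrecy) and CBC, stream or AEAD cipher mode. The suite list is constructed; the TLS 1.2 GCM suite at the end shows how a later AEAD suite escapes the PFS-or-CBC dilemma, which is the agility point.

```go
package main

import (
	"fmt"
	"strings"
)

// SuiteInfo classifies one IANA-style suite name, TLS_<kx>_WITH_<cipher>_<mac>.
type SuiteInfo struct {
	ForwardSecrecy bool   // authenticated ephemeral DH key exchange (DHE_* / ECDHE_*)
	Mode           string // "CBC", "stream", "AEAD" or "unknown"
}

// Classify derives key-exchange and cipher-mode properties from the suite name.
func Classify(name string) SuiteInfo {
	info := SuiteInfo{Mode: "unknown"}
	parts := strings.SplitN(strings.TrimPrefix(name, "TLS_"), "_WITH_", 2)
	if len(parts) != 2 {
		return info
	}
	// DH_anon / ECDH_anon are ephemeral but unauthenticated, so they are not counted.
	info.ForwardSecrecy = strings.HasPrefix(parts[0], "DHE_") || strings.HasPrefix(parts[0], "ECDHE_")
	switch cipher := parts[1]; {
	case strings.Contains(cipher, "_CBC_"):
		info.Mode = "CBC" // chained IVs in TLS 1.0, explicit per-record IVs from TLS 1.1
	case strings.Contains(cipher, "_GCM_"), strings.Contains(cipher, "_CCM"):
		info.Mode = "AEAD"
	case strings.HasPrefix(cipher, "RC4_"):
		info.Mode = "stream"
	}
	return info
}

// PFSWithoutCBC returns the suites that give forward secrecy without using CBC mode.
func PFSWithoutCBC(names []string) []string {
	var out []string
	for _, n := range names {
		if s := Classify(n); s.ForwardSecrecy && s.Mode != "CBC" && s.Mode != "unknown" {
			out = append(out, n)
		}
	}
	return out
}

func main() {
	// Constructed sample: a typical 2011-era suite list, then the same list with one TLS 1.2 AEAD suite.
	old := []string{"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"}
	fmt.Println("2011-era list, PFS without CBC:", PFSWithoutCBC(old)) // prints []
	fmt.Println("with an AEAD suite:", PFSWithoutCBC(append(old, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")))
}
```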
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography