On 10/02/2011 03:38 AM, Peter Gutmann wrote:
> Sandy Harris <[email protected]> writes:
>> What on Earth were the arguments against it? I'd have thought PFS was a
>> complete no-brainer.
> Two things, it's computationally very expensive, and most people have no idea
> what PFS is.
There's been one significant improvement since the 90s: Even the typical
MS Windows IT guy today will have at least played with Wireshark and may
have even set up certificates for something. I find an easy way to
explain PFS is "someone who gets a Wireshark capture won't be able to
decrypt it EVEN IF they somehow get the private key to the certificate."
There's an increasing awareness of data loss issues right now. I wonder
if DHE ciphersuites will become recognized as a best practice?
At the risk of feeding the conspiracy angle, I note that there is only
one stream cipher for SSL/TLS (RC4). All the others in common use are
CBC modes, with that same predictable IV weakness as IPsec (i.e. BEAST).
There are no DHE cipher suites defined for RC4. So if you want PFS, you
have to accept predictable IVs. If you want resistance to BEAST, you
have to give up PFS.
Personally, I don't interpret this as anything more than the IETF
process and some vendor biases back in the 90s. But it shows that
designing for this concept of 'agility' is important, in particular for
reasons you don't know at the time.
- Marsh
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
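The trade-off Marsh describes (DHE suites give forward secrecy but are CBC; the one stream cipher, RC4, has no DHE suite) is easy to check mechanically against a server's configured cipher list. The script below is an added illustration written for this page, not code from the thread or from OpenSSL. It assumes OpenSSL-style suite names such as "DHE-RSA-AES128-SHA", classifies each one by key exchange and encryption mode, and lists which suites give PFS without a chained (predictable) CBC IV at a given protocol version. The sample cipher list is constructed for the example. It goes one step beyond the 2011 message: at TLS 1.1 the CBC suites carry an explicit per-record IV, and at TLS 1.2 AEAD suites (GCM) exist, which is how the dilemma was later resolved.

```python
"""Classify TLS cipher suites by forward secrecy and encryption mode.

Added example for the mailing-list thread above, not the thread's own code.
Suite names follow the OpenSSL naming convention; SAMPLE_SUITES is a
constructed list, not a capture of any real server's configuration.
"""

# Ephemeral Diffie-Hellman key exchange: the session key is not derived from
# the certificate's private key, so a later key compromise does not decrypt
# a captured session (this is what the message calls PFS).
PFS_PREFIXES = ("DHE-", "ECDHE-")


def classify(name):
    """Describe one OpenSSL-style suite name: PFS, cipher mode, minimum TLS version."""
    upper = name.upper()
    if any(tok in upper for tok in ("GCM", "CCM", "CHACHA20")):
        mode, min_tls = "aead", "1.2"      # AEAD suites exist only from TLS 1.2
    elif "RC4" in upper:
        mode, min_tls = "stream", "1.0"    # the single stream cipher in TLS at the time
    elif any(tok in upper for tok in ("AES", "DES", "CAMELLIA", "SEED")):
        mode, min_tls = "cbc", "1.0"       # block cipher in CBC mode
    else:
        mode, min_tls = "unknown", "1.0"
    return {
        "suite": name,
        "pfs": upper.startswith(PFS_PREFIXES),
        "mode": mode,
        "min_tls": min_tls,
    }


def audit(suites, negotiated_tls="1.0"):
    """Classify each suite as it would behave when negotiated at the given version.

    TLS 1.0 chains the CBC IV from the last block of the previous record, which
    is the predictable-IV weakness behind BEAST. TLS 1.1 and later send an
    explicit per-record IV, so the same CBC suite is no longer flagged there.
    """
    rows = []
    for suite in suites:
        row = classify(suite)
        if row["min_tls"] > negotiated_tls:   # versions compare lexically ("1.2" > "1.0")
            continue                          # suite cannot be negotiated at this version
        row["predictable_iv"] = row["mode"] == "cbc" and negotiated_tls == "1.0"
        rows.append(row)
    return rows


def pfs_and_no_predictable_iv(suites, negotiated_tls="1.0"):
    """Suites that give forward secrecy without the chained-IV CBC weakness."""
    return [r["suite"] for r in audit(suites, negotiated_tls)
            if r["pfs"] and not r["predictable_iv"]]


# Constructed sample list (OpenSSL names), mixing DHE/CBC, RSA/CBC, RSA/RC4
# and one TLS 1.2 ECDHE/GCM suite.
SAMPLE_SUITES = [
    "DHE-RSA-AES256-SHA",
    "DHE-RSA-AES128-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
    "RC4-MD5",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

if __name__ == "__main__":
    for version in ("1.0", "1.1", "1.2"):
        print(f"TLS {version}:")
        for r in audit(SAMPLE_SUITES, version):
            flags = ("PFS " if r["pfs"] else "    ") + r["mode"].ljust(7)
            flags += " predictable-IV" if r["predictable_iv"] else ""
            print(f"  {r['suite']:<30} {flags}")
        print("  PFS without predictable IV:", pfs_and_no_predictable_iv(SAMPLE_SUITES, version) or "none")
```

Run at TLS 1.0 the sample list yields no suite that is both forward secret and free of the chained IV, which is exactly the choice the message describes; raising the negotiated version to 1.1 or 1.2 is what removes the conflict.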