On Tue, 17 Sep 2013 16:52:26 -0400 John Kemp <j...@jkemp.net> wrote:
> On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker
> <hal...@gmail.com> wrote:
> > The objective of PRISM-hardening is not to prevent an
> > attack absolutely, it is to increase the work factor for the
> > attacker attempting ubiquitous surveillance.
> >
> > Examples include:
> >
> > Forward Secrecy: Increases work factor from one public key per
> > host to one public key per TLS session.
>
> How does that work if one of PRISM's objectives is to compromise
> data _before_ it is transmitted by subverting its storage in one
> way or another?
>
> Forward secrecy does nothing to impact the "work factor" in that
> case.
So, PFS stops attackers from breaking all communications by simply
stealing endpoint RSA keys. You need some sort of side channel or
reduction of the RNG output space in order to break an individual
communication then. (Note that this assumes no cryptographic
breakthroughs like doing discrete logs over prime fields easily or
(completely theoretical since we don't really know how to do it)
sabotage of the elliptic curve system in use.)

Given that many real organizations have hundreds of front end machines
sharing RSA private keys, theft of RSA keys may very well be much
easier in many cases than broader forms of sabotage.

Perry
-- 
Perry E. Metzger		pe...@piermont.com
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
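The work-factor argument in this exchange (one stolen long-term key unlocking every recorded session versus one fresh key agreement per session) can be made concrete. The following Go program is an added illustration written for this page; it is not code from the thread or from any of the posters. It uses only the Go standard library (crypto/rsa, crypto/ecdh, crypto/sha256) and models two handshake designs in miniature: RSA key transport, where the client wraps a session key under the server's long-term key, and signed ephemeral X25519, where the long-term key only signs a per-session share. A passive recording of each handshake is kept, then "attacked" with the same long-term private key, standing in for the stolen front-end key Perry describes. The function and type names are this example's own, and hashing the raw shared secret with SHA-256 is a deliberately simplified stand-in for a real KDF.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newLongTermKey is the server's long-term RSA key: the artifact that, in the
// scenario under discussion, leaks from one of many front-end machines.
func newLongTermKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	return k
}

// transcript is everything a passive recorder captures from one handshake.
type transcript struct {
	wrappedKey   []byte // design 1: RSA-OAEP(sessionKey) under the long-term key
	serverEphPub []byte // design 2: X25519 public shares
	clientEphPub []byte
	sig          []byte // design 2: RSA-PSS signature over the server share
}

// Design 1: RSA key transport. One long-term key protects every session.
func rsaKeyTransport(longTerm *rsa.PrivateKey) (sessionKey []byte, t transcript) {
	sessionKey = make([]byte, 32)
	_, err := rand.Read(sessionKey)
	must(err)
	t.wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, &longTerm.PublicKey, sessionKey, nil)
	must(err)
	return sessionKey, t
}

// Design 2: signed ephemeral X25519. The long-term key only authenticates the
// server's share; fresh ephemeral key pairs are made per session and then dropped.
func signedEphemeralDH(longTerm *rsa.PrivateKey) (sessionKey []byte, t transcript) {
	curve := ecdh.X25519()
	serverEph, err := curve.GenerateKey(rand.Reader)
	must(err)
	clientEph, err := curve.GenerateKey(rand.Reader)
	must(err)
	t.serverEphPub = serverEph.PublicKey().Bytes()
	t.clientEphPub = clientEph.PublicKey().Bytes()
	digest := sha256.Sum256(t.serverEphPub)
	t.sig, err = rsa.SignPSS(rand.Reader, longTerm, crypto.SHA256, digest[:], nil)
	must(err)
	shared, err := serverEph.ECDH(clientEph.PublicKey())
	must(err)
	k := sha256.Sum256(shared) // simplified KDF: hash the raw shared secret
	// serverEph and clientEph fall out of scope here; nothing of them is recorded.
	return k[:], t
}

// attackKeyTransport: with the stolen key, one decryption per recording
// recovers that session's key. The cost of surveillance is one key theft.
func attackKeyTransport(stolen *rsa.PrivateKey, t transcript) []byte {
	k, err := rsa.DecryptOAEP(sha256.New(), nil, stolen, t.wrappedKey, nil)
	if err != nil {
		return nil
	}
	return k
}

// attackEphemeralDH: the stolen key only lets the attacker confirm the
// signature. ECDH needs one of the ephemeral private keys, and the recording
// holds neither, so no session key is derivable short of breaking the curve
// for that individual session. Returned sessionKey is therefore always nil.
func attackEphemeralDH(stolen *rsa.PrivateKey, t transcript) (sessionKey []byte, sigValid bool) {
	digest := sha256.Sum256(t.serverEphPub)
	sigValid = rsa.VerifyPSS(&stolen.PublicKey, crypto.SHA256, digest[:], t.sig, nil) == nil
	return nil, sigValid
}

// countRecovered runs n handshakes of each design, then replays the stolen
// long-term key against the recordings. Returns how many session keys each leaks.
func countRecovered(n int) (viaKeyTransport, viaEphemeralDH int) {
	longTerm := newLongTermKey()
	for i := 0; i < n; i++ {
		k1, t1 := rsaKeyTransport(longTerm)
		if bytes.Equal(attackKeyTransport(longTerm, t1), k1) {
			viaKeyTransport++
		}
		k2, t2 := signedEphemeralDH(longTerm)
		if got, _ := attackEphemeralDH(longTerm, t2); bytes.Equal(got, k2) {
			viaEphemeralDH++
		}
	}
	return viaKeyTransport, viaEphemeralDH
}

func main() {
	kt, dh := countRecovered(5)
	fmt.Printf("stolen long-term key recovers %d/5 key-transport sessions and %d/5 ephemeral-DH sessions\n", kt, dh)
}
```

The point the program makes is the one in the quoted exchange: under key transport the stolen key is a skeleton key for the whole recording, while under ephemeral DH it buys only signature verification (and the ability to impersonate the server going forward), not retroactive decryption. Perry's caveats still apply: a weak RNG behind the ephemeral shares, a side channel leaking them, or a break of the curve itself would collapse the per-session work factor.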