I think it's true. Here's an explanation: http://www.commandlineisking.com/2009/10/wire-shark-can-decrypt-ssl-traffic.html?m=1
Particularly of interest: It doesn't have enough information to derive the pre-master secret. It doesn't know about the secret keys of either party, as those are never sent across the network, only the public keys, and other Diffie-Hellman parameters have been sent across the wire. So again, it can't derive the pre-master secret and ultimately derive the encryption key(s). Also, those private keys are considered ephemeral, that is they are not stored anywhere, so after the key exchange and the session is over they will likely (hopefully) be destroyed never to be used again, and, in this case you'll gainPerfect Forward Secrecy. -- Sent from my iPhone, so please forgive spelling/brevity. On 14 Dec 2012, at 21:07, Peter Collins <hampshire....@mail-box.me.uk> wrote: > On 14/12/12 16:53, Benjie Gillam wrote: >> I think a Diffie-Hellman key exchange would mean even if you surrender your >> passwords/certificates/etc they still can't decode previously captured >> network data. Though I think it only works for "real time" communications >> where the key is destroyed after the communication has completed (e.g. SSL), >> so it'd protect you from man in the middle attacks when sending email to a >> trusted server, but it's not useful for storing said data securely. >> > > If this was true then it would prove that the CDB was useless and anyone > who was exchanging information of a sensitive nature could do so with > much hassle. > > > > -- > Please post to: Hampshire@mailman.lug.org.uk > Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire > LUG URL: http://www.hantslug.org.uk > --------------------------------------------------------------
-- Please post to: Hampshire@mailman.lug.org.uk Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire LUG URL: http://www.hantslug.org.uk --------------------------------------------------------------
