----- Forwarded message from Adam Back <a...@cypherspace.org> -----

Date: Thu, 4 Jul 2013 20:33:50 +0200
From: Adam Back <a...@cypherspace.org>
To: Thierry Moreau <thierry.mor...@connotech.com>
Cc: Crypto discussion list <cryptogra...@randombit.net>
Subject: Re: [cryptography] SSL session resumption defective (Re: What project would you finance? [WAS: Potential funding for crypto-related projects])
User-Agent: Mutt/1.5.21 (2010-09-15)

I do not think it is a narrow difference.  End point compromise via
subpoena, physical seizing, or court mandated disclosure are far different
things than pre-emptive storing and later decryption.  The scale at which a
society will do them, and tolerate doing them given their inherently
increased visibility, is much curtailed.  Trying to do wide scale MITM is
much harder than hoovering ciphertext and then after the fact obtaining
keys by whatever method is expedient: legal/extra-legal, secret
particularized warrant, secret general warrants, government authorized
malware, etc.  All of these things are apparently happening on a scale larger
than authorized by society.

Having to physically seize systems, issue individualized subpoenas to a
generally public court process based on articulated suspicion creates a
natural balance vs general warrants that the US rightly fought a revolution
against my ancestors, the British, over.

Basically unless you think PRISM is a good idea, you should use DH.

On Thu, Jul 04, 2013 at 12:37:40PM -0400, Thierry Moreau wrote:
>> (The argument that other parts of the system are poorly secured, is not an
>> excuse; and anyway their failure modes are quite distinct).
> 
> In my opinion, when you consider the casual user needs, I see those
> arguments not at a top priority.

Subpoena resistance is a pretty high priority for end user systems.

>> Btw DH is not the only way to get forward secrecy; ephemeral (512-bit) RSA
>> keys were used as part of the now-defunct export ciphers, and the less well
>> known fact that you can extend forward secrecy using symmetric key one way
>> functions hash function k' = H(k), delete k.
> 
> Not completely by this counterexample: generate k, suffer from an
> enemy copy of system state including k, let k'=H(k), delete k', use
> k' in dangerous confidence. I mean the textbook PFS definition is
> not satisfied by k'=H(k).

I think you are confusing forward secrecy (aka backward security) with
backward secrecy (forward security).  Ross Anderson tried to improve things
with his forward secure/backward secure alternative terminology:

http://www.cypherspace.org/adam/nifs/refs/forwardsecure.pdf

Forward secrecy is a bad term from a mnemonic point of view, I think
Anderson's forward/backward security terms are better.  EDH provides both,
k'=H(k) provides only backward security (aka forward secrecy).  The point is
you do both; you can computationally afford to do k'=H(k) with an agile
key-schedule cipher like AES every minute or whatever.

Adam
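[Added example, not part of Adam's message or the original thread.] A toy Python model of the two update rules contrasted above: the pure hash ratchet k' = H(k), delete k, and the same ratchet with a fresh per-epoch secret mixed in, as an EDH exchange would contribute. The "fresh secret" is modelled with os.urandom bytes standing in for a DH shared secret (an assumption of the model, not real DH), and the initial key is a constructed sample. An attacker snapshot of the full state at epoch c is simulated, and the code counts which other epoch keys that snapshot lets the attacker compute. The pure ratchet gives backward security (forward secrecy in the usual terminology: earlier keys stay safe), but every later key follows from the snapshot; mixing in the ephemeral secret is what additionally protects the later keys.

```python
"""
Model of the two key-update rules discussed in the thread.

  hash ratchet:      k_{i+1} = H(k_i), then delete k_i
  ephemeral mixing:  k_{i+1} = H(k_i || s_i), with s_i a fresh per-epoch
                     secret (a stand-in for a DH shared secret; modelled
                     here with os.urandom, not real DH)

An attacker who copies the whole device state at epoch c obtains k_c.
compromise_report() counts how many earlier and later epoch keys that
snapshot lets the attacker derive using only the public update rule.
"""
import hashlib
import os


def H(*parts: bytes) -> bytes:
    """One-way function used for the ratchet (SHA-256 over labelled parts)."""
    return hashlib.sha256(b"|".join(parts)).digest()


def hash_ratchet(k0: bytes, epochs: int) -> list:
    """Epoch keys k_0 .. k_{epochs-1} with k_{i+1} = H(k_i)."""
    keys = [k0]
    for _ in range(epochs - 1):
        keys.append(H(b"ratchet", keys[-1]))
    return keys


def mixed_ratchet(k0: bytes, fresh_secrets: list) -> list:
    """Epoch keys where each step also absorbs a fresh secret s_i."""
    keys = [k0]
    for s in fresh_secrets:
        keys.append(H(b"mix", keys[-1], s))
    return keys


def attacker_forward_guess(k_c: bytes, epochs_ahead: int) -> list:
    """What an attacker holding only k_c (and no fresh secrets) can derive
    for the following epochs by applying the public ratchet rule."""
    return hash_ratchet(k_c, epochs_ahead + 1)[1:]


def compromise_report(keys: list, c: int) -> dict:
    """Given the real epoch keys and a state snapshot at epoch c, count the
    earlier and later keys the attacker ends up holding."""
    snapshot = keys[c]
    future = keys[c + 1:]
    guesses = attacker_forward_guess(snapshot, len(future))
    future_hits = sum(g == k for g, k in zip(guesses, future))
    # Earlier keys sit upstream of a one-way H; the attacker's view contains
    # only the snapshot and what is derivable forward from it, so the only
    # way an earlier key shows up is if it appears in that view.
    view = {snapshot, *guesses}
    past_hits = sum(k in view for k in keys[:c])
    return {
        "past_recovered": past_hits,
        "future_recovered": future_hits,
        "future_total": len(future),
    }


def demo(epochs: int = 8, c: int = 3) -> tuple:
    """Run both update rules with a snapshot at epoch c and report results."""
    k0 = H(b"constructed-initial-key")  # constructed sample, not a real key
    plain = compromise_report(hash_ratchet(k0, epochs), c)
    # Stand-in for per-epoch DH shared secrets the attacker never observes.
    fresh = [os.urandom(32) for _ in range(epochs - 1)]
    mixed = compromise_report(mixed_ratchet(k0, fresh), c)
    return plain, mixed


if __name__ == "__main__":
    plain, mixed = demo()
    print("hash ratchet only:     ", plain)
    print("ratchet + fresh secret:", mixed)
```

With the defaults (8 epochs, snapshot at epoch 3) the pure ratchet lets the attacker compute all 4 later keys and none of the 3 earlier ones; with a fresh secret mixed in at every step the snapshot yields none of the later keys either. Doing both, as the message suggests, is cheap: the hash step costs one SHA-256 per epoch, and the ephemeral exchange supplies the healing the hash step alone cannot.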
_______________________________________________
cryptography mailing list
cryptogra...@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5