----- Forwarded message from Adam Back <a...@cypherspace.org> -----

Date: Thu, 4 Jul 2013 20:33:50 +0200
From: Adam Back <a...@cypherspace.org>
To: Thierry Moreau <thierry.mor...@connotech.com>
Cc: Crypto discussion list <cryptogra...@randombit.net>
Subject: Re: [cryptography] SSL session resumption defective (Re: What project would you finance? [WAS: Potential funding for crypto-related projects])
User-Agent: Mutt/1.5.21 (2010-09-15)
I do not think it is a narrow difference. End point compromise via subpoena, physical seizing, or court mandated disclosure are far different things than pre-emptive storing and later decryption. The scale at which a society will do them, and tolerate doing them given their inherently increased visibility, is much curtailed. Trying to do wide scale MITM is much harder than hoovering ciphertext and then after the fact obtaining keys by whatever method is expedient: legal/extra-legal, secret particularized warrant, secret general warrants, government authorized malware, etc. All of these things are apparently happening on a scale larger than authorized by society. Having to physically seize systems, issue individualized subpoenas to a generally public court process based on articulated suspicion creates a natural balance vs general warrants that the US rightly fought a revolution against my ancestors, the British, over.

Basically unless you think PRISM is a good idea, you should use DH.

On Thu, Jul 04, 2013 at 12:37:40PM -0400, Thierry Moreau wrote:
>> (The argument that other parts of the system are poorly secured, is not an
>> excuse; and anyway their failure modes are quite distinct).
>
> In my opinion, when you consider the casual user needs, I see those
> arguments not at a top priority.

Subpoena resistance is a pretty high priority for end user systems.

>> Btw DH is not the only way to get forward secrecy; ephemeral (512-bit) RSA
>> keys were used as part of the now-defunct export ciphers, and the less well
>> known fact that you can extend forward secrecy using symmetric key one way
>> functions hash function k' = H(k), delete k.
>
> Not completely by this counterexample: generate k, suffer from an
> enemy copy of system state including k, let k'=H(k), delete k', use
> k' in dangerous confidence. I mean the textbook PFS definition is
> not satisfied by k'=H(k).

I think you are confusing forward secrecy (aka backward security) with backward secrecy (forward security). Ross Anderson tried to improve things with his forward secure/backward secure alternative terminology:

http://www.cypherspace.org/adam/nifs/refs/forwardsecure.pdf

Forward secrecy is a bad term from a mnemonic point of view; I think Anderson's forward/backward security terms are better. EDH provides both, k'=H(k) provides only backward security (aka forward secrecy). The point is you do both; you can computationally afford to do k'=H(k) with an agile key-schedule cipher like AES every minute or whatever.

Adam

_______________________________________________
cryptography mailing list
cryptogra...@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5

--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
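The k' = H(k) ratchet discussed above, run over a few epochs so the asymmetry Adam Back describes can be observed on captured ciphertext. This is an added example written for this page, not code from the mailing-list thread or from any of its participants. It assumes a toy encrypt-then-MAC construction built from HMAC-SHA256 (standing in for the AES Adam mentions), a constructed session secret `K0` standing in for a DH output, and, in the second variant, `os.urandom` standing in for a fresh per-epoch ephemeral DH secret that both ends derive and neither stores; that second variant goes slightly beyond the thread to show why mixing in fresh key agreement closes off the future epochs that the plain hash ratchet leaves exposed.

```python
import hashlib
import hmac
import os

# Added example (not from the mailing-list post): the k' = H(k) key ratchet
# run over several epochs, then a seizure of device state at one epoch.

TAG_LEN = 32
# Constructed session secret; in practice this would be a DH shared secret.
K0 = hashlib.sha256(b"constructed demo session secret").digest()


def ratchet(k: bytes, fresh: bytes = b"") -> bytes:
    """One ratchet step. With fresh == b"" this is exactly k' = H(k).
    With fresh set it is k' = H(k || fresh); in a real protocol fresh would be a
    new ephemeral DH shared secret for the epoch (assumption of this example)."""
    return hashlib.sha256(b"ratchet|" + k + fresh).digest()


def _keystream(key: bytes, epoch: int, n: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode, standing in for AES.
    out, block = b"", 0
    while len(out) < n:
        msg = b"enc|" + epoch.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:n]


def seal(key: bytes, epoch: int, msg: bytes) -> bytes:
    """Encrypt-then-MAC under the epoch key; the epoch number is bound into both."""
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, epoch, len(msg))))
    tag = hmac.new(key, b"mac|" + epoch.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return ct + tag


def open_(key: bytes, epoch: int, blob: bytes):
    """Return the plaintext, or None if the key (or epoch) does not verify."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, b"mac|" + epoch.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, epoch, len(ct))))


def run_session(k0: bytes, epochs: int, mix_fresh: bool):
    """Sender sends one message per epoch, then ratchets and deletes the old key.
    Returns the captured ciphertexts (what a passive collector hoovers up) and the
    per-epoch keys, kept only so the demo can model a seizure at a chosen epoch."""
    records, keys, k = [], [], k0
    for e in range(epochs):
        keys.append(k)
        records.append((e, seal(k, e, b"message for epoch %d" % e)))
        # os.urandom stands in for a fresh ephemeral DH output that both ends
        # derive for this epoch and never store (assumption of this example).
        k = ratchet(k, os.urandom(32) if mix_fresh else b"")
    return records, keys


def decryptable_epochs(seized_key: bytes, seized_epoch: int, records, horizon: int) -> set:
    """The attacker seized device state at seized_epoch (holding only the current
    key), ratchets it forward with k' = H(k) up to the horizon, and tries every
    derived key on every captured record. Returns the epochs that opened."""
    candidates = [seized_key]
    for _ in range(horizon - seized_epoch):
        candidates.append(ratchet(candidates[-1]))
    opened = set()
    for epoch, blob in records:
        if any(open_(k, epoch, blob) is not None for k in candidates):
            opened.add(epoch)
    return opened


def demo(mix_fresh: bool, epochs: int = 8, seize_at: int = 5) -> set:
    records, keys = run_session(K0, epochs, mix_fresh)
    return decryptable_epochs(keys[seize_at], seize_at, records, epochs - 1)


if __name__ == "__main__":
    # Plain k' = H(k): the past stays sealed (backward security, i.e. the usual
    # "forward secrecy"), but every later epoch falls with the seized key.
    print("k'=H(k), seized at epoch 5:        ", sorted(demo(mix_fresh=False)))  # [5, 6, 7]
    # Mixing a fresh per-epoch secret (what EDH supplies) also cuts off the future.
    print("k'=H(k||fresh), seized at epoch 5: ", sorted(demo(mix_fresh=True)))   # [5]
```

The first run is Thierry's counterexample made concrete: whoever copies the state at epoch 5 reads epochs 5, 6 and 7 by ratcheting forward, yet cannot reach epochs 0 to 4 because H is one-way and those keys were deleted. The second run is the "do both" Adam recommends: once each epoch mixes in a secret the seized device never held, the same seizure yields only the current epoch.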