[146682] in cryptography@c2.net mail archive
Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd:
daemon@ATHENA.MIT.EDU (Peter Fairbrother)
Fri Sep 6 16:23:01 2013
X-Original-To: cryptography@metzdowd.com
Date: Fri, 06 Sep 2013 19:33:25 +0100
From: Peter Fairbrother <zenadsl6186@zen.co.uk>
To: "Perry E. Metzger" <perry@piermont.com>
In-Reply-To: <20130906103607.0a876c6d@jabberwock.cb.piermont.com>
Cc: Cryptography Mailing List <cryptography@metzdowd.com>,
james hughes <hughejp@mac.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On 06/09/13 15:36, Perry E. Metzger wrote:
>>> One solution, preventing passive attacks, is for major browsers
>>> and websites to switch to using PFS ciphersuites (i.e. those
>>> based on ephemeral Diffie-Hellman key exchange).
>
> It occurred to me yesterday that this seems like something all major
> service providers should be doing. I'm sure that some voices will say
> additional delay harms user experience. Such voices should be
> ruthlessly ignored.
Any additional delay will be short - after all, if forward secrecy by
ephemeral key setup (I hate the term PFS, there is nothing perfect about
it) is not used then you have to use something else - usually RSA -
instead.
For a desktop, laptop, or even a decent mobile the difference is not
noticeable in practice if the server is fast enough.
However, while the case for forward secrecy is easy to make,
implementing it may be a little dangerous - if NSA have broken ECDH then
using it only gives them plaintext they maybe didn't have before.
Personally, operating on the assumption that NSA have not made a crypto
break is something I'm not prepared to do. I just don't know what that
break is. I think it's most likely RSA/DH or ECC, but could easily be
wrong.
I don't really care if the "break" is non-existent, irrelevant or
disinformation - beefing up today's crypto is only hard in terms of
getting people to choose a new updated crypto, and then getting people
to implement it. This happens every so often anyway.
One point which has been mentioned, but perhaps not emphasised enough -
if NSA have a secret backdoor into the main NIST ECC curves, then even
if the fact of the backdoor was exposed - the method is pretty well
known - without the secret constants no-one _else_ could break ECC.
So NSA could advocate the widespread use of ECC while still fulfilling
their mission of protecting US gubbmint communications from enemies
foreign and domestic. Just not from themselves.
Looking at timing, the FIPS 186-3 curves were introduced in July 2009 -
the first hints that NSA had made a cryptanalytic break came in early to
mid 2010.
I'm still leaning towards RSA, but ...
-- Peter Fairbrother
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
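The contrast the message draws between RSA key transport and ephemeral Diffie-Hellman, worked through as an added example; this is not part of the original post or of any TLS implementation. It models a passive recorder who later obtains the server's long-term private key (the scenario forward secrecy is meant to defeat). Assumptions are mine: textbook RSA with two Mersenne primes and no padding, the 1024-bit MODP group 2 of RFC 2409 for DH, SHA-256 as a stand-in for the TLS key derivation, and all function names. None of this is fit for real use; it only shows which transcripts the long-term key unlocks.

```python
"""Toy model of why ephemeral key exchange gives forward secrecy.

Two ways to agree a TLS session key, then a recorder who later obtains the
server's long-term private key:
  - RSA key transport: the client encrypts a premaster secret to the server's
    long-term RSA key.  Anyone who later gets that key decrypts every
    recorded session.
  - DHE: both sides use fresh one-off exponents; the long-term key only
    signs the exchange.  Recovering it later reveals nothing about past keys.
RSA here is textbook (no padding, small Mersenne primes) and the DH group is
RFC 2409 group 2.  Both are assumptions made for illustration only.
"""
import hashlib
import secrets
from typing import Optional

# RFC 2409 group 2 (1024-bit MODP), generator 2.  Demo parameters only.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def kdf(premaster: int) -> bytes:
    """Stand-in for the TLS PRF: derive a session key from the premaster."""
    return hashlib.sha256(premaster.to_bytes(256, "big")).digest()


# Long-term server RSA key (toy: Mersenne primes 2^89-1 and 2^107-1, e=65537).
RSA_P, RSA_Q, RSA_E = (1 << 89) - 1, (1 << 107) - 1, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))


def rsa_transport_session():
    """RSA key exchange: returns (session_key, what a passive recorder sees)."""
    premaster = secrets.randbits(128)             # client's random premaster (< RSA_N)
    ciphertext = pow(premaster, RSA_E, RSA_N)     # ClientKeyExchange on the wire
    return kdf(premaster), {"ciphertext": ciphertext}


def dhe_session():
    """Ephemeral DH: returns (session_key, what a passive recorder sees)."""
    a, b = secrets.randbits(256), secrets.randbits(256)   # one-off exponents
    A, B = pow(G, a, P), pow(G, b, P)             # ServerKeyExchange / ClientKeyExchange
    shared = pow(B, a, P)
    assert shared == pow(A, b, P)                 # both sides agree on g^ab
    # a and b are discarded here; only A and B were ever transmitted
    # (A signed by the server's long-term key, which the recorder later gets).
    return kdf(shared), {"server_pub": A, "client_pub": B}


def attacker_with_long_term_key(transcript: dict) -> Optional[bytes]:
    """Recorder who has since obtained the server's long-term RSA private key."""
    if "ciphertext" in transcript:
        # RSA transport: the long-term key decrypts the recorded premaster.
        return kdf(pow(transcript["ciphertext"], RSA_D, RSA_N))
    # DHE: the long-term key only verified a signature.  Without the discarded
    # exponents, getting g^ab from g^a and g^b is the computational DH problem.
    return None


if __name__ == "__main__":
    key, wire = rsa_transport_session()
    print("RSA transport recovered:", attacker_with_long_term_key(wire) == key)
    key, wire = dhe_session()
    print("DHE recovered:", attacker_with_long_term_key(wire) == key)
```

Run as a script it prints `True` for RSA transport and `False` for DHE. The design point is that in the DHE branch the server's long-term key never enters the key derivation at all, so its later compromise (or a cryptanalytic break of the signature scheme) cannot unlock recorded traffic; it can only enable active impersonation from then on, which is the residual risk the message refers to when it notes that forward secrecy prevents passive attacks.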