[147038] in cryptography@c2.net mail archive


Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd:

daemon@ATHENA.MIT.EDU (Bill Stewart)
Wed Sep 11 15:30:20 2013

X-Original-To: cryptography@metzdowd.com
Date: Wed, 11 Sep 2013 11:40:47 -0700
To: Cryptography Mailing List <cryptography@metzdowd.com>
From: Bill Stewart <bill.stewart@pobox.com>
In-Reply-To: <CAMm+Lwi+fDDrZhNXpjrU9VzUn4svoKOGdF+YyS28wYfX1BF_-g@mail.g
	mail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

At 10:39 AM 9/11/2013, Phillip Hallam-Baker wrote:
>Perfect Forward Secrecy is not perfect. In fact it is no better than 
>regular public key. The only difference is that if the public key 
>system is cracked then with PFS the attacker has to break every 
>single key exchange and not just the keys in the certificates and if 
>you use an RSA outer with an ECC inner then you double the 
>cryptanalytic cost of the attack (theory as well as computation).

I wouldn't mind if it had been called Pretty Good Forward Secrecy 
instead, but it really is a lot better than regular public key.
The main difference is that cracking PFS requires breaking every 
single key exchange before the attack using cryptanalysis, while 
cracking the RSA or ECC outer layer can be done by compromising the 
stored private key, which is far easier to do using subpoenas or 
malware or rubber hoses than cryptanalysis.

(Of course, any messages that were saved by the sender or recipient 
can still be cracked by non-cryptanalytic techniques as well, but 
that's a separate problem.)

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
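
Added example, not part of the original message: a toy Python model of the difference discussed above, showing what a recorded handshake plus a later-disclosed long-term private key yields for static RSA key transport versus ephemeral Diffie-Hellman. All names, the tiny parameters, and the "finished" MAC stand-in are assumptions constructed for illustration and are not TLS itself.

```python
import hashlib, hmac, secrets

# Constructed toy parameters: far too small for real use, chosen so the block runs offline.
RSA_P, RSA_Q = 2**127 - 1, 2**89 - 1          # two Mersenne primes
N, E = RSA_P * RSA_Q, 65537
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))     # the server's stored long-term private key
DH_P, DH_G = 2**127 - 1, 3                    # toy Diffie-Hellman group

def kdf(secret: int) -> bytes:
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()

def finished(key: bytes) -> bytes:
    # Stand-in for a handshake MAC: lets anyone holding a candidate key confirm it.
    return hmac.new(key, b"finished", hashlib.sha256).digest()

def rsa_transport_session():
    """Static RSA key exchange: the client encrypts the premaster to the long-term key."""
    premaster = secrets.randbelow(N - 2) + 2
    key = kdf(premaster)
    return key, {"enc_premaster": pow(premaster, E, N), "finished": finished(key)}

def dhe_session():
    """Ephemeral DH: the long-term key only signs the server's share."""
    a = secrets.randbelow(DH_P - 3) + 2       # client ephemeral secret
    b = secrets.randbelow(DH_P - 3) + 2       # server ephemeral secret
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    digest = int.from_bytes(hashlib.sha256(B.to_bytes(16, "big")).digest()[:16], "big")
    key = kdf(pow(A, b, DH_P))
    assert key == kdf(pow(B, a, DH_P))        # both sides derive the same key
    # a and b go out of scope here: nothing stored afterwards can reproduce them.
    return key, {"A": A, "B": B, "sig": pow(digest, D, N), "finished": finished(key)}

def recover_from_recording(wire: dict, d: int):
    """Try every key derivable from a recorded handshake plus a disclosed long-term key."""
    values = [v for name, v in wire.items() if name != "finished"]
    candidates = [kdf(pow(v, d, N)) for v in values] + [kdf(v) for v in values]
    for cand in candidates:
        if hmac.compare_digest(finished(cand), wire["finished"]):
            return cand
    return None

if __name__ == "__main__":
    for name, session in (("static RSA", rsa_transport_session), ("ephemeral DH", dhe_session)):
        key, wire = session()
        exposed = recover_from_recording(wire, D) == key
        print(f"{name}: session key exposed by long-term key disclosure = {exposed}")
```
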
