[147193] in cryptography@c2.net mail archive


Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Tue Sep 17 17:01:19 2013

X-Original-To: cryptography@metzdowd.com
Date: Tue, 17 Sep 2013 17:01:12 -0400
From: "Perry E. Metzger" <perry@piermont.com>
To: John Kemp <john@jkemp.net>
In-Reply-To: <ECC47875-EFCA-4A55-9FA4-965F6DDF3167@jkemp.net>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>,
	Phillip Hallam-Baker <hallam@gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Tue, 17 Sep 2013 16:52:26 -0400 John Kemp <john@jkemp.net> wrote:
> On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker
> <hallam@gmail.com> wrote:
> > The objective of PRISM-hardening is not to prevent an
> > attack absolutely, it is to increase the work factor for the
> > attacker attempting ubiquitous surveillance.
> > 
> > Examples include:
> > 
> > Forward Secrecy: Increases work factor from one public key per
> > host to one public key per TLS session.
> 
> How does that work if one of PRISM's objectives is to compromise
> data _before_ it is transmitted by subverting its storage in one
> way or another?
> 
> Forward secrecy does nothing to impact the "work factor" in that
> case.

So, PFS stops attackers from breaking all communications by simply
stealing endpoint RSA keys. You need some sort of side channel or
reduction of the RNG output space in order to break an individual
communication then.

(Note that this assumes no cryptographic breakthroughs like doing
discrete logs over prime fields easily or (completely theoretical
since we don't really know how to do it) sabotage of the elliptic
curve system in use.)

Given that many real organizations have hundreds of front end
machines sharing RSA private keys, theft of RSA keys may very well be
much easier in many cases than broader forms of sabotage.

Perry
-- 
Perry E. Metzger		perry@piermont.com
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
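Perry's point above, as an added model (not code from the thread or from any of the posters): a passive recorder later steals one host's long-term RSA private key, and the script compares what that single theft yields against recorded RSA key-transport sessions and against ephemeral DH sessions. Every parameter is a constructed toy value (a Mersenne-prime RSA modulus, a 20-bit DH group with g = 4), sized so the per-session brute-force discrete log finishes in seconds and nothing like a real key size.

```python
import secrets

RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1                # constructed toy long-term host key (Mersenne primes)
RSA_N, RSA_E = RSA_P * RSA_Q, 65537                # insecure size, fine for modelling the attack
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # the secret a key thief walks away with

def is_prime(n):  # trial division; fine for the tiny DH group used here
    return n > 1 and all(n % d for d in range(2, int(n**0.5) + 1))

def safe_prime(bits):
    """Random safe prime p = 2q + 1 with q prime; g = 4 then generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1

def rsa_sessions(count):
    """RSA key transport: client picks session key k and sends k^e mod N -> (transcripts, keys)."""
    keys = [secrets.randbelow(RSA_N - 2) + 2 for _ in range(count)]
    return [pow(k, RSA_E, RSA_N) for k in keys], keys

def dhe_sessions(count, p, g=4):
    """Ephemeral DH: fresh a, b per session; transcript (g^a, g^b), key g^(ab) -> (transcripts, keys)."""
    q, transcripts, keys = (p - 1) // 2, [], []
    for _ in range(count):
        a, b = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
        transcripts.append((pow(g, a, p), pow(g, b, p)))
        keys.append(pow(g, a * b, p))
    return transcripts, keys

def attack_rsa(transcripts, stolen_d):  # one stolen long-term key opens every recorded session
    return [pow(c, stolen_d, RSA_N) for c in transcripts]

def attack_dhe(transcripts, p, g=4):
    """The stolen RSA key is useless here; each session costs its own discrete log -> (keys, group ops)."""
    keys, steps = [], 0
    for A, B in transcripts:
        x, a = 1, 0
        while x != A:                  # brute-force a with g^a == A; feasible only in this toy group
            x, a = x * g % p, a + 1
        steps += a
        keys.append(pow(B, a, p))
    return keys, steps

if __name__ == "__main__":
    p = safe_prime(20)
    t, k = rsa_sessions(5)
    print("RSA transport: one stolen key opens all 5 sessions:", attack_rsa(t, RSA_D) == k)
    t, k = dhe_sessions(5, p)
    got, steps = attack_dhe(t, p)
    print(f"DHE: RSA_D is no help; brute-force DLP opens all 5 only after {steps} group ops:", got == k)
```

The second line of output is the work-factor argument in numbers: the attacker's cost grows with the number of sessions instead of being paid once per host key.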
