[Cryptography] In the face of "cooperative" end-points, PFS doesn't help

[Jerry Leichter]

On Sep 7, 2013, at 11:16 PM, Marcus D. Leech wrote:
> Jeff Schiller pointed out a little while ago that the crypto-engineering community have largely failed to make end-to-end encryption easy to use.  There are reasons for that, some technical, some political, but it is absolutely true that end-to-end encryption, for those cases where "end to end" is the obvious and natural model, has not significantly materialized on the Internet.  Relatively speaking, a handful of crypto-nerds use end-to-end schemes for e-mail and chat clients, and so on, but the vast majority of the Internet user-space?  Not so much.
I agree, but the situation is complicated.  Consider chat.  If it's one-to-one, end-to-end encryption is pretty simple and could be made simple to use; but people also want to chat rooms, which are a much more complicated key management problem - unless you let the server do the encryption.  Do you enable it only for one-to-one conversations?  Provide different interfaces for one-to-one and chat room discussions?

Even for one-to-one discussions, these days, people want transparent movement across their hardware.  If I'm in a chat session on my laptop and leave the house, I'd like to be able to continue on my phone.  How do I hand off the conversation - and the keys?  (What this actually shows is the complexity of defining "the endpoint".  From the protocol's point of view, the endpoint is first my laptop, then my phone.  From the user's point of view, the endpoint is  the user!  How do we reconcile these points of view?  Or does the difference go away if we assume the endpoint is always the phone, since it's always with me anyway?)

The same kinds of questions arise for other communications modalities, but are often more complex.  One-to-one voice?  Sure, we could easily end-to-end encrypt that.  But these days everyone expects to do conference calls.  Handling those is quite a bit more complex.

There does appear to be some consumer interest here.  Apple found it worthwhile to advertise that iMessage - which is used in a completely transparent way, you don't even have to opt in for it to replace SMS for iOS to iOS messages - is end-to-end encrypted.  (And, it appears that it *is* end-to-end encrypted - but unfortunately key establishment protocols leave Apple with the keys - which allows them to provide useful services, like making your chat logs visible on brand new hardware, but also leaves holes of course.)  Silent Circle, among others, makes their living off of selling end-to-end encrypted chat sessions, but they've got a tiny, tiny fraction of the customer base Apple has.

I think you first need to decide *exactly* what services you're going to provide in a secure fashion, and then what customers are willing to do without (multi-party support, easy movement to new devices, backwards compatibility perhaps) before you can begin to design something new with any chance of success.
                                                        -- Jerry



                                                        -- Jerry