[Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

Peter Fairbrother zenadsl6186 at zen.co.uk
Fri Sep 6 14:33:25 EDT 2013

On 06/09/13 15:36, Perry E. Metzger wrote:
>>> One solution, preventing passive attacks, is for major browsers
>>> and websites to switch to using PFS ciphersuites (i.e. those
>>> based on ephemeral Diffie-Hellmann key exchange).
> It occurred to me yesterday that this seems like something all major
> service providers should be doing. I'm sure that some voices will say
> additional delay harms user experience. Such voices should be
> ruthlessly ignored.

Any additional delay will be short - after all, if forward secrecy by 
ephemeral key setup (I hate the term PFS, there is nothing perfect about 
it) is not used then you have to use something else - usually RSA - 

For a desktop, laptop, or even a decent mobile the difference is not 
noticeable in practice if the server is fast enough.

However, while the case for forward secrecy is easy to make, 
implementing it may be a little dangerous - if NSA have broken ECDH then
using it only gives them plaintext they maybe didn't have before.

Personally, operating on the assumption that NSA have not made a crypto 
break is something I'm not prepared to do. I just don't know what that 
break is. I think it's most likely RSA/DH or ECC, but could easily be 

I don't really care if the "break" is non-existent, irrelevant or 
disinformation - beefing up today's crypto is only hard in terms of 
getting people to choose a new updated crypto, and then getting people 
to implement it. This happens every so often anyway.

One point which has been mentioned, but perhaps not emphasised enough - 
if NSA have a secret backdoor into the main NIST ECC curves, then even 
if the fact of the backdoor was exposed - the method is pretty well 
known - without the secret constants no-one _else_ could break ECC.

So NSA could advocate the widespread use of ECC while still fulfilling 
their mission of protecting US gubbmint communications from enemies 
foreign and domestic. Just not from themselves.

Looking at timing, the FIPS 186-3 curves were introduced in July 2009 - 
the first hints that NSA had made a cryptanalytic break came in early to 
mid 2010.

I'm still leaning towards RSA, but ...

-- Peter Fairbrother
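A practical check for the recommendation in this thread, added here as an example and not part of Peter's message or anyone else's post: a Python 3 script that classifies a TLS cipher suite by its key exchange from its OpenSSL or IANA name (a naming heuristic, assumed here), builds a client context that offers only ephemeral suites (the cipher string is this example's own choice), and, given a hostname, reports what a live server actually negotiated.

```python
import re
import socket
import ssl

# TLS 1.3 suite names carry no key-exchange token because TLS 1.3 permits
# only ephemeral (EC)DHE, so every one of them is forward secret.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
                "TLS_AES_128_CCM_8_SHA256"}
# Anonymous DH is ephemeral but unauthenticated, so an active attacker can
# sit in the middle of it; it gets its own class rather than a pass.
ANON_RE = re.compile(r"^(ADH|AECDH|TLS-DH-ANON|TLS-ECDH-ANON)-")
EPHEMERAL_RE = re.compile(r"(^|-)(ECDHE|DHE)-")

def key_exchange(suite: str) -> str:
    """Classify a suite by key exchange from its OpenSSL or IANA name: 'ephemeral'
    (forward secret), 'anonymous-ephemeral' (forward secret but unauthenticated) or
    'static' (RSA key transport or static (EC)DH: a recording plus the server's
    long-term private key yields the plaintext later)."""
    upper = suite.upper()
    if upper in TLS13_SUITES:
        return "ephemeral"
    name = upper.replace("_", "-")  # IANA TLS_ECDHE_RSA_WITH_... -> TLS-ECDHE-RSA-WITH-...
    if ANON_RE.match(name):
        return "anonymous-ephemeral"
    if EPHEMERAL_RE.search(name):
        return "ephemeral"
    return "static"

def forward_secret_context() -> ssl.SSLContext:
    """Client context whose TLS 1.2 offer holds only ephemeral suites. The cipher
    string is this example's choice; list DHE first if you distrust the NIST curves."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL")
    return ctx

def check_server(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Connect with default settings and report (suite, protocol, class) the server chose."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            suite, proto, _bits = tls.cipher()
    return suite, proto, key_exchange(suite)

if __name__ == "__main__":
    import sys
    # Offline demo on constructed names; pass a hostname to probe a live server.
    for s in ("ECDHE-RSA-AES128-GCM-SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"):
        print(f"{s:40} {key_exchange(s)}")
    if len(sys.argv) > 1:
        print(check_server(sys.argv[1]))
```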
