[Cryptography] In the face of "cooperative" end-points, PFS doesn't help

Marcus D. Leech mleech at ripnet.com
Fri Sep 6 21:49:26 EDT 2013

It seems to me that while PFS is an excellent back-stop against NSA 
having/deriving a website RSA key, it does *nothing* to prevent the kind of
   "cooperative endpoint" scenario that I've seen discussed in other 
forums, prompted by the latest revelations about what NSA has been up to.

But if your fave website (gmail, your bank, etc) is disclosing the 
session-key(s) to the NSA, or has deliberately-weakened session-key 
negotiation in
   some way, then PFS doesn't help you.

I agree that if the scenario is "NSA has a database of RSA keys of 
'popular sites'" then PFS helps tremendously.  But if the scenario goes 
   into the "cooperative endpoint" territory, then waving the PFS flag 
is perhaps like playing the violin on the deck of the Titantic.

Do we now strongly suspect that NSA have a flotilla of TWIRL (or 
similar) machines, so that active cooperation of websites isn't strictly 
   to derive their (weaker) RSA secret keys?

Marcus Leech
Principal Investigator
Shirleys Bay Radio Astronomy Consortium

More information about the cryptography mailing list