[Cryptography] In the face of "cooperative" end-points, PFS doesn't help

Bill Stewart bill.stewart at pobox.com
Sat Sep 7 13:12:53 EDT 2013

At 06:49 PM 9/6/2013, Marcus D. Leech wrote:
>It seems to me that while PFS is an excellent back-stop against NSA 
>having/deriving a website RSA key, it does *nothing* to prevent the kind of
>   "cooperative endpoint" scenario that I've seen discussed in other 
> forums, prompted by the latest revelations about what NSA has been up to.
>But if your fave website (gmail, your bank, etc) is disclosing the 
>session-key(s) to the NSA,

Depends a lot on how cooperative they are.  It's much easier to get a 
subpoena/secret-order/etc. for "business records" that a company 
keeps, which may include the long-term key, than to get one for 
transient session keys that their software doesn't keep.  Doesn't 
mean they can't do it, but it's probably much easier to get an order 
to produce plaintext, especially for a company like a bank or email 
service where the plaintext is something they would be keeping, at 
least briefly, as a business record anyway.

>Do we now strongly suspect that NSA have a flotilla of TWIRL (or 
>similar) machines, so that active cooperation of websites isn't 
>strictly necessary
>   to derive their (weaker) RSA secret keys?

Unlikely - the economics are still strongly against that.  Keeping a 
fleet of key cracking machines to grab long-term private keys from 
high-value targets might make sense, but each long-term key gets used 
to protect thousands or millions of transient session keys.  If they 
have 1024-bit RSA crackers at all, unless there's been a radical 
breakthrough in factoring, they're still not fast.

I've always preferred RSA-signed Diffie-Hellmann to encrypted 
session-key transfer when it's practical.  The long-term keys only 
get used for signatures, so if they're compromised they can only be 
used to impersonate the endpoints, not to read previous sessions, and 
under less-than-NSA versions of due process, it's a lot easier to 
argue in court against a police agency that wants to impersonate you 
than one that wants a copy of a transaction.

More information about the cryptography mailing list