[Cryptography] In the face of "cooperative" end-points, PFS doesn't help

Peter Fairbrother zenadsl6186 at zen.co.uk
Sat Sep 7 16:50:08 EDT 2013

On 07/09/13 02:49, Marcus D. Leech wrote:
> It seems to me that while PFS is an excellent back-stop against NSA
> having/deriving a website RSA key, it does *nothing* to prevent the kind of
>    "cooperative endpoint" scenario that I've seen discussed in other
> forums, prompted by the latest revelations about what NSA has been up to.


But does it matter much? A cooperative endpoint can give plaintext no 
matter what encryption is used, not just session keys.

Okay, that might be a little harder to do in bulk - but perhaps not that 
much harder, depending on circumstances.

> But if your fave website (gmail, your bank, etc) is disclosing the
> session-key(s) to the NSA, or has deliberately-weakened session-key
> negotiation in
>    some way, then PFS doesn't help you.
> I agree that if the scenario is "NSA has a database of RSA keys of
> 'popular sites'" then PFS helps tremendously.  But if the scenario goes
> deeper
>    into the "cooperative endpoint" territory, then waving the PFS flag
> is perhaps like playing the violin on the deck of the Titantic.
> Do we now strongly suspect that NSA have a flotilla of TWIRL (or
> similar) machines, so that active cooperation of websites isn't strictly
> necessary
>    to derive their (weaker) RSA secret keys?

Maybe. Or maybe they have broken (the NIST curves for) ECDHE. Or maybe 
it's something else.

Whatever, I don't think they would be asking for $5.2 billion plus (for 
comparison, BULLRUN has an annual budget of $280 million) to spend on 
developing "advanced cryptanalytic capabilities" for which it is useful 
to "shape the worldwide cryptography marketplace to make it more 
tractable to" unless it was against some sort of key establishment 
mechanism in SSL/TLS.

I can't think of any other target which is worth that much money. Okay, 
maybe I'm ignoring the "never underestimate what the enemy is willing to 
spend" rule here, but..

Breaking a cipher like AES, 3DES or RC4 wouldn't give them nearly as 
much access to plaintext as breaking a KEM - they would have to break 
each ciphertext individually, whereas they would only need to break a 
KEM once.

And most of their interception is passive, they just listen - you 
generally need at least one plaintext/ciphertext pair to break a cipher 
and find a session key, and most often they don't have the plaintext, 
just the ciphertext.

You just need the right math (and/or maybe some input into curve 
choices) to break a PK KEM, and find *all* the session keys it is used for.

(the $5.2 billion figure is from a NSA request for additional 
congressional funding for "exciting new cryptanalytic capabilities" made 
a few years ago, and leaked by a congressman)

-- Peter Fairbrother

More information about the cryptography mailing list