[Cryptography] In the face of "cooperative" end-points, PFS doesn't help

james hughes hughejp at mac.com
Sat Sep 7 18:57:45 EDT 2013

On Sep 7, 2013, at 1:50 PM, Peter Fairbrother <zenadsl6186 at zen.co.uk> wrote:

> On 07/09/13 02:49, Marcus D. Leech wrote:
>> It seems to me that while PFS is an excellent back-stop against NSA
>> having/deriving a website RSA key, it does *nothing* to prevent the kind of
>>   "cooperative endpoint" scenario that I've seen discussed in other
>> forums, prompted by the latest revelations about what NSA has been up to.
> True.
> But does it matter much? A cooperative endpoint can give plaintext no matter what encryption is used, not just session keys.


Cooperative endpoints offer no protection to any cryptography because they have all the plaintext. One can argue that the subpoenas are just as effective as cooperative endpoints. The reductio ad absurdum argument is that PFS is not good enough in the face of subpoenas? I don't think cooperative endpoints is a relevant point. 

Passive monitoring and accumulation of cyphertext is a good SIGINT strategy. Read about the VENONA project. 
> Most decipherable messages were transmitted and intercepted between 1942 and 1945. […] These messages were slowly and gradually decrypted beginning in 1946 and continuing […] through 1980,

Clearly, the traffic was accumulated during which time there was no known attack.

While reusing OTP is not the fault here, PFS makes recovering information with future key recovery harder, since a single key being recovered with whatever means, does not make old traffic more vulnerable. 

This is not a new idea. The separation of key exchange from authentication allows this. A router I did the cryptography for (first produced by Network Systems Corporation in the 1994) was very careful not to allow any old (i.e. recorded) traffic to be vulnerable even if one or both end points were stolen and all the key material extracted. The router used DH (both sides ephemeral) for the key exchange and RSA for authentication and integrity. This work actually predates IPSEC and is still being used.

I am getting from the list that there have been or are arguments that doing two public key operations is too much. Is it really? 

PFS may not be a panacea but does help.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20130907/55204665/attachment.html>

More information about the cryptography mailing list