[Cryptography] In the face of "cooperative" end-points, PFS doesn't help

Marcus D. Leech mleech at ripnet.com
Sat Sep 7 23:16:22 EDT 2013


On 09/07/2013 06:57 PM, james hughes wrote:
>
> PFS may not be a panacea but does help.
>
There's no question in my mind that PFS helps.  I have, in the past, been very much in favor of turning on PFS support in various protocols, when it has been available.  And I fully understand what the *purpose* of PFS is.

But it's not entirely clear to me that it will help enough in the scenarios under discussion.  If we assume that mostly what NSA are doing is acquiring a site RSA key (either through "donation" on the part of the site, or through factoring or other means), then yes, absolutely, PFS will be a significant roadblock.  If, however, they're getting session-key material (perhaps through back-doored software, rather than explicit cooperation by the target website), then PFS does nothing to help us.  And indeed, that same class of compromised site could just as well be leaking plaintext, although leaking session keys is lower-profile.

I think all this amounts to a preamble for a call to think deeply, again, about end-to-end encryption.  I used OTR on certain chat sessions, for example, because the "server in the middle" disclosing the contents of those OTR-protected conversations could have dire consequences for one of the parties involved.

Jeff Schiller pointed out a little while ago that the crypto-engineering community have largely failed to make end-to-end encryption easy to use.  There are reasons for that, some technical, some political, but it is absolutely true that end-to-end encryption, for those cases where "end to end" is the obvious and natural model, has not significantly materialized on the Internet.  Relatively speaking, a handful of crypto-nerds use end-to-end schemes for e-mail and chat clients, and so on, but the vast majority of the Internet user-space?  Not so much.
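As an added example (not from the post above or from anyone on the thread), here is a small Python model of the two adversaries the post distinguishes, run with and without forward secrecy.  It assumes a constructed toy DH group (P = 2**127 - 1, G = 3, not a safe prime and not for real use) and a SHA-256-in-counter-mode stream cipher as a stand-in for the record layer, so it runs on the standard library alone, and it uses a static server DH key in place of the RSA key transport the post mentions; the property is the same, namely that the long-term private key lets a later reader recover every recorded session's key.  What it shows: obtaining the site's long-term key afterwards unlocks recorded non-PFS sessions only, while a session key leaked by the endpoint unlocks the recording either way.

```python
"""Toy model: what a passive recorder can decrypt later, given either the
site's long-term private key or a leaked session key, with and without PFS.

Added illustration, not code from the post or the thread.  Assumptions:
a constructed toy DH group, a toy SHA-256 stream cipher, and a static
server DH key standing in for RSA key transport (no PFS in either case).
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # constructed toy modulus (Mersenne prime); illustration only, not a safe prime
G = 3
KEY_BYTES = 16   # every group element fits in 16 bytes since P < 2**128


def keygen():
    """Return (private exponent, public value) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def derive_session_key(shared_secret, transcript):
    """HMAC-based KDF: session key bound to the shared secret and the handshake transcript."""
    return hmac.new(shared_secret.to_bytes(KEY_BYTES, "big"), transcript, hashlib.sha256).digest()


def stream_xor(key, data):
    """Toy stream cipher: XOR with SHA-256(key || counter) blocks.  Unauthenticated; demo only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def handshake(server_long_term, pfs):
    """Run one handshake; return (transcript the network sees, session key).

    pfs=False: the server contributes its static long-term key (no forward secrecy).
    pfs=True : the server contributes a fresh ephemeral key and discards it afterwards.
    """
    c_priv, c_pub = keygen()
    s_priv, s_pub = keygen() if pfs else server_long_term
    shared = pow(s_pub, c_priv, P)          # client side
    assert shared == pow(c_pub, s_priv, P)  # server side agrees
    transcript = c_pub.to_bytes(KEY_BYTES, "big") + s_pub.to_bytes(KEY_BYTES, "big")
    return transcript, derive_session_key(shared, transcript)


def decrypt_with_long_term_key(recording, server_long_term):
    """Adversary taped the session and later obtained the site's long-term private key."""
    transcript, ciphertext = recording
    c_pub = int.from_bytes(transcript[:KEY_BYTES], "big")
    s_priv, _ = server_long_term
    guessed_key = derive_session_key(pow(c_pub, s_priv, P), transcript)
    return stream_xor(guessed_key, ciphertext)


def decrypt_with_leaked_session_key(recording, leaked_key):
    """Adversary taped the session and a compromised endpoint handed over the session key."""
    return stream_xor(leaked_key, recording[1])


def run_scenarios(message=b"constructed plaintext: what the site is supposed to protect"):
    """Return {(adversary, pfs): plaintext_recovered} for all four combinations."""
    server_long_term = keygen()
    results = {}
    for pfs in (False, True):
        transcript, session_key = handshake(server_long_term, pfs)
        recording = (transcript, stream_xor(session_key, message))   # what a passive tap keeps
        results[("long_term_key", pfs)] = decrypt_with_long_term_key(recording, server_long_term) == message
        results[("leaked_session_key", pfs)] = decrypt_with_leaked_session_key(recording, session_key) == message
    return results


if __name__ == "__main__":
    for (adversary, pfs), ok in sorted(run_scenarios().items()):
        print(f"{adversary:18s} pfs={pfs!s:5s} -> plaintext recovered: {ok}")
```

Run as a script it prints the four outcomes; the only one that comes back as not recovered is the long-term-key adversary against a PFS session.  Note that the PFS case still lets a holder of the long-term key impersonate the site in *future* handshakes; it only denies retroactive decryption of recordings.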

