[Cryptography] In the face of "cooperative" end-points, PFS doesn't help

[james hughes]

On Sep 7, 2013, at 8:16 PM, "Marcus D. Leech" <mleech at ripnet.com> wrote:

> But it's not entirely clear to me that it will help enough in the scenarios under discussion.  If we assume that mostly what NSA are doing is acquiring a site
>    RSA key (either through "donation" on the part of the site, or through factoring or other means), then yes, absolutely, PFS will be a significant roadblock.
>    If, however, they're getting session-key material (perhaps through back-doored software, rather than explicit cooperation by the target website), the
>    PFS does nothing to help us.  And indeed, that same class of compromised site could just as well be leaking plaintext.  Although leaking session
>    keys is lower-profile.

I think we are growing closer to agreement, PFS does help, the question is how much in the face of cooperation. 

Let me suggest the following. 

With RSA, a single quiet "donation" by the site and it's done. The situation becomes totally passive and there is no possibility knowing what has been read.  The system administrator could even do this without the executives knowing. 

With PFS there is a significantly higher profile interaction with the site. Either the session keys need to be transmitted  in bulk, or the RNG cribbed. Both of these have a significantly higher profile,  higher possibility of detection and increased difficulty to execute properly. Certainly a more risky think for a cooperating site to do. 

PFS does improve the situation even if cooperation is suspect. IMHO it is just better cryptography. Why not? 

It's better. It's already in the suites. All we have to do is use it... 

I am honestly curious about the motivation not to choose more secure modes that are already in the suites?