[Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

Bill Stewart bill.stewart at pobox.com
Tue Sep 10 15:56:16 EDT 2013

At 11:33 AM 9/6/2013, Peter Fairbrother wrote:
>However, while the case for forward secrecy is easy to make, 
>implementing it may be a little dangerous - if NSA have broken ECDH then
>using it only gives them plaintext they maybe didn't have before.

I thought the normal operating mode for PFS is that there's an 
initial session key exchange (typically RSA) and authentication,
which is used to set up an encrypted session, and within that session 
there's a DH or ECDH key exchange to set up an ephemeral session key,
and then that session key is used for the rest of the session.
If so, even if the NSA has broken ECDH, they presumably need to see 
both Alice and Bob's keyparts to use their break,
which they can only do if they've cracked the outer session (possibly 
after the fact).
So you're not going to leak any additional plaintext by doing ECDH 
compared to sending the same plaintext without it.

>One point which has been mentioned, but perhaps not emphasised 
>enough - if NSA have a secret backdoor into the main NIST ECC 
>curves, then even if the fact of the backdoor was exposed - the 
>method is pretty well known - without the secret constants no-one 
>_else_ could break ECC.
>So NSA could advocate the widespread use of ECC while still 
>fulfilling their mission of protecting US gubbmint communications 
>from enemies foreign and domestic. Just not from themselves.

Yep.  It's definitely the fun kind of backdoor to use.
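
The property the thread is arguing about, as an added illustration (my own code, not anything posted by either correspondent and not a TLS implementation): a passive eavesdropper records a session, later obtains Alice's long-term private key, and tries to decrypt the recording. With a session key derived from the long-term keys alone the recording falls, while with a fresh ephemeral exchange per session, whose exponents are discarded after the handshake, the same stolen key recovers nothing. Assumptions: the group is a constructed toy (p = 2^127 - 1, g = 3, not an RFC or NIST group); "encryption" is a SHA-256 keystream plus HMAC tag; and the long-term keys authenticate the ephemeral shares via an HMAC keyed from the static DH secret, standing in for the certificate signature that real DHE/ECDHE cipher suites use on the server's ephemeral share.

```python
import hashlib
import hmac
import secrets

# Constructed toy group (NOT an RFC or NIST group): p = 2^127 - 1 (a Mersenne prime), g = 3.
P = (1 << 127) - 1
G = 3


def dh_keygen():
    """Return (private exponent, public share g^x mod p)."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)


def kdf(shared: int, a_share: int, b_share: int) -> bytes:
    """Derive a 32-byte session key from the DH secret and both public shares."""
    h = hashlib.sha256()
    for v in (shared, a_share, b_share):
        h.update(v.to_bytes(16, "big"))
    return h.digest()


def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) blocks, truncated to n bytes."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, msg: bytes) -> bytes:
    """Toy encrypt-then-MAC: XOR with the keystream, then append an HMAC-SHA256 tag."""
    ct = bytes(a ^ b for a, b in zip(msg, keystream(key, len(msg))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def open_(key: bytes, sealed: bytes):
    """Return the plaintext, or None if the tag does not verify under this key."""
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


def run_session(alice_lt, bob_lt, msg: bytes, ephemeral: bool) -> dict:
    """Alice sends msg to Bob. Returns everything a passive eavesdropper records."""
    a_lt_priv, a_lt_pub = alice_lt
    b_lt_priv, b_lt_pub = bob_lt
    if ephemeral:
        # Fresh per-session shares; the long-term keys only authenticate them
        # (toy: HMAC keyed by the static DH secret stands in for a signature).
        a_priv, a_pub = dh_keygen()
        b_priv, b_pub = dh_keygen()
        auth_key = kdf(pow(b_lt_pub, a_lt_priv, P), a_lt_pub, b_lt_pub)
        shares = a_pub.to_bytes(16, "big") + b_pub.to_bytes(16, "big")
        tag = hmac.new(auth_key, shares, hashlib.sha256).digest()
        key = kdf(pow(b_pub, a_priv, P), a_pub, b_pub)
        assert key == kdf(pow(a_pub, b_priv, P), a_pub, b_pub)  # both sides agree
        del a_priv, b_priv  # ephemeral exponents are discarded after the handshake
    else:
        # Session key derived from the long-term keys alone: no forward secrecy.
        a_pub, b_pub = a_lt_pub, b_lt_pub
        tag = b""
        key = kdf(pow(b_lt_pub, a_lt_priv, P), a_pub, b_pub)
    return {"a_share": a_pub, "b_share": b_pub, "auth_tag": tag, "ciphertext": seal(key, msg)}


def later_key_compromise(record: dict, stolen_alice_lt_priv: int):
    """Eavesdropper who recorded the session and later obtained Alice's long-term key."""
    guess = kdf(pow(record["b_share"], stolen_alice_lt_priv, P),
                record["a_share"], record["b_share"])
    return open_(guess, record["ciphertext"])


def demo():
    """Returns (plaintext recovered from the static session, result for the PFS session)."""
    alice_lt, bob_lt = dh_keygen(), dh_keygen()
    msg = b"meet at noon"  # constructed sample message
    static_rec = run_session(alice_lt, bob_lt, msg, ephemeral=False)
    pfs_rec = run_session(alice_lt, bob_lt, msg, ephemeral=True)
    return (later_key_compromise(static_rec, alice_lt[0]),
            later_key_compromise(pfs_rec, alice_lt[0]))


if __name__ == "__main__":
    static_result, pfs_result = demo()
    print("static session after key theft:", static_result)
    print("ephemeral session after key theft:", pfs_result)
```

The ephemeral branch is the one point where this toy and the NSA-has-broken-ECDH worry meet: the recorded shares `a_share` and `b_share` are all the eavesdropper holds, and turning them into the session key needs a discrete-log break of the group, not the long-term key. Everything else in the recording (the authentication tag included) is computed from values the eavesdropper already sees or from a key that never leaves the two endpoints.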
