[Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

Bill Stewart bill.stewart at pobox.com
Wed Sep 11 14:40:47 EDT 2013

At 10:39 AM 9/11/2013, Phillip Hallam-Baker wrote:
>Perfect Forward Secrecy is not perfect. In fact it is no better than 
>regular public key. The only difference is that if the public key 
>system is cracked then with PFS the attacker has to break every 
>single key exchange and not just the keys in the certificates and if 
>you use an RSA outer with an ECC inner then you double the 
>cryptanalytic cost of the attack (theory as well as computation).

I wouldn't mind if it had been called Pretty Good Forward Secrecy 
instead, but it really is a lot better than regular public key.
The main difference is that cracking PFS requires breaking every 
single key exchange before the attack using cryptanalysis, while 
cracking the RSA or ECC outer layer can be done by compromising the 
stored private key, which is far easier to do using subpoenas or 
malware or rubber hoses than cryptanalysis.

(Of course, any messages that were saved by the sender or recipient 
can still be cracked by non-cryptanalytic techniques as well, but 
that's a separate problem.)
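
Added example, not part of the original message: one way to check which TLS suites a Python `ssl` context would offer without forward secrecy, and to build a server context restricted to ephemeral key exchange. The function names and the sample entries are constructed for illustration, and the cipher string is one reasonable choice, not a recommendation from the thread.

```python
import ssl

# Key-exchange labels OpenSSL reports for ephemeral Diffie-Hellman suites
# (plain and PSK-authenticated variants share these prefixes).
EPHEMERAL_KX_PREFIXES = ("kx-ecdhe", "kx-dhe")


def is_forward_secret(cipher):
    """Classify one entry from SSLContext.get_ciphers()."""
    # Every TLS 1.3 suite uses an ephemeral (EC)DHE key share.
    if cipher.get("protocol") == "TLSv1.3":
        return True
    # "kx-rsa" is RSA key transport: the session secret is encrypted to the
    # long-term certificate key, so a later key compromise exposes it.
    return cipher.get("kea", "").startswith(EPHEMERAL_KX_PREFIXES)


def non_pfs_suites(ctx):
    """Names of suites the context would offer that lack forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers() if not is_forward_secret(c)]


def pfs_only_server_context():
    """Server context limited to ephemeral key exchange (no certificate loaded)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


# Constructed sample entries in the shape get_ciphers() returns.
SAMPLE = [
    {"name": "AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-rsa"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe"},
    {"name": "TLS_AES_128_GCM_SHA256", "protocol": "TLSv1.3", "kea": "kx-any"},
]

if __name__ == "__main__":
    for c in SAMPLE:
        verdict = "forward secret" if is_forward_secret(c) else "NO forward secrecy"
        print(c["name"], verdict)
    print("default context:", non_pfs_suites(ssl.create_default_context()))
    print("restricted context:", non_pfs_suites(pfs_only_server_context()))
```

What the default context reports depends on the local OpenSSL build and system crypto policy, so run the audit on the host that terminates TLS.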
