[Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)
bill.stewart at pobox.com
Wed Sep 11 14:40:47 EDT 2013
At 10:39 AM 9/11/2013, Phillip Hallam-Baker wrote:
>Perfect Forward Secrecy is not perfect. In fact it is no better than
>regular public key. The only difference is that if the public key
>system is cracked then with PFS the attacker has to break every
>single key exchange and not just the keys in the certificates and if
>you use an RSA outer with an ECC inner then you double the
>cryptanalytic cost of the attack (theory as well as computation).
I wouldn't mind if it had been called Pretty Good Forward Secrecy
instead, but it really is a lot better than regular public key.
The main difference is that cracking PFS requires breaking every
single key exchange before the attack using cryptanalysis, while
cracking the RSA or ECC outer layer can be done by compromising the
stored private key, which is far easier to do using subpoenas or
malware or rubber hoses than cryptanalysis.
(Of course, any messages that were saved by the sender or recipient
can still be cracked by non-cryptanalytic techniques as well, but
that's a separate problem.)
More information about the cryptography