[Cryptography] PRISM-Proofing and PRISM-Hardening

Perry E. Metzger perry at piermont.com
Tue Sep 17 17:01:12 EDT 2013

On Tue, 17 Sep 2013 16:52:26 -0400 John Kemp <john at jkemp.net> wrote:
> On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker
> <hallam at gmail.com> wrote:
> > The objective of PRISM-hardening is not to prevent an
> > attack absolutely, it is to increase the work factor for the
> > attacker attempting ubiquitous surveillance.
> > 
> > Examples include:
> > 
> > Forward Secrecy: Increases work factor from one public key per
> > host to one public key per TLS session.
> How does that work if one of PRISMs objectives is to compromise
> data _before_ it is transmitted by subverting its storage in one
> way or another?
> Forward secrecy does nothing to impact the "work factor" in that
> case.

So, PFS stops attackers from breaking all communications by simply
stealing endpoint RSA keys. You need some sort of side channel or
reduction of the RNG output space in order break an individual
communication then.

(Note that this assumes no cryptographic breakthroughs like doing
discrete logs over prime fields easily or (completely theoretical
since we don't really know how to do it) sabotage of the elliptic
curve system in use.)

Given that many real organizations have hundreds of front end
machines sharing RSA private keys, theft of RSA keys may very well be
much easier in many cases than broader forms of sabotage.

Perry E. Metzger		perry at piermont.com

More information about the cryptography mailing list