[Cryptography] PRISM-Proofing and PRISM-Hardening

Perry E. Metzger perry at piermont.com
Wed Sep 18 08:05:32 EDT 2013


On Tue, 17 Sep 2013 23:48:40 -0700 "Christian Huitema"
<huitema at huitema.net> wrote:
> > Given that many real organizations have hundreds of front end
> > machines sharing RSA private keys, theft of RSA keys may very
> > well be much easier in many cases than broader forms of sabotage.
> 
> Or we could make it easy to have one separate RSA key per front
> end, signed using the main RSA key of the organization.

Certainly, though the protection against active attacks doesn't
improve much in that situation. Merely doing DNS cache preloading
(I'd say poisoning but the host you're being pointed at would be
entirely legitimate!) or some other attacks could force a target to
use a particular server at a site, perhaps the one of several front
ends where you had stolen a key. It is hard for DNSSEC to defend
against this given that the DNS data is real, and as active attacks
go, it is quite cheap!

(This also makes various forms of certificate pinning/witnessing
harder, though not necessarily fatally so.)

I don't disagree with your point, of course. I just think defense in
depth requires that we consider all these possibilities and force
the attacker to spend as much as possible to get access to traffic
data and plaintext, and to do it only for single targets.

Perry
-- 
Perry E. Metzger		perry at piermont.com

