[Cryptography] Fwd: freedom-to-tinker.com: How is NSA breaking so much crypto?

Phillip Hallam-Baker phill at hallambaker.com
Sat Oct 17 16:45:53 EDT 2015


On Sat, Oct 17, 2015 at 3:00 PM, Natanael <natanael.l at gmail.com> wrote:
>
> Den 17 okt 2015 01:36 skrev "Phillip Hallam-Baker" <phill at hallambaker.com>:
>> If you don't use a pre-computed prime you have to check the prime
>> presented every time and that is something we can't trust people to do
>> right.
>>
>> The solution is to compute the session key so that it is a product of
>> the pre-master secret and the ephemeral exchange.
>>
>> What the protocol does right now is generate a strong shared secret
>> (s1) and then use it to authenticate a DH exchange with shorter keys
>> producing a weaker shared secret (s2).
>>
>> The problem is eliminated if we use H(s1 + s2) as the shared secret.
>> Which is what I proposed at the time and got told I was being a
>> trouble maker, unhelpful, etc.
>
> Doesn't this attack still work in one way then? Because here it is s2 that
> provides the PFS property, but that's the value that can still be attacked
> this way. So then you just need to crack the prime, and then start
> collecting private keys for the certificates of your targets.

If you could collect the private keys you could do a MITM attack.

> So the difference is that you now need to both crack DH and also get the
> private key, not just one or the other (getting the private key in non-PFS,
> cracking DH in standard PFS). So less convenient and harder to attack on a
> large scale, but NSA still have plenty of zero-days for that.

That really isn't as easy as you suggest. But in general, every
cryptosystem should be designed so that even if one component breaks,
the system remains secure.

When using PFS with ECC keys you probably want to use a 255-bit PFS
exchange with a 448-bit key for performance, but you don't want to
reduce your overall security level.

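The following is an added worked example, not code from the thread or from any protocol the participants discuss. It models the two designs under comparison: a session key that depends only on the ephemeral DH secret s2 (so a passive attacker who can solve the discrete log in a weak group recovers the key), versus the H(s1 || s2) construction from the message, where the same attacker also needs the long-term-key-protected pre-master secret s1. The DH group (P = 1000003, G = 2), the baby-step giant-step solver, the length-prefixed encoding inside the hash, and all function names are my assumptions chosen so the "weak" group is actually breakable on a laptop.

```python
import hashlib
import math
import secrets

# Deliberately tiny DH group so the discrete log is solvable here. These are
# assumed demonstration values, not parameters of any real protocol.
P = 1000003   # small prime modulus
G = 2         # base element


def dh_keypair(p=P, g=G):
    """Ephemeral DH key pair: private exponent in [1, p-2], public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(priv, peer_pub, p=P):
    return pow(peer_pub, priv, p)


def discrete_log_bsgs(h, g=G, p=P):
    """Baby-step giant-step: find x with g^x == h (mod p).
    Feasible only because p is tiny, which is exactly the attacker's position
    against a weak DH group."""
    m = math.isqrt(p) + 1
    baby = {}
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant_step = pow(g, -m, p)      # g^(-m) mod p
    gamma = h
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant_step % p
    return None


def weak_pfs_key(s2: bytes) -> bytes:
    """Design under criticism: session key derived from the ephemeral secret alone."""
    return hashlib.sha256(s2).digest()


def combined_key(s1: bytes, s2: bytes) -> bytes:
    """H(s1 || s2) as proposed in the message. The 4-byte length prefixes are my
    addition so the concatenation is unambiguous."""
    enc = len(s1).to_bytes(4, "big") + s1 + len(s2).to_bytes(4, "big") + s2
    return hashlib.sha256(enc).digest()


def handshake():
    """Run one handshake and return what each side knows plus what a passive
    observer sees on the wire (the two DH public values)."""
    # s1 models the pre-master secret protected by the server's long-term key;
    # a passive observer does not see it unless that key is compromised.
    s1 = secrets.token_bytes(32)
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    s2_int = dh_shared(a_priv, b_pub)
    assert s2_int == dh_shared(b_priv, a_pub)
    s2 = s2_int.to_bytes(4, "big")
    wire = {"a_pub": a_pub, "b_pub": b_pub}
    return {"s1": s1, "s2": s2, "weak": weak_pfs_key(s2),
            "combined": combined_key(s1, s2), "wire": wire}


def attacker_recover_s2(wire):
    """Passive attacker who only solves the (weak) DH exchange."""
    a_priv = discrete_log_bsgs(wire["a_pub"])
    return dh_shared(a_priv, wire["b_pub"]).to_bytes(4, "big")


def attacker_weak_pfs(wire):
    """Against the s2-only design, solving DH is enough to get the session key."""
    return weak_pfs_key(attacker_recover_s2(wire))


def attacker_combined(wire, s1=None):
    """Against H(s1 || s2) the attacker also needs s1; without it there is
    nothing to hash, so return None."""
    if s1 is None:
        return None
    return combined_key(s1, attacker_recover_s2(wire))


if __name__ == "__main__":
    run = handshake()
    print("DH alone breaks s2-only key:", attacker_weak_pfs(run["wire"]) == run["weak"])
    print("DH alone breaks combined key:", attacker_combined(run["wire"]) == run["combined"])
    print("DH plus leaked s1 breaks combined key:",
          attacker_combined(run["wire"], run["s1"]) == run["combined"])
```

Running it shows the asymmetry the message is arguing about: the solver alone recovers the s2-only key every time, while the combined key is only recoverable when the attacker additionally obtains s1, i.e. both components must fail before the session is exposed.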
