[cryptography] The NSA Is Building the Country's Biggest Spy Center (Watch What You Say)

Adam Back adam at cypherspace.org
Fri Mar 23 09:52:36 EDT 2012

You know PFS while a good idea, and IMNSO all non-PFS ciphersuites should be
deprecated etc, PFS just ensures the communicating parties delete the key
negotiation emphemeral private keys after use.

Which does nothing intrinsic to prevent massive computation powered 1024
discrete log on stored PFS traffic, other than to the limited extent of
creating a fresh public key to attack on each session.

A secondary point if you are concerned about after-the-fact computational
power overtaking your stored ciphertext (PFS or not) is to avoid using
shared public crypto parameters for discrete log based cryptosystems.

Shared public parameters are also bad because there can be some reusable
precomputation or shared parameter specific optimized hardware.  The flip
side is the parameter generation for the EC DL cryptosystems is so complex
that it will probably be safer for most purposes to use a standardized
parameter set, than to generate your own, if your library even supports it.


On Fri, Mar 23, 2012 at 08:42:29AM -0400, dan at geer.org wrote:
>Jdean at lsuhsc.edu writes, in part:
> > Even if the intercepted communication is AES encrypted and unbroken
> > today, all that stored data will be cracked some day. Then it too
> > can be data-mined.
>What percentage of acquirable/storable traffic do you
>suppose actually exhibits perfect forward secrecy?
>...those who control the past control the future.
>       --  George Orwell
>cryptography mailing list
>cryptography at randombit.net

More information about the cryptography mailing list