[cryptography] SSL session resumption defective (Re: What project would you finance? [WAS: Potential funding for crypto-related projects])
thierry.moreau at connotech.com
Thu Jul 4 11:16:21 EDT 2013
Thanks to Nico for bringing the focus on DH as the central ingredient of
Nico Williams wrote:
> But first we'd have to get users to use cipher suites with PFS. We're
> not really there.
Perfect forward secrecy (PFS) is an abstract security property defined
because Diffie-Hellman (DH) -- whatever flavor of it -- provides it.
As a reminder, PFS prevents an adversary who gets a copy of a victim's
system state at time T (long term private keys), then *only* eavesdrops
the victim's system protocol exchanges at any time T' that is past a
session key renegotiation (hint: the DH exchange part of the
renegotiation bars the passive eavesdropper).
It's nice for us cryptographers to provide such protection. But its
incremental security appears marginal.
So, is it really *needed* by the users given the state of client system
I would rather get users to raise their awareness and self-defense
against client system insecurity (seldom a cryptographer achievement).
- Thierry Moreau
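The PFS definition in the post, as an added toy model in Python (not Thierry's code and not from the list): a "static" handshake whose session key is derivable from the server's long-term secret plus the wire transcript, beside an ephemeral DH handshake, and a passive adversary who holds the stolen long-term secret and only the transcript. The group parameters and the HMAC standing in for the server's signature are constructed simplifications, not real TLS.

```python
import hashlib
import hmac
import secrets

# Toy DH group, constructed for illustration only and far too small for real use:
# P = 2^127 - 1 is a Mersenne prime; G = 3 is assumed to generate a large subgroup.
P = (1 << 127) - 1
G = 3

def kdf(*parts: bytes) -> bytes:
    """Derive a session key by hashing the concatenated inputs."""
    return hashlib.sha256(b"|".join(parts)).digest()

def static_handshake(server_lt_secret: bytes):
    """Key-transport style (models RSA key transport): the session key is a
    function of the long-term secret and public data only."""
    nonce = secrets.token_bytes(16)
    transcript = {"mode": "static", "nonce": nonce}
    return transcript, kdf(server_lt_secret, nonce)

def ephemeral_handshake(server_lt_secret: bytes):
    """DHE style: fresh exponents each session; the long-term secret only
    authenticates the server share (HMAC tag stands in for a signature)."""
    a = secrets.randbelow(P - 2) + 1  # client ephemeral exponent
    b = secrets.randbelow(P - 2) + 1  # server ephemeral exponent
    ga, gb = pow(G, a, P), pow(G, b, P)
    tag = hmac.new(server_lt_secret, gb.to_bytes(16, "big"), "sha256").digest()
    transcript = {"mode": "ephemeral", "ga": ga, "gb": gb, "tag": tag}
    client_key = kdf(pow(gb, a, P).to_bytes(16, "big"))
    server_key = kdf(pow(ga, b, P).to_bytes(16, "big"))
    assert client_key == server_key  # both sides agree on g^ab
    return transcript, client_key

def passive_attacker(transcript: dict, stolen_lt_secret: bytes):
    """Adversary with the long-term secret and only the recorded transcript.
    Returns the recovered session key, or None when it cannot be derived."""
    if transcript["mode"] == "static":
        return kdf(stolen_lt_secret, transcript["nonce"])
    # Ephemeral case: the tag verifies, proving the secret is genuine, but
    # ga and gb alone do not yield g^ab without solving a discrete log.
    expected = hmac.new(stolen_lt_secret, transcript["gb"].to_bytes(16, "big"),
                        "sha256").digest()
    if not hmac.compare_digest(expected, transcript["tag"]):
        raise ValueError("transcript not authenticated by this secret")
    return None
```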