[cryptography] SSL session resumption defective (Re: What project would you finance? [WAS: Potential funding for crypto-related projects])

Thierry Moreau thierry.moreau at connotech.com
Thu Jul 4 11:16:21 EDT 2013


Thanks to Nico for bringing the focus on DH as the central ingredient of 
PFS.

Nico Williams wrote:
> 
> But first we'd have to get users to use cipher suites with PFS.  We're
> not really there.
> 

Why?

Perfect forward secrecy (PFS) is an abstract security property defined 
because Diffie-Hellman (DH) -- whatever flavor of it -- provides it.

As a reminder, PFS prevents an adversary who gets a copy of a victim's 
system state at time T (long term private keys), then *only* eavesdrops 
the victim's system protocol exchanges at any time T' that is past a 
session key renegotiation (hint: the DH exchange part of the 
renegotiation bars the passive eavesdropper).

It's nice for us cryptographers to provide such protection. But its 
incremental security appears marginal.

So, is it really *needed* by the users given the state of client system 
insecurity?

I would rather get users to raise their awareness and self-defense 
against client system insecurity (seldom a cryptographer achievement).

-- 
- Thierry Moreau



More information about the cryptography mailing list