[cryptography] SSL session resumption defective (Re: What project would you finance? [WAS: Potential funding for crypto-related projects])

Adam Back adam at cypherspace.org
Thu Jul 4 11:56:51 EDT 2013

Forward secrecy is exceedingly important security property.  Without it an
attacker can store encrypted messages via passive eavesdropping, or court
order an any infrastructure that records messages (advertised or covert) and
then obtain the private key via burglary, subpoena, coercion or
software/hardware compromise.

The fact that the user couldnt decrypt the traffic even if he wanted to as
he automatically no longer has the keys, is extremely valuable to the
overall security for casual, high assurance and after-the-fact security (aka

In my view all non-forward-secret ciphersuits should be deprecated.

(The argument that other parts of the system are poorly secured, is not an
excuse; and anyway their failure modes are quite distinct).

Btw DH is not the only way to get forward secrecy; ephemeral (512-bit) RSA
keys were used as part of the now-defunct export ciphers, and the less well
known fact that you can extend forward secrecy using symmetric key one way
functions hash function k' = H(k), delete k.

DH also provides forward security (bacward secrecy?) its all a misnomer but
basically recovery of security, if decryption keys are compromised, but the
random number generator is still secure.  (And auth keys presumably.)

The fact that forward secrecy is secure against passive adversaries even
with posession of authenticating signature keys, also ups the level of
attack required to obtaining plaintext.  A MITM is something harder to
achieve at large scale, and without detection, in the face of compromised
CAs and so on.  So that is another extremely valuable functionality provided
by DH.

Dont knock DH - it provides multiple significant security advantages over
long-live keys.  All comms that is not necessarily store and forward should
be using it.


On Thu, Jul 04, 2013 at 11:16:21AM -0400, Thierry Moreau wrote:
>Thanks to Nico for bringing the focus on DH as the central ingredient 
>of PFS.
>Nico Williams wrote:
>>But first we'd have to get users to use cipher suites with PFS.  We're
>>not really there.
>Perfect forward secrecy (PFS) is an abstract security property 
>defined because Diffie-Hellman (DH) -- whatever flavor of it -- 
>provides it.
>As a reminder, PFS prevents an adversary who gets a copy of a 
>victim's system state at time T (long term private keys), then *only* 
>eavesdrops the victim's system protocol exchanges at any time T' that 
>is past a session key renegotiation (hint: the DH exchange part of 
>the renegotiation bars the passive eavesdropper).
>It's nice for us cryptographers to provide such protection. But its 
>incremental security appears marginal.
>So, is it really *needed* by the users given the state of client 
>system insecurity?
>I would rather get users to raise their awareness and self-defense 
>against client system insecurity (seldom a cryptographer 
>- Thierry Moreau

More information about the cryptography mailing list