[cryptography] SSL session resumption defective (Re: What project would you finance? [WAS: Potential funding for crypto-related projects])

Adam Back adam at cypherspace.org
Thu Jul 4 14:33:50 EDT 2013

I do not think it is a narrow difference.  End point compromise via
subpoena, physical seizing, or court mandated disclosure are far different
things than pre-emptive storing and later decryption.  The scale at which a
society will do them, and tolerate doing them given their inherently
increased visibility is much curtailed.  Trying to do wide scale MITM is
much harder than hoovering ciphertext and then after the fact obtaining
keys by whatever method is expedient, legal/extra-legal, secret
particularized warrant, secret general warrants, government authorized
malware, etc.  All of these things are apparently happening on scale larger
than authorized by society.

Having to physically seize systems, issue individualized subpoenas to a
generally public court process based on articulated suspicion creates a
natural balance vs general warrants that the US rightly fought a revolution
against my ancestors, the British over.

Basically unless you think PRISM is a good idea, you should use DH.

On Thu, Jul 04, 2013 at 12:37:40PM -0400, Thierry Moreau wrote:
>>(The argument that other parts of the system are poorly secured, is not an
>>excuse; and anyway their failure modes are quite distinct).
>In my opinion, when you consider the casual user needs, I see those 
>arguments not at a top priority.

Subpoena resistance is a pretty high priority for end user systems.

>>Btw DH is not the only way to get forward secrecy; ephemeral (512-bit) RSA
>>keys were used as part of the now-defunct export ciphers, and the less well
>>known fact that you can extend forward secrecy using symmetric key one way
>>functions hash function k' = H(k), delete k.
>Not completely by this counterexample: generate k, suffer from an 
>enemy copy of system state including k, let k'=H(k), delete k', use 
>k' in dangerous confidence. I mean the textbook PFS definition is not 
>satisfied by k'=H(k).

I think you are confusing forward secrecy (aka backward security) with
backward secrecy (forward security).  Ross Anderson tried to improve things
with his forward secure/backward secure alternative terminology:


Forward secrecy is a bad term from a mnemonic point of view; I think
Anderson's forward/backward security terms are better.  EDH provides both,
k'=H(k) provides only backward security (aka forward secrecy).  The point is
you do both; you can computationally afford to do k'=H(k) with an agile
key-schedule cipher like AES every minute or whatever.
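The distinction the message draws between k'=H(k) and EDH can be made concrete by simulating both key-update rules and asking what an attacker who copies the system state at one epoch can later read. The following is an added example, not code from this thread or from Adam Back; it uses SHA-256 as the one-way function H, a toy HMAC-counter keystream standing in for the cipher, and a random per-epoch secret that is discarded after use standing in for an ephemeral DH shared secret (all of these are constructed for the demonstration).

```python
"""Hash ratchet k' = H(k) versus a ratchet that also mixes in fresh ephemeral
secret material. Constructed demonstration, not code from the original thread."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def ratchet(k: bytes, fresh: Optional[bytes]) -> bytes:
    """One key-update step.  With fresh=None this is exactly k' = H(k).
    With fresh set it is k' = H(k || fresh), where fresh stands in for an
    ephemeral DH shared secret that the honest party deletes after this step."""
    h = hashlib.sha256(b"ratchet|" + k)
    if fresh is not None:
        h.update(b"|" + fresh)
    return h.digest()


def keystream(k: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode over the epoch key (constructed
    for the example; a real system would use a proper AEAD)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(k, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def run_session(seed: bytes, msgs: List[bytes], use_fresh: bool
                ) -> Tuple[List[bytes], List[bytes], List[Optional[bytes]]]:
    """Encrypt one message per epoch, ratcheting the key after each one.
    The honest party keeps only the current key; the per-epoch keys and fresh
    inputs are recorded here purely so the simulation can model a compromise
    at a chosen epoch and the fact that fresh inputs were deleted."""
    keys, cts, fresh_log = [], [], []
    k = seed
    for m in msgs:
        keys.append(k)
        cts.append(xor(m, keystream(k, len(m))))
        fresh = os.urandom(32) if use_fresh else None
        fresh_log.append(fresh)
        k = ratchet(k, fresh)          # old k is overwritten: "delete k"
    return keys, cts, fresh_log


def attacker_decrypts(snapshot_epoch: int, keys: List[bytes], cts: List[bytes],
                      fresh_log: List[Optional[bytes]]) -> Dict[int, bytes]:
    """The attacker copied the key in force at snapshot_epoch and knows the
    public ratchet function.  Earlier epochs are never reachable: that would
    require inverting H (this is the backward security / 'forward secrecy'
    that k'=H(k) does give).  Later epochs are reachable only while every
    step on the path used no fresh secret (k'=H(k) alone gives no forward
    security; mixing in deleted ephemeral material stops the walk)."""
    k = keys[snapshot_epoch]
    recovered = {snapshot_epoch: xor(cts[snapshot_epoch],
                                     keystream(k, len(cts[snapshot_epoch])))}
    for j in range(snapshot_epoch, len(cts) - 1):
        if fresh_log[j] is not None:
            break                      # ephemeral secret was deleted; attacker is stuck
        k = ratchet(k, None)
        recovered[j + 1] = xor(cts[j + 1], keystream(k, len(cts[j + 1])))
    return recovered


def compare(use_fresh: bool, snapshot_epoch: int = 3) -> Tuple[List[int], bool]:
    """Returns (epochs whose plaintext the attacker recovers, whether those
    recoveries are correct) for an 8-epoch session compromised at epoch 3."""
    msgs = [f"epoch {i} message".encode() for i in range(8)]   # constructed
    keys, cts, fresh_log = run_session(b"\x01" * 32, msgs, use_fresh)
    rec = attacker_decrypts(snapshot_epoch, keys, cts, fresh_log)
    return sorted(rec), all(rec[i] == msgs[i] for i in rec)


if __name__ == "__main__":
    print("k'=H(k) only   :", compare(use_fresh=False))   # epochs 3..7 readable
    print("H(k || fresh)  :", compare(use_fresh=True))    # only epoch 3 readable
```

Running it shows the asymmetry the message describes: under the pure hash ratchet a snapshot at epoch 3 exposes every later epoch but none of the earlier ones, while mixing in per-epoch ephemeral material confines the damage to the compromised epoch, which is why doing both (frequent k'=H(k) plus periodic EDH) is the sensible combination.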

