[cryptography] SSL session resumption defective (Re: What project would you finance? [WAS: Potential funding for crypto-related projects])
trevp at trevp.net
Fri Jul 5 04:23:32 EDT 2013
On Thu, Jul 4, 2013 at 11:33 AM, Adam Back <adam at cypherspace.org> wrote:
>> Not completely by this counterexample: generate k, suffer from an enemy
>> copy of system state including k, let k'=H(k), delete k', use k' in
>> dangerous confidence. I mean the textbook PFS definition is not satisfied
>> by k'=H(k).
> I think you are confusing forward secrecy (aka backward security) with
> backward secrecy (forward security). Ross Anderson tried to improve things
> with his forward secure/backward secure alternative terminology:
> Forward secrecy is a bad term from a mnemonic point of view, I think
> Anderson's forward/backward security terms are better. EDH provides both,
> k'=H(k) provides only backward security (aka forward secrecy).
Good distinction but this terminology is all pretty bad.
What about something more self-explanatory, like "back-decryption
resistance" / "forward-decryption resistance"?
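
The distinction drawn in the quoted text, as an added example that is not part of the original message: a snapshot of key state taken at one epoch is tested against a k'=H(k) ratchet and against per-epoch ephemeral Diffie-Hellman. The 127-bit toy group, SHA-256 as H, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption): Mersenne prime 2^127 - 1.
# Far too small for real use; it only keeps the example self-contained.
P = 2**127 - 1
G = 3

def H(k):
    return hashlib.sha256(k).digest()

def hash_ratchet(k0, epochs):
    """Key schedule k' = H(k): each epoch key is the hash of the previous one."""
    keys = [k0]
    for _ in range(epochs - 1):
        keys.append(H(keys[-1]))
    return keys

def edh_epochs(epochs):
    """One fresh ephemeral DH exchange per epoch; exponents are dropped after use."""
    keys = []
    for _ in range(epochs):
        a = secrets.randbelow(P - 2) + 1   # side A's ephemeral exponent
        b = secrets.randbelow(P - 2) + 1   # side B's ephemeral exponent
        shared = pow(pow(G, a, P), b, P)   # equals pow(pow(G, b, P), a, P)
        keys.append(H(shared.to_bytes(16, "big")))
    return keys

def exposed_epochs(keys, t):
    """Epochs whose key follows from a state snapshot at epoch t.

    Modelled capability: the holder of keys[t] can hash forward as often as
    it likes. Reaching an earlier ratchet key would require inverting H.
    """
    derived, k = set(), keys[t]
    for _ in keys:
        derived.add(k)
        k = H(k)
    return [i for i, key in enumerate(keys) if key in derived]

if __name__ == "__main__":
    ratchet = hash_ratchet(b"constructed seed", 6)
    print("k'=H(k), snapshot at epoch 2 exposes:", exposed_epochs(ratchet, 2))
    print("EDH,     snapshot at epoch 2 exposes:", exposed_epochs(edh_epochs(6), 2))
```

With the ratchet, the snapshot yields every later epoch key and none of the earlier ones; with a fresh exchange per epoch it yields only the epoch that was captured.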