[cryptography] SSL session resumption defective (Re: What project would you finance? [WAS: Potential funding for crypto-related projects])

Trevor Perrin trevp at trevp.net
Fri Jul 5 04:23:32 EDT 2013


On Thu, Jul 4, 2013 at 11:33 AM, Adam Back <adam at cypherspace.org> wrote:
>
>> Not completely by this counterexample: generate k, suffer from an enemy
>> copy of system state including k, let k'=H(k), delete k', use k' in
>> dangerous confidence. I mean the textbook PFS definition is not satisfied
>> by k'=H(k).
>>
>
> I think you are confusing forward secrecy (aka backward security) with
> backward secrecy (forward security).  Ross Anderson tried to improve things
> with his forward secure/backward secure alternative terminology:
>
> http://www.cypherspace.org/adam/nifs/refs/forwardsecure.pdf
>
> Forward secrecy is a bad term from a mnemonic point of view, I think
> Anderson's forward/backward security terms are better.  EDH provides both,
> k'=H(k) provides only backward security (aka forward secrecy).


Good distinction but this terminology is all pretty bad.

What about something more self-explanatory, like "back-decryption
resistance" / "forward-decryption resistance"?


Trevor
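
Added example, not part of the original message: a small Python model of the asymmetry discussed in this thread, showing which epochs one leaked key exposes under a k' = H(k) update versus independently generated keys. SHA-256, the HMAC tag used as a stand-in for "using" a key, the random per-epoch keys standing in for a fresh EDH exchange, and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

def ratchet(k: bytes) -> bytes:
    """One k' = H(k) step; SHA-256 is an assumption, the thread names no hash."""
    return hashlib.sha256(k).digest()

def hashed_schedule(k0: bytes, epochs: int) -> list:
    """Keys k_0 .. k_{epochs-1}, each one the hash of its predecessor."""
    keys = [k0]
    while len(keys) < epochs:
        keys.append(ratchet(keys[-1]))
    return keys

def fresh_schedule(epochs: int) -> list:
    """Independent random key per epoch (stand-in for a fresh EDH exchange)."""
    return [os.urandom(32) for _ in range(epochs)]

def tag(key: bytes, msg: bytes) -> bytes:
    """Stand-in for using an epoch key: a MAC only the key holder can compute."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def exposed_epochs(stolen: bytes, transcript: list) -> list:
    """Epochs an attacker holding one stolen key can open, trying the stolen
    key and every key reachable from it by hashing against every epoch."""
    candidates = [stolen]
    for _ in range(len(transcript)):
        candidates.append(ratchet(candidates[-1]))
    return [epoch for epoch, (msg, t) in enumerate(transcript)
            if any(hmac.compare_digest(tag(k, msg), t) for k in candidates)]

def run(keys: list, stolen_epoch: int) -> list:
    """Build a constructed transcript, then leak the key of one epoch."""
    transcript = []
    for i, k in enumerate(keys):
        msg = b"constructed message %d" % i  # sample data, not real traffic
        transcript.append((msg, tag(k, msg)))
    return exposed_epochs(keys[stolen_epoch], transcript)

if __name__ == "__main__":
    # Leak the epoch-2 key out of five epochs in each schedule.
    print("k' = H(k): ", run(hashed_schedule(b"\x01" * 32, 5), 2))
    print("fresh keys:", run(fresh_schedule(5), 2))
```

With the hashed schedule the leaked key opens its own epoch and every later one but none of the earlier ones; with independent keys only the leaked epoch is exposed.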