[cryptography] SSL session resumption defective (Re: What project would you finance? [WAS: Potential funding for crypto-related projects])

Trevor Perrin trevp at trevp.net
Fri Jul 5 04:23:32 EDT 2013

On Thu, Jul 4, 2013 at 11:33 AM, Adam Back <adam at cypherspace.org> wrote:
>> Not completely by this counterexample: generate k, suffer from an enemy
>> copy of system state including k, let k'=H(k), delete k', use k' in
>> dangerous confidence. I mean the textbook PFS definition is not satisfied
>> by k'=H(k).
> I think you are confusing forward secrecy (aka backward security) with
> backward secrecy (forward security).  Ross Anderson tried to improve things
> with his forward secure/backward secure alternative terminology:
> http://www.cypherspace.org/adam/nifs/refs/forwardsecure.pdf
> Forward secrecy is a bad term from a mnemonic point of view, I think
> Anderson's forward/backward security terms are better.  EDH provides both,
> k'=H(k) provides only backward security (aka forward secrecy).

Good distinction but this terminology is all pretty bad.

What about something more self-explanatory, like "back-decryption
resistance" / "forward-decryption resistance"?
