[liberationtech] [cryptography] SSL session resumption defective (Re: What project would you finance? [WAS: Potential funding for crypto-related projects])

Eugen Leitl eugen at
Fri Jul 5 01:58:53 PDT 2013

----- Forwarded message from Adam Back <adam at> -----

Date: Thu, 4 Jul 2013 20:33:50 +0200
From: Adam Back <adam at>
To: Thierry Moreau <thierry.moreau at>
Cc: Crypto discussion list <cryptography at>
Subject: Re: [cryptography] SSL session resumption defective (Re: What project would you finance? [WAS: Potential funding for crypto-related
User-Agent: Mutt/1.5.21 (2010-09-15)

I do not think it is a narrow difference.  End point compromise via
subpoena, physical seizing, or court mandated disclosure are far different
things than pre-emptive storing and later decryption.  The scale at which a
society will do them, and tolerate doing them given their inherently
increased visibility is much curtailed.  Trying to do wide scale MITM is
much harder than hoovering ciphertext and then after the fact obtaining
keys by whatever method is expedient, legal/extra-legal, secret
particularized warrant, secret general warrants, government authorized
malware, etc.  All of these things are apparently happening on scale larger
than authorized by society.

Having to physically seize systems, issue individualized subpoenas to a
generally public court process based on articulated suspicion creates a
natural balance vs general warrants that the US rightly fought a revolution
against my ancestors, the British over.

Basically unless you think PRISM is a good idea, you should use DH.

On Thu, Jul 04, 2013 at 12:37:40PM -0400, Thierry Moreau wrote:
>> (The argument that other parts of the system are poorly secured, is not an
>> excuse; and anyway their failure modes are quite distinct).
> In my opinion, when you consider the casual user needs, I see those
> arguments not at a top priority.

Subpoena resistance is a pretty high priority for end user systems.

>> Btw DH is not the only way to get forward secrecy; ephemeral (512-bit) RSA
>> keys were used as part of the now-defunct export ciphers, and the less well
>> known fact that you can extend forward secrecy using symmetric key one way
>> functions hash function k' = H(k), delete k.
> Not completely by this counterexample: generate k, suffer from an
> enemy copy of system state including k, let k'=H(k), delete k', use
> k' in dangerous confidence. I mean the textbook PFS definition is
> not satisfied by k'=H(k).

I think you are confusing forward secrecy (aka backward security) with
backward secrecy (forward security).  Ross Anderson tried to improve things
with his forward secure/backward secure alternative terminology:

Forward secrecy is a bad term from a mnemonic point of view, I think
Anderson's forward/backward security terms are better.  EDH provides both,
k'=H(k) provides only backward security (aka forward secrecy).  The point is
you do both; you can computationally afford to do k'=H(k) with an agile
key-schedule cipher like AES every minute or whatever.

cryptography mailing list
cryptography at

----- End forwarded message -----
Eugen* Leitl leitl
ICBM: 48.07100, 11.36820
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
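Added illustration of the k' = H(k), delete k ratchet discussed above and of Thierry's state-snapshot counterexample; this is example code written for this archive page, not code from either poster. It assumes SHA-256 as H, a demo-only XOR pad as the per-epoch cipher, a constructed key k0, and the hypothetical function names ratchet, derive_chain, seal, attacker_decrypt and demo.

```python
import hashlib
import hmac

def ratchet(k: bytes) -> bytes:
    """One ratchet step from the post: k' = H(k). The endpoint erases k afterwards."""
    return hashlib.sha256(b"ratchet-step|" + k).digest()

def derive_chain(k0: bytes, n: int) -> list[bytes]:
    """Victim-side view: epoch keys k_0 .. k_{n-1}. Kept whole here only so the
    demo can encrypt one message per epoch; a real endpoint holds just the latest."""
    chain = [k0]
    for _ in range(n - 1):
        chain.append(ratchet(chain[-1]))
    return chain

def seal(k: bytes, msg: bytes) -> bytes:
    """Demo-only cipher: XOR with an HMAC-derived 32-byte pad, one message per
    epoch key. seal() is its own inverse, so it also serves as unseal()."""
    pad = hmac.new(k, b"epoch-message", hashlib.sha256).digest()
    if len(msg) > len(pad):
        raise ValueError("demo pad is only 32 bytes")
    return bytes(a ^ b for a, b in zip(msg, pad))

def attacker_decrypt(captured_key: bytes, t: int, ciphertexts: list[bytes]) -> dict[int, bytes]:
    """Thierry's counterexample, from the attacker's side only: every ciphertext
    was recorded in advance and the state at epoch t (holding k_t) is obtained later.
    Ratcheting forward recovers k_{t+1}, k_{t+2}, ... and their messages; because H is
    one-way, k_{t-1} and earlier keys, and their messages, stay out of reach."""
    recovered = {}
    k = captured_key
    for i in range(t, len(ciphertexts)):
        recovered[i] = seal(k, ciphertexts[i])
        k = ratchet(k)  # same step the victim takes, so the keys stay in sync
    return recovered

def demo(n: int = 6, t: int = 3) -> tuple[list[bytes], dict[int, bytes]]:
    """Constructed scenario: n epochs of traffic, state snapshot taken at epoch t."""
    k0 = bytes(range(32))  # constructed demo key, not a real secret
    chain = derive_chain(k0, n)
    msgs = [f"epoch {i} traffic".encode() for i in range(n)]
    cts = [seal(chain[i], msgs[i]) for i in range(n)]
    return msgs, attacker_decrypt(chain[t], t, cts)

if __name__ == "__main__":
    msgs, rec = demo()
    print("epochs readable after a snapshot at t=3:", sorted(rec))  # [3, 4, 5]
```

Epochs before the snapshot stay unreadable (backward security in Anderson's terms, forward secrecy in the usual ones), while everything from the snapshot onward is exposed, which is exactly the gap EDH closes.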
