Search Mailing List Archives
[liberationtech] Feds put heat on Web firms for master encryption keys
owen at owenbarton.com
Thu Jul 25 13:45:34 PDT 2013
On Thu, Jul 25, 2013 at 12:05 PM, Andy Isaacson <adi at hexapodia.org> wrote:
> On Thu, Jul 25, 2013 at 04:41:43AM -0700, Owen Barton wrote:
> > > > If a government
> > > > secretly aquired the SSL private keys for a site, and the site
> > > > continued using them, then no convergence notary would know any
> > > > cause not to vouch for the key.
> > >
> > > What helps here is perfect forward secrecy.
> > Could you describe how PFS helps here - the article didnt mesh with my
> > understanding here?
> > My understanding was that PFS was primarily a defense against
> > (non-real-time) cryptographic attacks on stored traffic - if PFS is not
> > used the attacker could decrypt much more traffic with the same compute
> > power, since the same session key is used for much more data, wheras with
> > PFS the session is tiny, meaning that the attacker only gets a tiny bit
> > data for the same level of juice.
> That's not an accurate simplification of how ECDHE key exchange works
> under the eavesdropper+compelled-key-disclosure threat model.
> Under standard RSA key exchange in TLS, the "session key" is encrypted
> under a public/private keypair and sent over the link.
> Under ECDHE key exchange in TLS, the two sides compute a shared secret
> which is never sent over the link. This is forward secure because once
> the session key is deleted, there is not enough information to
> reconstruct the session key, even given the private key.
> Under RSA (non-"PFS"), a recording of the encrypted session can be
> decrypted by the private key by recovering the session key.
> Given the private key of a non-PFS session, decrypting a recording is
> the same amount of work as participating in the encrypted session.
> (Almost no work.)
> Given the private key of a PFS session, decrypting the recording is the
> same amount of work as brute-forcing the AES session key. (An enormous
> amount of work, far beyond the expected ability of Bluffdale still.)
> However, if the wiretapper has the private key ahead of time and
> performs an active MITM, the wiretapper can obviously perform a
> decrypt-reencrypt hop and interpose on both PFS and non-PFS sessions.
> This is much more expensive (in terms of operational costs, man-hours,
> and risk of catastrophic disclosure of the captured private keys).
Thanks for the great explanation Andy!
I think the main thing I hadn't fully understood that the session key was
recoverable under RSA.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the liberationtech