Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Feds put heat on Web firms for master encryption keys

Owen Barton owen at
Thu Jul 25 13:45:34 PDT 2013

On Thu, Jul 25, 2013 at 12:05 PM, Andy Isaacson <adi at> wrote:

> On Thu, Jul 25, 2013 at 04:41:43AM -0700, Owen Barton wrote:
> > > > If a government
> > > > secretly aquired the SSL private keys for a site, and the site
> > > > continued using them, then no convergence notary would know any
> > > > cause not to vouch for the key.
> > >
> > > What helps here is perfect forward secrecy.
> >
> > Could you describe how PFS helps here - the article didnt mesh with my
> > understanding here?
> >
> > My understanding was that PFS was primarily a defense against
> > (non-real-time) cryptographic attacks on stored traffic - if PFS is not
> > used the attacker could decrypt much more traffic with the same compute
> > power, since the same session key is used for much more data, wheras with
> > PFS the session is tiny, meaning that the attacker only gets a tiny bit
> of
> > data for the same level of juice.
> That's not an accurate simplification of how ECDHE key exchange works
> under the eavesdropper+compelled-key-disclosure threat model.
> non-PFS:
> Under standard RSA key exchange in TLS, the "session key" is encrypted
> under a public/private keypair and sent over the link.
> PFS:
> Under ECDHE key exchange in TLS, the two sides compute a shared secret
> which is never sent over the link.  This is forward secure because once
> the session key is deleted, there is not enough information to
> reconstruct the session key, even given the private key.
> Under RSA (non-"PFS"), a recording of the encrypted session can be
> decrypted by the private key by recovering the session key.
> Given the private key of a non-PFS session, decrypting a recording is
> the same amount of work as participating in the encrypted session.
> (Almost no work.)
> Given the private key of a PFS session, decrypting the recording is the
> same amount of work as brute-forcing the AES session key.  (An enormous
> amount of work, far beyond the expected ability of Bluffdale still.)
> However, if the wiretapper has the private key ahead of time and
> performs an active MITM, the wiretapper can obviously perform a
> decrypt-reencrypt hop and interpose on both PFS and non-PFS sessions.
> This is much more expensive (in terms of operational costs, man-hours,
> and risk of catastrophic disclosure of the captured private keys).

Thanks for the great explanation Andy!
I think the main thing I hadn't fully understood that the session key was
recoverable under RSA.

- Owen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the liberationtech mailing list