[52090] in Cypherpunks
Re: Remailer passphrases
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Wed Mar 13 16:24:20 1996
To: Bill Stewart <stewarts@ix.netcom.com>
Cc: cypherpunks@toad.com
In-Reply-To: Your message of "Tue, 12 Mar 1996 23:37:47 PST."
<199603130737.XAA22807@ix15.ix.netcom.com>
Reply-To: perry@piermont.com
Date: Wed, 13 Mar 1996 11:56:50 -0500
From: "Perry E. Metzger" <perry@piermont.com>
Bill Stewart writes:
> perry@piermont.com replied
> >Signed Diffie-Hellman key exchanges have the property known as
> >"Perfect Forward Secrecy". Even if the opponent gets your public keys
> >it still will not decrypt any traffic for him at all -- it just lets
> >him pretend to be you. Thats one reason why protocols like Photuris
> >and Oakley use the technique.
>
> DH key exchange is really only Exponentially Good Forward Secrecy,
> and in its primary use (exchanging keys for symmetric-key algorithms)
> the system is at best Good Enough Forward Secrecy.
No, signed D-H like STS is in fact perfect forward secrecy in the
sense that breaking the RSA keys gives you no information about the
session keys, and breaking one of the D-H exchanges does not (in
theory) give you any information about any of the others.
Perry
