[7018] in cryptography@c2.net mail archive
Re: Perfect Forward Security def wanted
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri May 5 18:06:28 2000
From: "Steven M. Bellovin" <smb@research.att.com>
To: John Kelsey <kelsey.j@ix.netcom.com>
Cc: William Allen Simpson <wsimpson@greendragon.com>, cryptography@c2.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 05 May 2000 16:11:17 -0400
Message-Id: <20000505201121.1602035DC2@smb.research.att.com>
In message <4.1.20000504185552.00922f00@email.plnet.net>, John Kelsey writes:
>At 02:16 PM 5/4/00 -0400, William Allen Simpson wrote:
>>In response to Perry's editorial comment:
>
>...
>>Once the private RSA key is _destroyed_ PFS is attained.
>
>Right. The thing is, usually you think in terms of generating a new key
>for every communication session and then discarding the key at the end of
>the session. This is a lot cheaper for Diffie-Hellman keys than for RSA
>keys, but you can certainly do it in principle.
Right. I've been known to describe ssh's approach -- hourly, generate a new,
relatively-short RSA key for session key exchange -- as "imperfect forward
secrecy", since if you strike at the right time you can read the traffic.
--Steve Bellovin
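The two schemes contrasted in this thread, a key-exchange key discarded after every session versus one regenerated on a fixed schedule such as ssh's hourly server key, differ in how many recorded sessions a single key compromise exposes. The following Python is an added illustration, not code from the list discussion: a toy ephemeral Diffie-Hellman exchange (the 127-bit Mersenne modulus is chosen only so the example runs instantly and is not a usable group) plus a small model that, given a key-rotation interval and a compromise time, lists which sessions' key exchanges that compromise would unlock. The session timings are constructed sample data.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Toy group parameters: a Mersenne prime modulus so pow() is fast.
# ASSUMPTION for illustration only; real deployments use a standardized
# large safe-prime MODP group or an elliptic curve.
P = (1 << 127) - 1
G = 2


def dh_keypair() -> Tuple[int, int]:
    """Return (private exponent, public value) for one side of an exchange."""
    private = secrets.randbelow(P - 3) + 2          # in [2, P-2]
    return private, pow(G, private, P)


def session_key(private: int, peer_public: int) -> bytes:
    """Derive a 32-byte session key from the shared DH secret."""
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def ephemeral_exchange() -> bytes:
    """One session's key agreement with per-session (ephemeral) exponents.

    Both exponents exist only for the duration of this call; nothing
    long-lived that could later be stolen participated in deriving the key.
    (Python cannot guarantee the integers are zeroed in memory, which is
    one reason real implementations do this in C with explicit wiping.)
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = session_key(a_priv, b_pub)
    key_b = session_key(b_priv, a_pub)
    if key_a != key_b:
        raise RuntimeError("DH agreement failed")
    del a_priv, b_priv
    return key_a


@dataclass(frozen=True)
class Session:
    name: str
    start: int   # seconds on a relative clock (constructed sample data)
    end: int


def key_window(session: Session, rotation: Optional[int]) -> Tuple[int, int]:
    """Lifetime [start, end) of the key that protected this session's exchange.

    rotation=None models a per-session ephemeral key: it lives exactly as
    long as the session. An integer models a key regenerated every
    `rotation` seconds and shared by every session set up in that interval.
    """
    if rotation is None:
        return session.start, session.end
    slot = session.start // rotation
    return slot * rotation, (slot + 1) * rotation


def exposed_sessions(sessions: List[Session], rotation: Optional[int],
                     compromise_time: int) -> List[str]:
    """Sessions an attacker with recorded traffic could read after stealing
    the key-exchange key that is live at compromise_time."""
    names = []
    for s in sessions:
        lo, hi = key_window(s, rotation)
        if lo <= compromise_time < hi:
            names.append(s.name)
    return names


# Constructed sample: five 300-second sessions over a little more than an hour.
SESSIONS = [
    Session("s1", 0, 300),
    Session("s2", 600, 900),
    Session("s3", 1800, 2100),
    Session("s4", 3000, 3300),
    Session("s5", 4200, 4500),
]

if __name__ == "__main__":
    print("per-session key:", ephemeral_exchange().hex())
    # A key stolen at t=2000 with hourly rotation unlocks every session of that hour.
    print("hourly rotation, stolen at t=2000:", exposed_sessions(SESSIONS, 3600, 2000))
    # With ephemeral keys only the session in progress at t=2000 is at risk.
    print("ephemeral keys, stolen at t=2000:", exposed_sessions(SESSIONS, None, 2000))
```

The model is deliberately agnostic about the algorithm: a rotated RSA key and a rotated DH key expose the same set of sessions, which is the sense in which "imperfect forward secrecy" is about key lifetime rather than about the primitive.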