On Mon, 2014-03-31 at 22:34 +0200, Pavel Kankovsky wrote:
On Mon, 31 Mar 2014, Nikos Mavrogiannopoulos wrote:
> I don't understand what do you mean using SSH and TLS for 10 or more
> years, but we have an expectation of secrecy of data for 10 or more
> years. When you do a TLS or SSH session you don't expect that your
> transferred data will be leaked within a few months or a year later.
Let me repeat one of my footnotes:
(***) If long-term secrecy is desired for data transmitted using a
transport protocol (TLS, SSH), one should rely on perfect forward secrecy
provided by the use of ephemeral (EC)DH keys rather than on a server
private key staying confidential for a long time (not broken and not
leaked or stolen). Unfortunately, the support of ephemeral DH in many
programs is, ahem, questionable...
This is wrong as you present it. You cannot substitute forward secrecy
as a replacement for good parameters. A 512-bit DHE key exchange
provides forward secrecy but does not provide secrecy. I can break it
and decrypt all data. In all cases you need parameters that reflect the
security level required, whether in forward or non-forward secrecy.
regards,
Nikos