My understanding is that if they're using Perfect Forward Security it doesn't matter, because unless you're modifying the traffic in flow (which is much harder to do secretly) then it doesn't matter if someone else has the private key, they won't be able to decrypt the data in any case.
I'm no expert in PFS in TLS, but there are various key-agreement protocols that allow parties to establish a secure key over an insecure channel.
I believe the way PFS works is that it uses RSA to verify identity and then Diffie-Hellman to establish keys.
If you're only able to passively intercept data (i.e. you can't impersonate the server and MITM) then you're unable to discover what the key established by DH is.
(Incidentally, nonces are generally only relevant for preventing replay attacks; the nonce doesn't play a part in passive defence.)
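
The contrast this comment describes, as an added example that is not part of the original post: a recorded RSA key-transport session is readable by anyone who later obtains the server's private key, while a recorded ephemeral Diffie-Hellman session is not. All parameters are constructed toy values (small Mersenne primes, a toy DH group) and the function names are hypothetical.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only (far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1            # Mersenne primes: server's long-term RSA key
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # RSA private exponent the attacker later obtains
DH_P, DH_G = 2**127 - 1, 3             # toy Diffie-Hellman group


def _digest(value: int) -> int:
    """Hash an integer into the RSA modulus range (stand-in for signature padding)."""
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % N


def rsa_key_transport():
    """No forward secrecy: the client encrypts the session secret to the RSA public key."""
    secret = secrets.randbelow(N - 2) + 2
    transcript = {"encrypted_secret": pow(secret, E, N)}    # what a passive observer records
    return transcript, secret


def ephemeral_dh():
    """Forward secrecy: RSA only signs the server's share; the key comes from DH."""
    a = secrets.randbelow(DH_P - 3) + 2    # client ephemeral exponent, discarded after use
    b = secrets.randbelow(DH_P - 3) + 2    # server ephemeral exponent, discarded after use
    share_a, share_b = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    transcript = {"client_share": share_a, "server_share": share_b,
                  "signature": pow(_digest(share_b), D, N)}
    assert pow(share_a, b, DH_P) == pow(share_b, a, DH_P)   # both ends derive the same key
    return transcript, pow(share_b, a, DH_P)


def server_signature_valid(transcript) -> bool:
    """Identity check: the RSA key authenticates the server's DH share."""
    return pow(transcript["signature"], E, N) == _digest(transcript["server_share"])


def passive_attacker(transcript, stolen_d):
    """Session secret recoverable from a recording plus the RSA private key, else None."""
    if "encrypted_secret" in transcript:
        return pow(transcript["encrypted_secret"], stolen_d, N)
    # DHE: nothing on the wire was encrypted under RSA. The stolen key can sign
    # (useful only for active impersonation), but recovering the session key
    # needs an ephemeral exponent, which never crossed the wire.
    return None
```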