> - From your wikipedia reference:
>
> "In an authenticated key-agreement protocol that uses public key
> cryptography, perfect forward secrecy (or PFS) is the property
> that ensures that a session key derived from a set of long-term
> public and private keys will not be compromised if one of the
> private keys is compromised in the future."
>
> I assume if the attacker has the public and private keys from not just
> one, but both ends, that PFS is not an obstacle.
No, actually I don't think that's the case, though it could depend on
the protocol specifics. An after-the-fact offline attack normally
wouldn't be possible without some knowledge of the session key, or of
just one (out of two) of the DH secrets computed, but none of these are
ever sent over the wire. The DH exchange doesn't have to depend on the
main secret keys at all. Once again, a real-time attack is certainly
doable by simply faking the exchange with either or both ends as they
set up the session key.
HTH,
tim
Received on Jul 10 2008
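Tim's point above, as an added example that is not part of the original thread: a toy authenticated DH handshake in Python (the tiny group and the HMAC-based authentication of the ephemeral values are my own constructions, not any particular protocol), showing that an attacker who later obtains both long-term private keys plus a full recording can recompute a static-static session key but not an ephemeral one, because the ephemeral exponents never go over the wire.

```python
import hmac, hashlib, secrets

# Constructed toy DH group: a 127-bit Mersenne prime and a small generator.
# Far too small for real use; it only serves to show the key-derivation structure.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 2) + 1          # private exponent, never sent
    return priv, pow(G, priv, P)                  # (private, public)

def kdf(shared_secret):
    # Session key = hash of the DH shared secret (values < P fit in 16 bytes).
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()

def mac(key, value):
    return hmac.new(key, value.to_bytes(16, "big"), "sha256").digest()

def static_session(my_priv, peer_pub):
    # No forward secrecy: the session key depends only on the long-term keys.
    return kdf(pow(peer_pub, my_priv, P))

def ephemeral_handshake(a_priv, a_pub, b_priv, b_pub):
    """Ephemeral DH, each value authenticated under the static-static secret.
    Returns both sides' session keys and everything an eavesdropper records."""
    auth_key = kdf(pow(b_pub, a_priv, P))   # both ends (and anyone holding a
                                            # long-term key) can compute this
    x, gx = keypair()                       # A's ephemeral pair
    y, gy = keypair()                       # B's ephemeral pair
    wire = {"a_pub": a_pub, "b_pub": b_pub, "gx": gx, "gy": gy,
            "tag_a": mac(auth_key, gx), "tag_b": mac(auth_key, gy)}
    # B checks A's ephemeral value, A checks B's; a mismatch aborts the handshake.
    if not hmac.compare_digest(wire["tag_a"], mac(kdf(pow(a_pub, b_priv, P)), gx)):
        raise ValueError("B: authentication of A's ephemeral value failed")
    if not hmac.compare_digest(wire["tag_b"], mac(auth_key, gy)):
        raise ValueError("A: authentication of B's ephemeral value failed")
    return kdf(pow(gy, x, P)), kdf(pow(gx, y, P)), wire

def offline_attack(wire, a_priv, b_priv):
    """Attacker later steals BOTH long-term private keys and has the recording.
    Returns every key derivable by DH between a leaked exponent and any public
    value on the wire. x and y were never sent, so g^xy is not among them."""
    pubs = [wire["a_pub"], wire["b_pub"], wire["gx"], wire["gy"]]
    return {kdf(pow(pub, priv, P)) for priv in (a_priv, b_priv) for pub in pubs}
```

Note that `offline_attack` does recover `auth_key`, which is exactly why Tim's real-time attack (forging the exchange while the session is being set up) remains possible even though the recorded session key does not fall out of the stolen long-term keys.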