[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Forward secrecy in spiped
On Thu, Apr 24, 2014 at 4:04 PM, Colin Percival <cperciva@tarsnap.com> wrote:
> If you receive y=1 from a protocol-compliant endpoint, it is running with
> FPS turned off.
You're right. I had to think for a bit to come up with a proof -- for
anyone else who is wondering, it follows from there being no
non-trivial square roots of unity mod p for prime p, and from the fact
that we're working in the group of quadratic residues mod p.
> Protocol non-compliant endpoints could hardcode other values, e.g., y=2,
> which would also have the effect of breaking FPS, but of course non-compliant
> endpoints could do all sorts of things to deliberately leak keys.
Yeah, there's not much we can do to prevent that.
> It's certainly plausible as an anti-foot-shooting mechanism. It doesn't gain
> you any theoretical security (since it can be circumvented), but it might still
> be useful in practice.
>
> Want to send me a patch?
Sure, I can take a crack at it. I'll let you (and the list) know when
I have something.
-- Fred