On Mon, 2014-03-31 at 22:34 +0200, Pavel Kankovsky wrote:
> On Mon, 31 Mar 2014, Nikos Mavrogiannopoulos wrote:
>
> > I don't understand what you mean by using SSH and TLS for 10 or more
> > years, but we have an expectation of secrecy of data for 10 or more
> > years. When you do a TLS or SSH session you don't expect that your
> > transferred data will be leaked within a few months or a year later.
>
> Let me repeat one of my footnotes:
> (***) If long-term secrecy is desired for data transmitted using a
> transport protocol (TLS, SSH), one should rely on perfect forward secrecy
> provided by the use of ephemeral (EC)DH keys rather than on a server
> private key staying confidential for a long time (not broken and not
> leaked or stolen). Unfortunately, the support of ephemeral DH in many
> programs is, ahem, questionable...

This is wrong as you present it. You cannot substitute forward secrecy as
a replacement for good parameters. A 512-bit DHE key exchange provides
forward secrecy but does not provide secrecy. I can break it and decrypt
all data. In all cases you need parameters that reflect the security level
required, whether in forward or non-forward secrecy.

regards,
Nikos

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
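The practical consequence of Nikos's point is that a defender has to check the size of the DH group a server actually deploys, not just whether DHE ciphersuites are enabled. The following is an added example, not code from this thread: it parses a PKCS#3 "DH PARAMETERS" PEM file (the format fed to Apache, nginx, etc.) with a minimal DER decoder and rejects moduli below a policy threshold. The 2048-bit minimum is an assumption for the policy; the sample parameters are constructed in the block (the moduli are not real primes, they only exercise the size check).

```python
"""Check the modulus size of PKCS#3 DH parameters before deploying them."""
import base64
import re

MIN_DH_BITS = 2048  # policy assumption: 2048-bit DH ~ 112-bit security (NIST SP 800-57)


def _der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    """Encode a non-negative INTEGER; pad with 0x00 if the high bit is set."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p, g):
    """DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER } (PKCS#3)."""
    body = _der_int(p) + _der_int(g)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Read one tag-length-value at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def decode_dh_params(der):
    """Return (p, g) from a DER-encoded DHParameter, rejecting wrong tags."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(body, 0)
    tag_g, g_bytes, _ = _read_tlv(body, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def make_pem(p, g):
    """Wrap DER parameters in the PEM block servers expect (used for samples)."""
    b64 = base64.b64encode(encode_dh_params(p, g)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def check_dh_params(pem, min_bits=MIN_DH_BITS):
    """Parse a DH PARAMETERS PEM and report whether the modulus meets policy."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    p, g = decode_dh_params(base64.b64decode("".join(m.group(1).split())))
    return {"bits": p.bit_length(), "generator": g, "acceptable": p.bit_length() >= min_bits}


# Constructed samples: a 512-bit and a 2048-bit modulus (not real primes).
WEAK_DH_PEM = make_pem((1 << 511) | 1, 2)
STRONG_DH_PEM = make_pem((1 << 2047) | 1, 2)
```

A 512-bit group is reported as unacceptable even though the exchange is ephemeral, which is exactly the distinction between forward secrecy and an adequate security level.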