From: “Perry E. Metzger” <perry@piermont.com>
To: frantz@netcom.com (Bill Frantz)
Message Hash: 770791283aea9a939b2cdf2003f3dc87bd1557999f8dd0d83d45be01d68923e5
Message ID: <199603121951.OAA02237@jekyll.piermont.com>
Reply To: <199603121853.KAA28808@netcom8.netcom.com>
UTC Datetime: 1996-03-12 23:14:50 UTC
Raw Date: Wed, 13 Mar 1996 07:14:50 +0800
Subject: Re: Remailer passphrases
Bill Frantz writes:
> One of the reasons classical (government) crypto users change keys
> frequently is to minimize the amount of data compromised by a broken key.
> We keep hearing about NSA decrypting 20 year old cyphertext and showing
> more of the workings of the atomic spy rings operating in the 40s and 50s.
> If an opponent can rubber hose the key, her job is easy. If she has to
> perform cryptanalysis, it is much harder. Remailers should regularly
> change their keys to avoid compromising previously recorded traffic. (They
> can have a long lived key for signing their traffic keys.)

Signed Diffie-Hellman key exchanges have the property known as
"Perfect Forward Secrecy". Even if the opponent gets your public keys
it still will not decrypt any traffic for him at all -- it just lets
him pretend to be you. That's one reason why protocols like Photuris
and Oakley use the technique.

Perry
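
Added example, not part of the original message and not code from Photuris or Oakley: a long-lived key that only signs fresh Diffie-Hellman values, next to a static exchange whose session key is derived from the long-lived keys themselves. The function names, the Schnorr signature (a stand-in for any signature scheme) and the choice of the Oakley Group 1 modulus are assumptions made for this illustration.

```python
import hashlib, secrets

# Oakley Group 1 prime (RFC 2409, 768-bit MODP), generator 2. Short enough to
# embed here; far too small for real use today.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q, G = (P - 1) // 2, 2          # G generates the subgroup of prime order Q

def H(*parts):
    """Hash arbitrary values to an integer below Q."""
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(x, msg):
    """Schnorr signature, used here as a stand-in for any signature scheme."""
    k, r = keygen()
    e = H(r, msg)
    return e, (k + e * x) % Q

def verify(y, msg, sig):
    e, s = sig
    return H(pow(G, s, P) * pow(y, Q - e, P) % P, msg) == e

def signed_dh(id_a, id_b):
    """One session: each side signs a fresh DH value with its long-lived key.
    Returns (what an eavesdropper records, A's session key, B's session key)."""
    (xa, ya), (xb, yb) = id_a, id_b
    a, ga = keygen()             # ephemeral secrets: discarded on return
    b, gb = keygen()
    sig_a, sig_b = sign(xa, (ga, gb)), sign(xb, (gb, ga))
    if not (verify(ya, (ga, gb), sig_a) and verify(yb, (gb, ga), sig_b)):
        raise ValueError("bad signature on DH value")
    wire = {"ga": ga, "gb": gb, "sig_a": sig_a, "sig_b": sig_b}
    return wire, H("session", pow(gb, a, P)), H("session", pow(ga, b, P))

def static_dh(id_a, id_b):
    """Contrast: the key is derived from the long-lived keys themselves."""
    (xa, _), (_, yb) = id_a, id_b
    return H("session", pow(yb, xa, P))

def impersonate(stolen_x, peer_value):
    """All a stolen signing key buys: a valid signature on the thief's own
    fresh DH value. No input here is a secret from a recorded session."""
    _, g_new = keygen()
    return g_new, sign(stolen_x, (g_new, peer_value))
```

Two runs of `signed_dh` with the same identities yield unrelated session keys, while `static_dh` returns the same key every time, and that key can be recomputed by whoever later obtains either long-lived secret.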