On 11/07/17 21:03, Ted Lemon wrote:
> Ah, you mean the first time the attack happens in the wild.

Well, the first time it's detected in the wild.

> Sure, I can see that, but that gains the attacker no real advantage over
> just exfiltrating all the keys.

I agree. I think one can actually generalise here and argue that there's no value in new standards for bad crypto, only in standards for current BCP crypto. (On the basis that if it's crap crypto there's too much damage potential in the homogeneous environment created by a successful standard.)

> Once you make the number of keys large enough to be hard to detect, you
> have a really big key management problem.

Not necessarily. I'd bet folks would invent proprietary ways of avoiding detection that deviate from the "standard" and that perhaps make crypto worse all around. Say by deriving secrets from some function f(exfiltrated-secret, time, count) for a small counter or some such, and having the decryptor of the wiretapped packets hunt a bit for the right key.

> Might as well just make it a logging problem. So we've forced them to do
> the thing that makes pervasive monitoring hard and point monitoring easy.
> I call that a win.
>
> Note that if we took a distributed approach to discovering key reuse, it
> would be almost impossible for any large site to conceal.

I would bet there are ways to hide from that.

Cheers,
S.

PS: There are also genuine performance reasons why the same DH public might be re-used in some cases, so there would be false positives in a survey to consider as well.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
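The mail above argues three things in passing: a server that reuses one static DH key share is easy to spot in a survey of observed handshakes, a server that derives per-handshake keys as f(exfiltrated-secret, time, count) is not (the wiretap side just "hunts a bit" over the counter), and a survey needs a threshold because some reuse is legitimate. The following is an added example modelling that argument; it is not code from the mail, from the TLS working group, or from any TLS implementation. Everything in it is an assumption for illustration: the modulus (the Mersenne prime M61) and generator 3 form a toy group that is far too small for real use, HMAC-SHA256 stands in for the unspecified f, the `time_bucket` is passed in explicitly, and all function names, the master secret and the counter range are made up here.

```python
"""Toy model of the key-reuse-survey argument: static escrow vs. counter-derived
escrow vs. an honest server, plus the wiretap side's counter hunt.
Added example; not code from the mail or from any TLS implementation."""
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, List, Optional

# Toy DH parameters (assumption for the example): modulus M61, generator 3.
# Far too small for real use; only the bookkeeping of who can compute which
# key matters here.  Real TLS uses RFC 7919 groups or X25519.
P = 2**61 - 1
G = 3


def public_of(priv: int) -> int:
    """DH key share g^priv mod p."""
    return pow(G, priv, P)


def session_secret(priv: int, peer_pub: int) -> int:
    """Shared secret peer_pub^priv mod p."""
    return pow(peer_pub, priv, P)


def honest_session_publics(n: int) -> List[int]:
    """Fresh ephemeral private key per handshake, as TLS 1.3 intends."""
    return [public_of(1 + secrets.randbelow(P - 2)) for _ in range(n)]


def static_session_publics(n: int, priv: int) -> List[int]:
    """Naive escrow: one long-lived private key, the same key share every time."""
    return [public_of(priv)] * n


def derive_private(master: bytes, time_bucket: int, counter: int) -> int:
    """f(exfiltrated-secret, time, count): a private key that anyone holding the
    master secret can regenerate.  HMAC-SHA256 stands in for the unspecified f."""
    info = time_bucket.to_bytes(8, "big") + counter.to_bytes(4, "big")
    digest = hmac.new(master, info, hashlib.sha256).digest()
    return 1 + int.from_bytes(digest, "big") % (P - 2)


def derived_session_publics(master: bytes, time_bucket: int, n: int) -> List[int]:
    """Escrow that deviates from the 'standard': every handshake shows a
    different key share, yet all of them are recoverable from the master secret."""
    return [public_of(derive_private(master, time_bucket, c)) for c in range(n)]


def survey_reuse(observed: List[int], threshold: int = 2) -> Dict[int, int]:
    """What a distributed survey of observed server key shares can flag: shares
    seen at least `threshold` times.  The threshold exists because some servers
    legitimately reuse a share for a short while, so flagging every repeat
    would produce false positives."""
    counts = Counter(observed)
    return {pub: c for pub, c in counts.items() if c >= threshold}


def wiretap_recover(master: bytes, server_pub: int, time_bucket: int,
                    max_counter: int) -> Optional[int]:
    """The decryptor 'hunts a bit': regenerate the candidate private key for
    each counter value until one reproduces the observed server key share."""
    for c in range(max_counter):
        priv = derive_private(master, time_bucket, c)
        if public_of(priv) == server_pub:
            return priv
    return None


if __name__ == "__main__":
    master = b"constructed exfiltrated master secret"  # constructed sample input
    bucket = 17473  # e.g. a day number; the wiretap side knows the capture time

    print("static escrow flagged:", survey_reuse(static_session_publics(50, 12345)))
    print("honest server flagged:", survey_reuse(honest_session_publics(50)))
    shares = derived_session_publics(master, bucket, 50)
    print("derived escrow flagged:", survey_reuse(shares))

    # One captured handshake: the client's share plus the server's derived share.
    client_priv = 1 + secrets.randbelow(P - 2)
    client_pub = public_of(client_priv)
    server_priv = wiretap_recover(master, shares[7], bucket, max_counter=1000)
    assert server_priv is not None
    print("wiretap recovers the session secret:",
          session_secret(server_priv, client_pub)
          == session_secret(client_priv, shares[7]))
```

The survey sees the static-escrow server immediately (one share, fifty handshakes) but reports nothing for the derived scheme, because its shares are pairwise distinct; the only party that can tell the derived server from the honest one is the one holding the master secret, who recovers the server's private key with at most `max_counter` regenerations and then computes the session secret exactly as the server did. Raising the survey threshold above 2 to tolerate the legitimate short-term reuse mentioned in the PS widens that blind spot further.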