
D-H Forward Secrecy for E-Mail?




At 2:48 AM -0700 10/12/97, Adam Back wrote:

>Once you acknowledge that it is more secure to have short lived
>communication keys (which in my view it very clearly is), it should be
...


Just what are some of the issues with us getting D-H-type perfect forward
secrecy with something like e-mail? I assume this must be possible, of
course, as D-H is used in just these ways. (The Comsec 3DES phone I have
does this, of course.) (To repeat what has already been said, forward
secrecy means some of the important keys are not kept or stored, and so a
subpoena at some future time to produce the keys used in a communication is
pointless. Cf. Schneier for more.)

First and foremost as a requirement would be the need for a back-and-forth
communication, in a real-time or nearly real-time mode. This rules out
conventional e-mail with its long and variable latencies for delivery. (Not
to mention diverse clients and their inability to respond automatically!)

But IRC, chat rooms, Internet telephony, etc., are all common. With
latencies of ~seconds, or even less.

I picture conventional e-mail being replaced, for this application, with
this kind of system. Maybe D-H forward secrecy systems already exist....

Forward secrecy might be arrangeable even with long-latency links...it seems
to me. (Through a series of links, compute and store the D-H parameters,
then use them with conventional e-mail for the "payload" message?)

--Tim May


The Feds have shown their hand: they want a ban on domestic cryptography
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^2,976,221   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
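
The store-ahead idea floated at the end of the message above (compute and store D-H values in advance, then use them for a later "payload" e-mail), as an added sketch that is not part of the original post: the recipient publishes one-time D-H public values, the sender combines one with a fresh value of its own, and the recipient destroys the private half after reading. Assumptions: the group `P`, `G` is a demonstration choice, the SHA-256 keystream stands in for a real cipher, and the names `Recipient`, `seal` and `open` are hypothetical.

```python
import hashlib, hmac, secrets

# Demonstration group (assumption): P is the Mersenne prime 2^521 - 1, chosen
# for brevity. A real system would use a standardized D-H group.
P, G = 2**521 - 1, 3

def keypair():
    x = secrets.randbelow(P - 3) + 2              # private exponent in [2, P-2]
    return x, pow(G, x, P)

def derive(shared, label):
    # Separate keys for encryption and authentication from one D-H secret.
    return hashlib.sha256(label + shared.to_bytes(66, "big")).digest()

def stream_xor(key, data):
    # SHA-256 counter keystream: a stand-in for a real cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(published, key_id, plaintext):
    x, y = keypair()                              # sender's half, used once, never stored
    shared = pow(published[key_id], x, P)
    ct = stream_xor(derive(shared, b"enc"), plaintext)
    tag = hmac.new(derive(shared, b"mac"), ct, "sha256").digest()
    return key_id, y, ct, tag

class Recipient:
    def __init__(self, n=3):
        # Computed and stored in advance; only the public halves are sent out.
        self._priv, self.published = {}, {}
        for i in range(n):
            self._priv[i], self.published[i] = keypair()

    def open(self, msg):
        key_id, sender_pub, ct, tag = msg
        if not 1 < sender_pub < P - 1:
            raise ValueError("bad public value")
        shared = pow(sender_pub, self._priv[key_id], P)   # KeyError if already used
        expect = hmac.new(derive(shared, b"mac"), ct, "sha256").digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("bad tag")
        del self._priv[key_id]                    # destroy the private half after use
        return stream_xor(derive(shared, b"enc"), ct)
```

Once `open` has returned, neither side holds anything that can rebuild the message key, so a stored copy of the ciphertext stays unreadable even if every remaining key is later disclosed.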