[Discuss] KeePassX

[gaf at blu.org (Jerry Feldman)]

Agreed. But, breaking the session key only works for a single message or 
a single session. If they want to target a specific individual, breaking 
the RSA/DSA keys will give them access to all encrypted messages. 
(within the context is that a sent message is encrypted by the 
recipient's public key), so to make this bidierctional they need to 
break 2 keys, so the job gets more difficult. Breaking the session key 
works if they want to look at random messages, but breaking the RSA/DSA 
keys woprks better when they have a specific target in mind.

On 08/13/2013 05:40 PM, Richard Pieri wrote:
> John Abreau wrote:
>> Nope, sorry, each individual message has its own unique session key.
>> Cracking the session key on one particular message tells you nothing
>> about the session key on subsequent messages.
>
> If I decrypt the message by breaking the session key then yes, I can 
> only decrypt that one message.
>
> But, if I can do this then I know what the session key is. This means 
> that I have a 100% known plain-text correspondence with the encrypted 
> session key. This may make it easier to attack a given RSA or DSA key 
> pair.
>
> Attacking the RSA or DSA asymmetric keys directly is believed to be 
> more difficult than attacking the session key. Given that the NSA has 
> approved both for commercial use, just as they have approved AES for 
> commercial use, I assume that they are aware of exploitable weaknesses 
> in both.
>


-- 
Jerry Feldman <gaf at blu.org>
Boston Linux and Unix
PGP key id:3BC1EB90
PGP Key fingerprint: 49E2 C52A FC5A A31F 8D66  C0AF 7CEA 30FC 3BC1 EB90