6

Why is everyone promoting Perfect Forward Secrecy (PFS) ciphersuites so fiercely?

PFS suites suffer from the same defects as any other salt-less password hashing scheme.

Namely, when the group/hash weakens, the attacker can invest in a massive pre-computation, after which individual connections/hashes can be broken with minimal additional cost. This property allows the big players to amortize the cost of the massive pre-computation over the massive amount of cracked connections. Consequently, it promotes mass snooping over targeted attacks.

This question is motivated by the WeakDH/LogJam paper.

EDIT: thanks @steffen-ullrich. It does not make sense to include the salt in "the secret", so the DHE equivalent of salt-less is "everyone uses the (few) same groups".

user185953
  • 123
  • 8

2 Answers

16

Salt-less password hashing is only a problem since the number of passwords actually used in practice is comparably small and also not evenly distributed. Thus it is possible, both in terms of time and memory, to generate a table with pre-computed hashes and then check the salt-less hashes against this table to reverse the hash. The protections against this are thus salts (increase of time and memory needed for pre-computation) and slow hashes (increase of time).

But this pre-computing will no longer be feasible if the choice of passwords is not biased towards "few" often-chosen passwords, but if instead there were a huge number of possible passwords and none of these were more likely than the others. It would simply not be practically possible in terms of time and memory to pre-compute and store the hash for all possible passwords. And that's exactly the case you have with PFS - it is simply impossible to pre-compute even a relevantly small part of all the possible values.

Steffen Ullrich
  • 1,613
  • 10
  • 11
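The table attack this answer describes, as an added example (not code from the question or the answer): a wordlist is hashed once, the resulting table is reused against every unsalted digest with a single lookup each, and the same table misses every salted digest because the salt is part of the preimage, forcing a rebuild per salt. The wordlist, the victim passwords and the fixed salts are all constructed for the illustration; SHA-256 is used only because it is a fast, unsalted hash, not as a recommendation.

```python
"""Unsalted hash: one precomputation serves every target.
Salted hash: the precomputation must be redone per salt.

Added illustration; not from the original question or answers. The wordlist
stands in for the 'comparably small and not evenly distributed' password set
the answer describes. Salts and passwords below are constructed test data.
"""
import hashlib

# Constructed 'common passwords' list. Real attackers use tens of millions.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "hunter2"]

# Constructed fixed salts, so the demo is reproducible (use os.urandom in real code).
SALT_A = bytes.fromhex("00112233445566778899aabbccddeeff")
SALT_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(salt: bytes, password: str) -> str:
    # The salt is mixed into the preimage and stored next to the digest.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(hash_fn, words):
    """One-off precomputation: digest -> password, costing len(words) hashes.
    For the unsalted scheme this single table works against every victim."""
    return {hash_fn(w): w for w in words}


def crack(table, digest):
    """Per-target cost after precomputation: one dictionary lookup."""
    return table.get(digest)


def attack_unsalted(stolen_digests):
    """Build the generic table once, then crack each digest with a lookup."""
    table = build_table(unsalted_hash, WORDLIST)
    return [crack(table, d) for d in stolen_digests]


def attack_salted(stolen_records):
    """stolen_records: list of (salt, digest).

    Returns (results from the generic unsalted table, results from per-salt
    tables, number of hashes computed for the per-salt tables). The generic
    table misses every salted record; the attacker must hash the whole
    wordlist again for each distinct salt, so the work scales with the
    number of salts instead of being amortized over all victims.
    """
    generic = build_table(unsalted_hash, WORDLIST)
    from_generic = [crack(generic, d) for _, d in stolen_records]
    per_salt, work = [], 0
    for salt, d in stolen_records:
        table = build_table(lambda w, s=salt: salted_hash(s, w), WORDLIST)
        work += len(WORDLIST)
        per_salt.append(crack(table, d))
    return from_generic, per_salt, work


if __name__ == "__main__":
    # Constructed victims: two weak passwords, one strong passphrase.
    victims = {"alice": "hunter2",
               "bob": "correct horse battery staple",
               "carol": "password123"}
    print("unsalted:", attack_unsalted([unsalted_hash(p) for p in victims.values()]))
    records = [(SALT_A, salted_hash(SALT_A, "hunter2")),
               (SALT_B, salted_hash(SALT_B, "password123"))]
    generic, per_salt, work = attack_salted(records)
    print("salted via generic table:", generic)
    print("salted via per-salt tables:", per_salt, "after", work, "extra hashes")
```

The strong passphrase is never recovered in either scheme because it is not in the wordlist; that is the other half of the answer's argument. A DHE private exponent is drawn uniformly from a space of 2^256 or more values, so no wordlist covers a meaningful fraction of it, and the table approach does not even get started.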
8
  1. We choose groups like RFC 3526 Group #14 or larger so that the precomputation is so large it is not feasible. The main problem with weakdh/logjam is that the chosen groups were originally chosen to be breakable for ‘export-grade’ cipher suites, or what I like to call ‘US imperialism-grade’ cipher suites.

    The scheme was that US companies—which are the only companies in the world who can sell cryptography products because the US is the best—were required by the NSA to use bad DH groups for any products they sold overseas, so that all cryptography outside the US would be breakable.

    When we eventually realized that it was possible for cryptography to happen in lesser lands than the United States and the whole scheme fell apart, the TLS maintainers forgot (or ‘forgot’—malice and incompetence are conveniently hard to distinguish) to remove the bad DH groups.

  2. Even better, in newer systems we choose groups that don't admit such precomputations like X25519. There is a batch advantage to attacking many X25519 targets simultaneously, but no known precomputation that speeds up any particular target, and the cost to break even the first target is still $2^{128}$.

  3. That said, ‘perfect forward secrecy’ is a value-loaded word that is best avoided because it confuses people. It is much better to say when keys are erased, because then, in order to be honest, you have to think about holes like TLS session resumption design mistakes where the keys were not erased despite using ‘PFS’ cipher suites. Key erasure means that without breaking the cryptosystem the plaintext can no longer be recovered. Of course, with a breakthrough in cryptanalysis, all bets are off.

There is a looming threat of quantum cryptanalysis in a couple decades that would enable retroactive decryption of all past TLS sessions with pre-quantum key agreement. That's why work is ongoing to deploy post-quantum key agreement as promptly as we can get confidence in it, with, e.g., the NIST PQCRYPTO competition.

Squeamish Ossifrage
  • 49,816
  • 3
  • 122
  • 230
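The amortization that the question describes and that point 1 of this answer addresses, as an added example (not code from the question or either answer): one table is precomputed for a Diffie-Hellman group, and every connection that used that group is then broken with a bounded amount of extra work, which is what makes "everyone uses the same few groups" the analogue of an unsalted hash. The group here is a constructed 14-bit safe prime so that a baby-step giant-step table fits in memory. The real attack on 512-bit export groups uses the number field sieve, whose precomputation-to-per-connection cost ratio is far larger than BSGS's roughly 1:1; the group size in point 1 is what makes either precomputation infeasible, since the BSGS table for a 2048-bit prime would need on the order of 2^1024 entries.

```python
"""Toy model of the LogJam amortization argument: a shared DH group lets an
attacker build a discrete-log table once and then recover each connection's
private exponent, and hence its shared secret, with a small extra cost.

Added illustration; not from the original question or answers. The prime,
generator search and private exponents are constructed for this demo.
"""
from math import isqrt

# Constructed toy group: p = 10007 is a safe prime (10007 = 2 * 5003 + 1).
P = 10007


def find_generator(p):
    """Smallest g of full order p-1 in Z_p^*; valid for safe primes p = 2q+1."""
    q = (p - 1) // 2
    for g in range(2, p):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g
    raise ValueError("no generator found")


G = find_generator(P)


def precompute(g, p):
    """Baby steps: the per-group table g^j -> j for 0 <= j < m, m ~ sqrt(p).

    This is the work shared by every connection that uses the same (g, p),
    the analogue of hashing a wordlist once for an unsalted scheme.
    """
    m = isqrt(p - 1) + 1
    table = {pow(g, j, p): j for j in range(m)}
    giant_step = pow(g, -m, p)          # g^(-m); pow with -m needs Python 3.8+
    return table, m, giant_step


def discrete_log(table, m, giant_step, h, p):
    """Giant steps: find x with g^x = h using at most m multiplications.

    Returns (x, steps_used) so the per-connection cost is visible.
    """
    gamma = h
    for i in range(m):
        if gamma in table:              # h * g^(-i*m) == g^j  =>  x = i*m + j
            return i * m + table[gamma], i + 1
        gamma = gamma * giant_step % p
    return None, m


def make_connections(exponents, g=G, p=P):
    """Constructed traffic: each (a, b) private pair yields the public values
    (g^a, g^b) that an eavesdropper sees in the key exchange."""
    return [(pow(g, a, p), pow(g, b, p)) for a, b in exponents]


def break_connections(connections, g=G, p=P):
    """Build the table exactly once, then break every captured connection.

    connections: list of (client_public, server_public).
    Returns [(recovered_client_exponent, shared_secret, giant_steps)].
    """
    table, m, giant_step = precompute(g, p)
    results = []
    for a_pub, b_pub in connections:
        a, steps = discrete_log(table, m, giant_step, a_pub, p)
        if a is None:
            raise RuntimeError("exponent outside search range")
        shared = pow(b_pub, a, p)       # K = (g^b)^a, the client's computation
        results.append((a, shared, steps))
    return results


# Constructed private exponents (client, server) for five "connections".
EXPONENTS = [(1234, 5678), (42, 9001), (8191, 3), (7777, 6666), (5002, 5004)]

if __name__ == "__main__":
    table, m, _ = precompute(G, P)
    print(f"g={G}, p={P}: table of {len(table)} entries built once (m={m})")
    results = break_connections(make_connections(EXPONENTS))
    for (a, b), (a_rec, k, steps) in zip(EXPONENTS, results):
        print(f"a={a:5d} recovered={a_rec:5d} giant steps={steps:3d} "
              f"K={k:5d} matches={k == pow(G, a * b, P)}")
```

Every connection is recovered with at most m = 101 giant steps against a table of 101 entries, and that table is never rebuilt. A connection that used a different (g, p) would get nothing from this table, which is the "salt" the question's edit refers to; X25519, as point 2 says, offers no known table of this kind at all.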