Perfect Forward Secrecy: Not So Perfect, Not So Forward

[Ian Batten]

Communication Data scrutiny report [1], paragraph 92 implies that Google are in a position to retrospectively decrypt SSL sessions.   

ian
> 92. Many internet services are encrypted; this includes many of the major overseas based communications services such as Gmail. Encryption is the basis of internet security and companies encrypt their services to protect their customers. If these companies are asked directly for communications data and agree to supply it, whether under RIPA or following a request under a Mutual Legal Assistance Treaty (MLAT), then they will decrypt the information, extract the relevant communications data and provide it to the requesting authority in an accessible format. They told us however that if information about their service was collected by another CSP they would not cooperate in helping decrypt it. Sarah Hunter from Google explained:
> 
> “From a Google Inc perspective, we are very confident about the security of our encryption. If a valid RIPA request comes in or UK law enforcement goes through the MLAT, receives a court order and in turn gets Gmail user data, we will obviously provide that data decrypted. If it was to use a third-party provider to gather the encrypted data, I think it very unlikely that Google Inc would provide anyone outside Google Inc with that key. That is simply because, as everyone said earlier, security is our most important asset. Our relationship with our users is predicated on trust. Without that, we have no business”.65 
> 



[1] http://www.publications.parliament.uk/pa/jt201213/jtselect/jtdraftcomuni/79/79.pdf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.chiark.greenend.org.uk/pipermail/ukcrypto/attachments/20121211/daa4604c/attachment.html>