[Cryptography] Why prefer symmetric crypto over public key crypto?

Marcus D. Leech mleech at ripnet.com
Fri Sep 6 23:51:49 EDT 2013


>
> The magic of public key crypto is that it gets rid of the key 
> management problem -- if I'm going to communicate with you with 
> symmetric crypto, how do I get the keys to you? The pain of it is that 
> it replaces it with a new set of problems. Those problems include that 
> the amazing power of public-key crypto tempts one to do things that 
> may not be wise.
>
I find public-key cryptography to be full of "dirty little secrets". Some of the notions inherent in public-key *infrastructure* are, on the face of them, preposterous. Consider the notion of a certificate authority. I am to trust some third party (the CA) that I've never met, and have not the slightest reason to trust, is able to make a "believable" assertion about the identity (and corresponding public-key binding) of some *other* party I've never met, and have no real reason to trust. It always struck me as another instance of "there's no problem in CS that can't be solved by adding another layer of abstraction". I think this is an instance of a general problem with digitally-signed documents of all kinds: confusion about exactly what they are--a signature on a document (like a certificate) says nothing about the *essential truth* of the statements contained within the document. When SlushySign issues a certificate for "www.crowbars-r-us.com", there's a subtle distinction between "we believe this to be the appropriate binding between this public-key, and an entity known as www.crowbars-r-us.com" and "this really is the binding between this public-key, and the entity you all know as www.crowbars-r-us.com".

I started thinking about the "essential truth" problem back when the whole TPM thing was popular, and proponents were talking as if the digital signature of a computer stating that it was "sane" was somehow the same as said computer actually being "sane". Absent independent verification, there's no way to distinguish a strongly-signed "lie" from a strongly-signed "truth". That isn't necessarily a problem that's confined to PK systems. Any digital-signature scheme has that problem.


The other thing that I find to be a "dirty little secret" in PK systems is revocation. OCSP makes things, in some ways, "better" than CRLs, but I still find them to be a kind of "swept under the rug" problem when people are waxing enthusiastic about PK systems.

However, PK is the only pony we've managed to bring to this circus, so we "make do" with making the "dirty little secrets" as inoffensive as we can.
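The revocation point made in the post above, as an added example that is not part of Marcus's message or of any named project: a Go program using only the standard library. It constructs a throwaway CA and one leaf certificate in memory, then shows that ordinary chain validation (`Verify`: signatures, validity window, name match) still reports the leaf as good after the CA has published a CRL revoking it, because revocation is a separate check that the caller has to make. The CA name "SlushySign" and the host name come from the post; the serial numbers, lifetimes and keys are constructed values, and a CRL that is stale or not signed by the CA is treated as "unknown" rather than "good".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// PKI is a constructed, in-memory CA plus one leaf certificate it issued.
type PKI struct {
	CAKey    *ecdsa.PrivateKey
	CACert   *x509.Certificate
	LeafCert *x509.Certificate
}

// BuildPKI creates a throwaway CA ("SlushySign", from the post) and has it sign
// a server certificate binding a fresh key to host. The CA signs the binding;
// nothing here establishes whether host "really is" the entity it claims to be.
func BuildPKI(host string) (*PKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed serial
		Subject:               pkix.Name{CommonName: "SlushySign Root (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil { return nil, err }
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil { return nil, err }
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), // constructed serial
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil { return nil, err }
	leafCert, err := x509.ParseCertificate(leafDER)
	if err != nil { return nil, err }
	return &PKI{CAKey: caKey, CACert: caCert, LeafCert: leafCert}, nil
}

// ChainValid is what a TLS stack does by default: signature chain to a trusted
// root, validity window, and host name match. It consults no revocation data.
func ChainValid(leaf, ca *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// IssueCRL has the CA sign a CRL (DER) listing the given serials as revoked.
func IssueCRL(p *PKI, serials ...*big.Int) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(time.Hour), // after this the CRL is stale
	}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.CACert, p.CAKey)
}

// CheckCRL returns "good", "revoked" or "unknown" for leaf as of now.
// A CRL that does not parse, is not signed by the CA, or is outside its
// validity window gives no answer, and "no answer" is never promoted to "good".
func CheckCRL(crlDER []byte, ca, leaf *x509.Certificate, now time.Time) string {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil {
		return "unknown"
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return "unknown"
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "good"
}
```

The design choice worth noting is that `CheckCRL` fails closed on anything other than a fresh, correctly signed CRL: a verifier that treats a missing or stale CRL as "good" has quietly re-created the swept-under-the-rug problem the post describes, only now with a function call that looks like a check.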


