[Cryptography] Why prefer symmetric crypto over public key crypto?

Jon Callas jon at callas.org
Fri Sep 6 22:02:47 EDT 2013

On Sep 6, 2013, at 6:13 AM, Jaap-Henk Hoepman <jhh at cs.ru.nl> wrote:

> In this oped in the Guardian
> http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
> Bruce Schneier writes: "Prefer symmetric cryptography over public-key cryptography." The only reason I can think of is that for public key crypto you typically use an American (and thus subverted) CA to get the recipients public key. 
> What other reasons could there be for this advice?

Public-key cryptography is less well-understood than symmetric-key cryptography. It is also tetchier than symmetric-key crypto, and if you pay attention to us talking about issues with nonces, counters, IVs, chaining modes, and all that, you see that saying that it's tetchier than that is a warning indeed.

The magic of public key crypto is that it gets rid of the key management problem -- if I'm going to communicate with you with symmetric crypto, how do I get the keys to you? The pain of it is that it replaces it with a new set of problems. Those problems include that the amazing power of public-key crypto tempts one to do things that may not be wise.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20130906/481ceb2d/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20130906/481ceb2d/attachment.pgp>

More information about the cryptography mailing list