[Cryptography] Why prefer symmetric crypto over public key crypto?

Jeffrey I. Schiller jis at mit.edu
Sat Sep 7 10:05:22 EDT 2013 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Sep 07, 2013 at 10:57:07AM +0300, ianG wrote:
> It's a big picture thing.  At the end of the day, symmetric crypto
> is something that good software engineers can master, and relatively
> well, in a black box sense.  Public key crypto not so easily, that
> requires real learning.  I for one am terrified of it.

Don’t be. There is no magic there. From what I can tell, there are two
different issues with public key.

1. Weaknesses in the math.
2. Fragility in use.

The NSA (or other national actors) may well have found a mathematical
weakness in any of the public key ciphers (frankly they may have found
a weakness in symmetric ciphers as well). Frankly, we just don’t know
here. Do we trust RSA more then Diffie-Hellman or any of the Elliptic
Curve techniques? Who knows. We can make our keys bigger and hope for
the best.

As for fragility. Generating random numbers is *hard*, particularly on
a day to day basis. When you generate a keypair with GPG/PGP it
prompts you to type in random keystrokes and move the mouse etc., all
in an attempt to gather as much entropy as possible. This is a pain,
but it makes sense for one-lived keys. People would not put up with
this if you had to do this for each session key. Fragile public key
systems (such as Elgamal and all of the variants of DSA) require
randomness at signature time. The consequence for failure is
catastrophic. Most systems need session keys, but the consequence for
failure in session key generation is the compromise of the
message. The consequence for failure in signature generation in a
fragile public key system is compromise of the long term key!

I wrote about this in NDSS 1991.... I cannot find an on-line reference
to it though.

Then if you are a software developer, you have the harder problem of
not being able to control the environment your software will run on,
particularly as it applies to the availability of entropy.

So my advice.

Use RSA, choose a key as long as your paranoia. Like all systems, you
will need entropy to generate keys, but you won’t need entropy to use
it for encryption or for signatures.

- -Jeff

_______________________________________________________________________
Jeffrey I. Schiller
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room E17-110A, 32-392
Cambridge, MA 02139-4307
617.910.0259 - Voice
jis at mit.edu
http://jis.qyv.name
_______________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFSKzKi8CBzV/QUlSsRAhoSAJ98g7NreJwIK+aYODM1zDsVsreMCQCcD2R9
vnvmNc4Uo45+ckUFQafuE4U=
=x9bK
-----END PGP SIGNATURE-----

More information about the cryptography mailing list