[Cryptography] Why prefer symmetric crypto over public key crypto?

Nico Williams nico at cryptonector.com
Thu Sep 12 16:11:31 EDT 2013


On Mon, Sep 09, 2013 at 02:48:56PM -0400, Jeffrey I. Schiller wrote:
> I don’t believe you can do this without using some form of public key
> system.

My $.02:

 - protocols based entirely on symmetric keying are either PSK or a
   flavor of Needham-Schroeder (e.g., Kerberos)

 - neither PSK nor Needham-Schroeder scale

    - PSK fails to scale for obvious reasons

    - Kerberos could scale if there were TLD realm operators, but there
      aren't any, and there can't be because they would have too much
      power, thus no one would trust them (see below)

    - Kerberos could scale with a web of trust (PGP-like), but managing
      that web would be difficult, and realms that are widely trusted
      are... much too powerful (see below)

 - Kerberos KDCs have even more privileged a position than PKIX CAs:
   they can impersonate you to others and vice-versa (therefore they can
   MITM you) and they can recover all your session keys (unless you use
   PFS) even when they don't MITM you.

   This is necessarily so for any symmetric key only protocol.

 - To get past this requires PK crypto.  It's unavoidable.

 - Life will look a bit bleak for a while once we get to quantum machine
   cryptopocalypse...

Nico
-- 


More information about the cryptography mailing list