[Cryptography] Why prefer symmetric crypto over public key crypto?
Nico Williams
nico at cryptonector.com
Thu Sep 12 16:11:31 EDT 2013
On Mon, Sep 09, 2013 at 02:48:56PM -0400, Jeffrey I. Schiller wrote:
> I don’t believe you can do this without using some form of public key
> system.
My $.02:
- protocols based entirely on symmetric keying are either PSK or a
  flavor of Needham-Schroeder (e.g., Kerberos)
- neither PSK nor Needham-Schroeder scale
  - PSK fails to scale for obvious reasons
  - Kerberos could scale if there were TLD realm operators, but there
    aren't any, and there can't be because they would have too much
    power, thus no one would trust them (see below)
  - Kerberos could scale with a web of trust (PGP-like), but managing
    that web would be difficult, and realms that are widely trusted
    are... much too powerful (see below)
- Kerberos KDCs have even more privileged a position than PKIX CAs:
  they can impersonate you to others and vice versa (therefore they can
  MITM you) and they can recover all your session keys (unless you use
  PFS) even when they don't MITM you.
  This is necessarily so for any symmetric-key-only protocol.
- To get past this requires PK crypto. It's unavoidable.
- Life will look a bit bleak for a while once we get to quantum machine
  cryptopocalypse...
Nico
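A toy model of the point about KDCs and session keys, added here as an illustration and not part of Nico's mail: because the KDC mints k_ab itself, it can always reproduce a plain Kerberos traffic key, whereas an ephemeral DH run on top of the ticket (the PK step the mail calls unavoidable) gives a key the KDC cannot reconstruct from anything it saw. The DH group, the KDF and the class and function names are constructed for this example and are not any real Kerberos implementation.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group, chosen for readability only; real deployments use
# an RFC 3526 MODP group or an elliptic curve. 2**61 - 1 is prime.
P = 2**61 - 1
G = 3


def kdf(*parts: bytes) -> bytes:
    """Toy KDF: SHA-256 over length-prefixed parts."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class KDC:
    """Needham-Schroeder / Kerberos style KDC: it mints every session key."""

    def __init__(self) -> None:
        self.observed: list[dict] = []   # what the KDC learns per session

    def issue(self, client: str, server: str) -> bytes:
        # Real Kerberos wraps k_ab under each party's long-term key; the wire
        # format is omitted because the point is what the KDC itself keeps.
        k_ab = secrets.token_bytes(32)
        self.observed.append({"client": client, "server": server, "k_ab": k_ab})
        return k_ab


def kerberos_session(kdc: KDC, client: str, server: str) -> tuple[bytes, bytes]:
    """Plain ticket exchange: both sides use k_ab directly as the traffic key."""
    k_ab = kdc.issue(client, server)
    return k_ab, k_ab


def pfs_session(kdc: KDC, client: str, server: str) -> tuple[bytes, bytes]:
    """Same ticket, plus an ephemeral DH run under its protection. The traffic
    key binds k_ab with g^ab; the KDC sees g^a and g^b but never a or b."""
    k_ab = kdc.issue(client, server)
    a = secrets.randbelow(P - 2) + 1       # client's ephemeral secret
    b = secrets.randbelow(P - 2) + 1       # server's ephemeral secret
    g_a, g_b = pow(G, a, P), pow(G, b, P)  # public values, sent in the clear
    kdc.observed[-1].update({"g_a": g_a, "g_b": g_b})
    client_key = kdf(k_ab, pow(g_b, a, P).to_bytes(8, "big"))
    server_key = kdf(k_ab, pow(g_a, b, P).to_bytes(8, "big"))
    return client_key, server_key


def kdc_recovers(kdc: KDC, traffic_key: bytes) -> bool:
    """Can the KDC reproduce the traffic key? Its only key material is k_ab."""
    return hmac.compare_digest(kdc.observed[-1]["k_ab"], traffic_key)
```

Run `kerberos_session` and `pfs_session` against the same `KDC` and compare `kdc_recovers` on each result: the plain exchange is recoverable, the DH-bound one is not, even though the KDC recorded both public DH values.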