[Cryptography] We need a new encryption algorithm competition.

Nico Williams nico at cryptonector.com
Wed Mar 19 20:39:11 EDT 2014


On Wed, Mar 19, 2014 at 11:57:28PM +0000, ianG wrote:
> On 19/03/2014 18:06 pm, Jerry Leichter wrote:
> > The classic paper on this is:
> > 
> > Goldwasser, S., Micali, S., and Tong, P. Why and How to Establish a
> > Private Code on a Public Network. Proceedings of the 23rd Annual
> > Symposium on Foundations of Computer Science (FOCS'82), Chicago,
> > Illinois, pages 134-144, October 1982
> ...
> > In general, asymmetric encryption is very brittle.
>
> That's a much better way of saying it.

That's great, but PSK doesn't scale, and Needham-Schroeder (Kerberos)
has scale and trust issues that are not easily resolved without
sprinkling some PK/PKI.

Worse, in Needham-Schroeder (Kerberos) the TTPs (KDCs) are even more
powerful than the TTPs in PKI.  If two peers use certs with chaining up
to different root issuers, then you may need (e.g., if using TLS) MITM
CAs in both of them to MITM the two peers.  In Needham-Schroeder any KDC
in the trust path between two peers can MITM them -- even if you
sprinkle some PK dust (PKCROSS) you still end up with the last hop
realm's KDC's being able to MITM the two peers.

Also, PKI leaves evidence of MITM CAs, whereas Needham-Schroeder doesn't
really.

You have two realistic choices: you can have the level of security you
want (for online shopping, email, IM, ...) using some PK, or you can
have not much security at all outside your home or enterprise network.

Whatever security considerations of any one cryptosystem might be are
just that: security considerations [to pay careful attention to].
There's no real alternative to using at least some PK crypto.

(Experience with Kerberos will convince you of this.)

Nico
-- 


More information about the cryptography mailing list