[Cryptography] We need a new encryption algorithm competition.

Nico Williams nico at cryptonector.com
Thu Mar 20 11:49:07 EDT 2014

On Thu, Mar 20, 2014 at 10:27:17PM +1300, Peter Gutmann wrote:
> Nico Williams <nico at cryptonector.com> writes:
> >That's great, but PSK doesn't scale
> Given that { username+password * no_internet_users * no_sites_used } is
> somewhere in the hundreds of billions, at what point does it stop scaling?

Quite true.  However, those accounts are generally established using
TLS, not using PSK (the first time anyways, and probably never), so
there's some PK in there.  Which was my point: it's hard to get by in a
pure symmetric crypto world.

> It's PKI that doesn't scale.  Like ethernet, passwords work in practice but
> not in theory, and vice versa for PKI.

I'm not promoting PKI.  See above.

> >Also, PKI leaves evidence of MITM CAs, whereas Needham-Schroeder doesn't
> >really.
> It's PKI that enables MITM CAs in the first place.  Since they can't occur for
> PSK, you don't need to worry about trying to detect them.  The evidence of
> MITM CAs is a sign of a fundamentally broken design, not a "feature" of PKI.

Any time you have a TTP introducer, no matter what the protocol, you
have MITM potential.  Any time you use key agreement with keys you can't
authenticate somehow, you have MITM potential.
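The last point, key agreement with keys nobody can authenticate, is easy to see in working code. The following is an added example and not code from the thread or its participants: an ephemeral Diffie-Hellman exchange between Alice and Bob, optionally with an untrusted relay substituting its own public values in both directions, and optionally with each side authenticating the transcript with a key the peer can already verify (a pre-shared key stands in for that here; a signature key known through some introducer would serve the same purpose, which is also why an introducer that hands out those keys sits in the same position). The group is the 1024-bit MODP group from RFC 2409 (group 2), used only for illustration; the names, the PSK value and the `run_exchange` helper are constructed for this example.

```python
"""Added example (not from the thread): unauthenticated key agreement has
MITM potential; authenticating the exchanged keys lets both ends detect it."""
import hashlib
import hmac
import secrets

# 1024-bit MODP group from RFC 2409 (group 2). Fine for illustration;
# real deployments use larger groups or elliptic curves.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
DEMO_PSK = b"constructed-demo-psk"  # constructed value, models a key the peer can verify


def dh_keypair():
    """Ephemeral DH key: random private exponent and public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_session_key(priv, peer_pub):
    """Derive a session key from the shared secret peer_pub^priv mod p."""
    shared = pow(peer_pub, priv, P).to_bytes(128, "big")
    return hashlib.sha256(shared).digest()


def auth_tag(psk, role, own_pub, peer_pub):
    """MAC over the transcript as this party saw it, bound to the sender's role.
    Whoever lacks the authentication key cannot produce a valid tag."""
    msg = role.encode() + own_pub.to_bytes(128, "big") + peer_pub.to_bytes(128, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def run_exchange(authenticated, interposed, psk=DEMO_PSK):
    """Run one DH exchange between Alice and Bob.

    interposed:     an untrusted relay replaces each side's public value with
                    its own, so each endpoint actually agrees a key with the relay.
    authenticated:  each side MACs the transcript it saw with `psk`; the peer
                    recomputes the tag over the transcript *it* saw and rejects
                    the session if they differ.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()

    if interposed:
        r_to_bob_priv, r_to_bob_pub = dh_keypair()      # relay's key toward Bob
        r_to_alice_priv, r_to_alice_pub = dh_keypair()  # relay's key toward Alice
        bob_sees, alice_sees = r_to_bob_pub, r_to_alice_pub
    else:
        bob_sees, alice_sees = a_pub, b_pub

    alice_key = dh_session_key(a_priv, alice_sees)
    bob_key = dh_session_key(b_priv, bob_sees)

    # Does the relay end up holding each endpoint's session key?
    relay_has_both_keys = False
    if interposed:
        relay_has_both_keys = (
            dh_session_key(r_to_alice_priv, a_pub) == alice_key
            and dh_session_key(r_to_bob_priv, b_pub) == bob_key
        )

    if authenticated:
        # Each side tags (own_pub, peer_pub_as_seen); the other side checks it
        # against (peer_pub_as_seen, own_pub). Substituted values never line up.
        alice_tag = auth_tag(psk, "alice", a_pub, alice_sees)
        bob_tag = auth_tag(psk, "bob", b_pub, bob_sees)
        bob_accepts = hmac.compare_digest(alice_tag, auth_tag(psk, "alice", bob_sees, b_pub))
        alice_accepts = hmac.compare_digest(bob_tag, auth_tag(psk, "bob", alice_sees, a_pub))
    else:
        # Nothing to check: both ends "succeed" whatever was on the wire.
        alice_accepts = bob_accepts = True

    return {
        "keys_match": alice_key == bob_key,
        "alice_accepts": alice_accepts,
        "bob_accepts": bob_accepts,
        "relay_has_both_keys": relay_has_both_keys,
    }


if __name__ == "__main__":
    for auth in (False, True):
        for mitm in (False, True):
            print(f"authenticated={auth!s:5} interposed={mitm!s:5} ->",
                  run_exchange(auth, mitm))
```

The unauthenticated run with a relay in the path is the telling case: both endpoints accept, their keys differ, and the relay holds both. Turning on the transcript MAC does not stop the relay from substituting values, it only guarantees that neither Alice nor Bob will accept the resulting session, which is the property PK-based and PSK-based designs both need and neither gets from key agreement alone.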

