On Sep 6, 2013, at 6:13 AM, Jaap-Henk Hoepman <j...@cs.ru.nl> wrote:
> In this oped in the Guardian > > http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance > > Bruce Schneier writes: "Prefer symmetric cryptography over public-key > cryptography." The only reason I can think of is that for public key crypto > you typically use an American (and thus subverted) CA to get the recipients > public key. > > What other reasons could there be for this advice? Public-key cryptography is less well-understood than symmetric-key cryptography. It is also tetchier than symmetric-key crypto, and if you pay attention to us talking about issues with nonces, counters, IVs, chaining modes, and all that, you see that saying that it's tetchier than that is a warning indeed. The magic of public key crypto is that it gets rid of the key management problem -- if I'm going to communicate with you with symmetric crypto, how do I get the keys to you? The pain of it is that it replaces it with a new set of problems. Those problems include that the amazing power of public-key crypto tempts one to do things that may not be wise. Jon
PGP.sig
Description: PGP signature
_______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
