On Sep 6, 2013, at 6:13 AM, Jaap-Henk Hoepman <j...@cs.ru.nl> wrote:

> In this oped in the Guardian
> http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
> Bruce Schneier writes: "Prefer symmetric cryptography over public-key 
> cryptography." The only reason I can think of is that for public key crypto 
> you typically use an American (and thus subverted) CA to get the recipients 
> public key. 
> What other reasons could there be for this advice?

Public-key cryptography is less well-understood than symmetric-key 
cryptography. It is also tetchier than symmetric-key crypto, and if you pay 
attention to us talking about issues with nonces, counters, IVs, chaining 
modes, and all that, you see that saying that it's tetchier than that is a 
warning indeed.

The magic of public key crypto is that it gets rid of the key management 
problem -- if I'm going to communicate with you with symmetric crypto, how do I 
get the keys to you? The pain of it is that it replaces it with a new set of 
problems. Those problems include that the amazing power of public-key crypto 
tempts one to do things that may not be wise.


Attachment: PGP.sig
Description: PGP signature

The cryptography mailing list

Reply via email to