On Sep 7, 2013, at 3:25 PM, "Christian Huitema" <huit...@huitema.net> wrote:

> Another argument is “minimal dependency.” If you use public key, you depend 
> on both the public key algorithm, to establish the key, and the symmetric key 
> algorithm, to protect the session. If you just use symmetric key, you depend 
> on only one algorithm.
> Of course, that means getting pair-wise shared secrets, and protecting them. 
> Whether that’s harder or more fragile than maintaining a key ring is a matter 
> of debate. It is probably more robust than relying on CA.

Pairwise shared secrets are just about the only thing that scales worse than 
public key distribution by way of PGP key fingerprints on business cards.  The 
equivalent of CAs in an all-symmetric world is KDCs.  Instead of having the 
power to enable an active attack on you today, KDCs have the power to enable a 
passive attack on you forever.  If we want secure crypto that can be used by 
everyone, with minimal trust, public key is the only way to do it.  

One pretty sensible thing to do is to remember keys established in previous 
sessions, and use those combined with the next session.  For example, if we do 
Diffie-Hellman today and establish a shared key K, we should both store that 
key, and we should try to reuse it next time as an additional input into our 
KDF.  That is, next time we use Diffie-Hellman to establish K1, then we get 
actual-key = KDF(K1, K, other protocol details).  That means that if even one 
session was established securely, the communications are secure (up to the 
symmetric crypto strength) forevermore.  

> - -- Christian Huitema

The cryptography mailing list

Reply via email to