We have a purely (now mostly) all-symmetric key protocol: Needham-Schroeder -- Kerberos. Guess what: it doesn't scale, not without a strong dose of PK (and other things). Worse, its trusted third parties can do more than MITM/impersonate you like PKI's: they get to see your session keys (unless you add PFS, of course). For PFS you need asymmetric crypto. To scale you need asymmetric crypto *and* trusted third parties. To communicate at all you need peers to communicate with, peers who can turn on you, or just plain screw up, or get conned. Square #1, how well we know thee. Symmetric-only crypto isn't the answer, and evidently neither is PK crypto. With or without crypto, our problems are human problems.
A combination of PK and symmetric crypto is the best we can do in a classical world, and transitive trust is the only way to scale to billions (or even just a few tens of thousands) of people. All of which means that there will always be some degree of insecurity, as it always was before the modern era, and as it has to be. Because we have free will. I don't know what a post-quantum number factoring world will look like... a bit bleak I guess, at least for a while, but hardly much bleaker than much of the past one hundred years. BTW, if it's the PRISMs that animate you: that is the land of politics; and crypto is not the answer you seek, it's just a tool. A tool that might play a bi[tg] part in debates and their outcomes, but still, just a tool, not a panacea.

[In theory Kerberos with hierarchical and web of trust could scale. No one has attempted to scale it past a few .EDUs and a few .MILs. With PKINIT and PKCROSS -- bridges to PK[I] -- and "trust routing" it could scale, and it'd then have roughly the properties PKI could have / should have had with OCSP done right (i.e., stapled, and from the get-go). Kerberos still has a long life ahead of it in corporate and university networks, I'm fairly certain of that. But without PK it can't scale to Internet scale. I don't think any other all-symmetric key cryptographic protocols can do better than Needham-Schroeder.]

Nico
--
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
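The point in the post that the KDC of a symmetric-key Needham-Schroeder / Kerberos exchange "gets to see your session keys (unless you add PFS)" is easy to make concrete. The following is an added worked example, not code from the post or from any Kerberos implementation: it runs the first three Needham-Schroeder messages (A -> S: A, B, Na; S -> A: {Na, B, Kab, {Kab, A}Kbs}Kas; A -> B: {Kab, A}Kbs) with a KDC that simply remembers the Kab it minted, then shows that an honest-but-curious KDC replaying its records can read Alice's application traffic in the plain protocol, and cannot once the peers run an ephemeral Diffie-Hellman exchange inside the Kab-authenticated channel and derive the traffic key from the DH secret. All primitives are constructed toys so the example runs on the standard library alone: the "AEAD" is HMAC-SHA256 in counter mode plus an HMAC tag, and the DH group (the Mersenne prime 2^127-1 with generator 3) is illustration-sized, not a secure group. Party names, the message "transfer $1000 to Bob" and the 32-byte long-term keys are constructed inputs.

```python
"""Toy symmetric Needham-Schroeder (messages 1-3) with and without an
ephemeral DH step, checking what the KDC can read afterwards.
Added example; every primitive below is a constructed toy."""
import hashlib
import hmac
import secrets
from typing import Optional

# Toy DH group: Mersenne prime 2^127-1, generator 3.  Illustration only; use
# an RFC 7919 group or X25519 for anything real.
P = (1 << 127) - 1
G = 3


def kdf(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 over the parts; returns a 32-byte key."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(enc_key, nonce || counter) blocks (toy cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    body = _keystream_xor(kdf(key, b"enc"), nonce, plaintext)
    tag = hmac.new(kdf(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_(key: bytes, blob: bytes) -> Optional[bytes]:
    """Inverse of seal(); returns None on tag mismatch (wrong key or tampering)."""
    if len(blob) < 48:
        return None
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(kdf(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return _keystream_xor(kdf(key, b"enc"), nonce, body)


def needham_schroeder(kdc_keys: dict, with_dh: bool) -> dict:
    """A <-> KDC <-> B key establishment plus one application message from A.
    Returns the wire transcript and what the KDC retained (the Kab it minted).
    Messages 4 and 5 (the Nb challenge/response) are omitted for brevity."""
    k_as, k_bs = kdc_keys["alice"], kdc_keys["bob"]
    na = secrets.token_bytes(16)                      # Msg 1: A -> S: A, B, Na
    kab = secrets.token_bytes(32)                     # minted, and kept, by the KDC
    ticket = seal(k_bs, kab + b"alice")               # {Kab, A}Kbs
    msg2 = seal(k_as, na + b"bob" + kab + ticket)     # Msg 2: S -> A
    inner = open_(k_as, msg2)                         # Alice checks Na and peer name
    if inner is None or inner[:16] != na or inner[16:19] != b"bob":
        raise ValueError("msg 2 failed Alice's checks")
    kab_a, ticket_a = inner[19:51], inner[51:]        # Msg 3: A -> B: the ticket
    t = open_(k_bs, ticket_a)                         # Bob checks the peer name
    if t is None or t[32:] != b"alice":
        raise ValueError("ticket failed Bob's checks")
    kab_b = t[:32]
    wire_dh = None
    if with_dh:
        # Ephemeral DH authenticated by Kab.  The KDC can open these wrappers and
        # see g^x and g^y, but it never learns x or y.
        x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
        wire_gx = seal(kab_a, pow(G, x, P).to_bytes(16, "big"))
        wire_gy = seal(kab_b, pow(G, y, P).to_bytes(16, "big"))
        gy_at_a = int.from_bytes(open_(kab_a, wire_gy), "big")
        gx_at_b = int.from_bytes(open_(kab_b, wire_gx), "big")
        session_a = kdf(kab_a, pow(gy_at_a, x, P).to_bytes(16, "big"))
        session_b = kdf(kab_b, pow(gx_at_b, y, P).to_bytes(16, "big"))
        wire_dh = (wire_gx, wire_gy)
    else:
        session_a, session_b = kab_a, kab_b           # plain NS: Kab is the traffic key
    app = seal(session_a, b"transfer $1000 to Bob")  # constructed application message
    return {"msg2": msg2, "ticket": ticket_a, "dh": wire_dh, "app": app,
            "kdc_knows": kab, "bob_reads": open_(session_b, app)}


def kdc_eavesdrop(transcript: dict) -> Optional[bytes]:
    """An honest-but-curious KDC runs its retained Kab against the recorded wire."""
    kab = transcript["kdc_knows"]
    direct = open_(kab, transcript["app"])
    if direct is not None:
        return direct                                 # plain NS: traffic is readable
    if transcript["dh"] is not None:
        gx, gy = (open_(kab, w) for w in transcript["dh"])
        if gx is None or gy is None:
            raise ValueError("DH wrappers should open under Kab")
        # g^x and g^y are visible, but recovering g^xy from them is the
        # computational Diffie-Hellman problem; no x or y is in the KDC's records.
    return None


if __name__ == "__main__":
    keys = {"alice": b"A" * 32, "bob": b"B" * 32}  # constructed long-term keys
    for with_dh in (False, True):
        tr = needham_schroeder(keys, with_dh)
        print("with_dh=%s bob=%r kdc=%r" % (with_dh, tr["bob_reads"], kdc_eavesdrop(tr)))
```

The check only covers a passive KDC reading recorded traffic (and, equivalently, an attacker who later obtains Kas or Kbs). The DH step does not remove the KDC's ability to impersonate or actively MITM, which is the other capability the post attributes to the trusted third party: a KDC that substitutes its own g^x and g^y in the wrappers it can authenticate under Kab still ends up in the middle. That is why the post frames PFS as limiting damage, not as removing the need to trust the third party.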