Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-15 Thread Tony Arcieri
On Thu, Sep 12, 2013 at 1:11 PM, Nico Williams wrote:

>  - Life will look a bit bleak for a while once we get to quantum machine
> cryptopocalypse...


Why? We already have NTRU. We also have Lamport Signatures. djb is working
on McBits. I'd say there's already many options on the table if you want to
build a "quantum-proof" system.

-- 
Tony Arcieri
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-13 Thread Nico Williams
On Mon, Sep 09, 2013 at 02:48:56PM -0400, Jeffrey I. Schiller wrote:
> I don’t believe you can do this without using some form of public key
> system.

My $.02:

 - protocols based entirely on symmetric keying are either PSK or a
   flavor of Needham-Schroeder (e.g., Kerberos)

 - neither PSK nor Needham-Schroeder scale

- PSK fails to scale for obvious reasons

- Kerberos could scale if there were TLD realm operators, but there
  aren't any, and there can't be because they would have too much
  power, thus no one would trust them (see below)

- Kerberos could scale with a web of trust (PGP-like), but managing
  that web would be difficult, and realms that are widely trusted
  are... much too powerful (see below)

 - Kerberos KDCs have even more privileged a position than PKIX CAs:
   they can impersonate you to others and vice-versa (therefore they can
   MITM you) and they can recover all your session keys (unless you use
   PFS) even when they don't MITM you.

   This is necessarily so for any symmetric key only protocol.

 - To get past this requires PK crypto.  It's unavoidable.

 - Life will look a bit bleak for a while once we get to quantum machine
   cryptopocalypse...

Nico
-- 

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-12 Thread Peter Gutmann
zooko  writes:

>I agree that randomness-reuse is a major issue. Recently about 55 Bitcoin 
>were stolen by exploiting this, for example:
>
>http://emboss.github.io/blog/2013/08/21/openssl-prng-is-not-really-fork-safe/

Was that the change that was required by FIPS 140, or a different vuln?

Peter.




Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-11 Thread Jerry Leichter
On Sep 11, 2013, at 1:53 AM, zooko  wrote:
> DJB's Ed25519 takes [using message context as part of random number 
> generation one step further, and makes the nonce determined *solely* by the 
> message and the secret key, avoiding the PRNG part altogether:
This is not *necessarily* safe.  In another thread, we discussed whether 
choosing the IV for CBC mode by encrypting 0 with the session key was 
sufficient to meet the randomness requirements.  It turns out it does not.  I 
won't repeat the link to Rogaway's paper on the subject, where he shows that 
using this technique is strictly weaker than using a true random IV.

That doesn't mean the way it's done in Ed25519 is unsafe, just that you cannot 
generically assume that computing a random value from existing private 
information is safe.
-- Jerry



Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-11 Thread zooko
I agree that randomness-reuse is a major issue. Recently about 55 Bitcoin were
stolen by exploiting this, for example:

http://emboss.github.io/blog/2013/08/21/openssl-prng-is-not-really-fork-safe/

However, it is quite straightforward to make yourself safe from re-used nonces
in (EC)DSA, like this:

https://github.com/trezor/python-ecdsa/commit/8efb52fad5025ae87b649ff78faa9f8076768065

Whenever the public-key crypto spec says that you have to come up with a random
number, don't do it! Instead of just pulling a random number from your PRNG,
mix the message into your PRNG to generate a random number which will therefore
be unique to this message.

Note that you don't have to get anyone else's cooperation in order to do this
-- interoperating implementations can't tell how you chose your "random"
number, so they can't complain if you do it this way.

Wei Dai's Crypto++ library has done this for ages, for *all* nonces generated
in the course of public-key operations.

DJB's Ed25519 takes this one step further, and makes the nonce determined
*solely* by the message and the secret key, avoiding the PRNG part altogether:

http://ed25519.cr.yp.to/papers.html

In my opinion, that's the way to go. It applies equally well to (EC)DSA, and
still enjoys the above-mentioned interoperability.

There is now a standard for this fully-deterministic approach in the works,
edited by Thomas Pornin: https://tools.ietf.org/html/rfc6979 .

Therefore, Ed25519 or RFC-6979-enhanced (EC)DSA is actually safer than RSA-PSS
is with regard to this issue.

Regards,

Zooko
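The deterministic-nonce construction zooko describes, written out as an added example (this is not zooko's code, not the python-ecdsa commit linked above, and not Crypto++'s implementation). It follows the HMAC-based procedure of RFC 6979 section 3.2: the nonce k is derived from the private key and the hash of the message, so the same message never yields two different nonces and a broken or fork-unsafe PRNG cannot cause a reuse. The optional `extra` argument is the additional input of RFC 6979 section 3.6; passing fresh PRNG output there gives the hybrid "mix the message into your PRNG" variant from the post, while leaving it empty gives the fully deterministic nonce. The group order, private key and expected nonce used for the self-check are the NIST P-256 / SHA-256 / message "sample" values from RFC 6979 Appendix A.2.5; everything else is constructed for the example. The function produces only the nonce; signing with it is the caller's job.

```python
import hashlib
import hmac

# Test material from RFC 6979 Appendix A.2.5 (P-256, SHA-256, message "sample").
P256_ORDER = int("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)
RFC6979_PRIVKEY = int("C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721", 16)
RFC6979_K_SAMPLE = int("A6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60", 16)


def _bits2int(b: bytes, qlen: int) -> int:
    """RFC 6979 2.3.2: interpret the leftmost qlen bits of b as an integer."""
    x = int.from_bytes(b, "big")
    blen = len(b) * 8
    return x >> (blen - qlen) if blen > qlen else x


def _int2octets(x: int, rlen: int) -> bytes:
    """RFC 6979 2.3.3: encode x as a big-endian string of rlen bytes."""
    return x.to_bytes(rlen, "big")


def deterministic_nonce(priv: int, msg: bytes, q: int, hashfn=hashlib.sha256,
                        extra: bytes = b"") -> int:
    """Derive the (EC)DSA nonce k from the private key and the message.

    Implements the HMAC_DRBG-style procedure of RFC 6979 section 3.2. `extra`
    is the optional additional input of section 3.6: fresh RNG output here
    gives a message-bound random nonce, b"" gives a fully deterministic one.
    """
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    hlen = hashfn().digest_size
    h1 = hashfn(msg).digest()
    # bits2octets(h1): reduce the hash mod q and encode it as rlen bytes.
    z = _int2octets(_bits2int(h1, qlen) % q, rlen)
    seed = _int2octets(priv, rlen) + z + extra
    V = b"\x01" * hlen
    K = b"\x00" * hlen
    K = hmac.new(K, V + b"\x00" + seed, hashfn).digest()
    V = hmac.new(K, V, hashfn).digest()
    K = hmac.new(K, V + b"\x01" + seed, hashfn).digest()
    V = hmac.new(K, V, hashfn).digest()
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hashfn).digest()
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Candidate outside [1, q-1]: update the state and draw again.
        K = hmac.new(K, V + b"\x00", hashfn).digest()
        V = hmac.new(K, V, hashfn).digest()


def matches_rfc6979_vector() -> bool:
    """Self-check against the published RFC 6979 test vector."""
    return deterministic_nonce(RFC6979_PRIVKEY, b"sample", P256_ORDER) == RFC6979_K_SAMPLE


def nonce_reuse_across(messages) -> bool:
    """True if any two distinct messages would share a nonce under this key."""
    seen = {}
    for m in messages:
        k = deterministic_nonce(RFC6979_PRIVKEY, m, P256_ORDER)
        if k in seen and seen[k] != m:
            return True
        seen[k] = m
    return False


if __name__ == "__main__":
    print("RFC 6979 vector ok:", matches_rfc6979_vector())
    print("reuse among distinct messages:", nonce_reuse_across([b"sample", b"test", b"sample"]))
```

Because the derivation is a pure function of (key, message), re-signing the same message reproduces the same k, which is harmless: the signature is identical, so no information leaks. Two different messages produce different k with overwhelming probability, which is the property a random nonce was supposed to provide in the first place.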


Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-09 Thread Jeffrey I. Schiller
Just to throw in my two cents...

In the early 1990’s I wanted to roll out an encrypted e-mail solution
for the MIT Community (I was the Network Manager and responsible for
the mail system). We already had our Kerberos Authentication system
(of which I am one of the authors, so I have a special fondness for
it). It would do a fine job of helping people exchange session keys
for mail and everyone at MIT has a Kerberos ID (and therefore would
permit communication between everyone in the community).

However, as Network Manager, I was also the person who would see legal
requests for access to email and other related data. Whoever ran the
Kerberos KDC would be in a position to retrieve any necessary keys to
decrypt any encrypted message. Which meant that whoever ran the KDC
could be compelled to turn over the necessary keys. In fact my fear
was that a clueless law enforcement organization would just take the
whole KDC with a search warrant, thus compromising everyone’s
security. Today they may well also use a search warrant to take the
whole KDC, but not because they are clueless...

The desire to offer privacy protection that I, as the administrator,
could not defeat is what motivated me to look into public key systems
and eventually participate in the Internet’s Privacy Enhanced Mail
(PEM) efforts. By using public key algorithms, correspondents are
protected from the prying eyes of even the folks who run the system.

I don’t believe you can do this without using some form of public key
system.

-Jeff
-- 
Jeffrey I. Schiller
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room E17-110A, 32-392
Cambridge, MA 02139-4307
617.910.0259 - Voice
j...@mit.edu
http://jis.qyv.name

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-09 Thread Christian Huitema
>> I am certainly not going to advocate Internet-scale KDC. But what
>> if the application does not need to scale more than a "network of 
>> friends?"
>
> A thousand times yes.

There is however a little fly in that particular ointment. Sure, we can develop 
system that manage pairwise keys, store them safely, share them between several 
user devices. But what about PFS? Someday, the pairwise key will be 
compromised, and the NSA will go back to the archives to decrypt everything. We 
could certainly devise a variant of DH that use the pairwise key to verify the 
integrity of the session keys, but that brings the public key technology back 
in the picture. Maybe I am just ignorant, but I don't know how to get PFS using 
just symmetric key algorithms. Does someone know better?

- -- Christian Huitema




Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-08 Thread Peter Saint-Andre
On 9/7/13 9:06 PM, Christian Huitema wrote:
>> Pairwise shared secrets are just about the only thing that
>> scales worse than public key distribution by way of PGP key
>> fingerprints on business cards.  > The equivalent of CAs in an
>> all-symmetric world is KDCs.  Instead of having the power to
>> enable an active attack on you today, KDCs have the power to
>> enable a passive attack on you forever.  If we want secure crypto
>> that can be used by everyone, with minimal trust, public key is
>> the only way to do it.
>> 
> 
> I am certainly not going to advocate Internet-scale KDC. But what
> if the application does not need to scale more than a "network of 
> friends?"

A thousand times yes.

One doesn't need to communicate with several billion people, and we
don't need systems that scale up that high. Most folks just want to
interact (chat, share photos, voice/video conference, etc.) with their
friends and family and colleagues -- maybe 50 - 500 people. IMHO we
only need to scale up that high for secure communication. (I'm talking
about individual communication, not enterprise stuff.)

What about talking with someone new? Well, we can design separate
protocols that enable you to be introduced to someone you haven't
communicated with before (we already do that with things like FOAF,
LinkedIn, Facebook). Part of that introduction might involve learning
the new person's public key from someone you already trust (no need
for Internet-scale certificate authorities). You could use that public
key for bootstrapping the pairwise shared secrets.

Another attractive aspect of a network of friends is that it can be
used for mix networking (route messages through your friends) and for
things like less-than-completely-public media relays and data proxies
for voice, video, file transfer, etc. And such relays might just live
on those little home devices that Perry is talking about, separate
from the cloud.

Peter

- -- 
Peter Saint-Andre
https://stpeter.im/




Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-08 Thread Jerry Leichter
On Sep 8, 2013, at 1:08 PM, Jerry Leichter wrote:

> On Sep 8, 2013, at 1:06 PM, Jerry Leichter wrote:
>> There was a proposal out there based on something very much like this to 
>> create tamper-evident signatures
Jonathan Katz found the paper I was thinking of - 
http://eprint.iacr.org/2003/031
-- Jerry



Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-08 Thread Jerry Leichter
On Sep 8, 2013, at 1:06 PM, Jerry Leichter wrote:
> There was a proposal out there based on something very much like this to 
> create tamper-evident signatures.  I forget the details - it was a couple of 
> years ago - but the idea was that every time you sign something, you modify 
> your key in some random way, resulting in signatures that are still 
> verifiably yours, but also contain the new random modification.  Beyond that, 
> I don't recall how it worked - it was quite clever... ah, here it is:  
> http://eprint.iacr.org/2005/147.pdf
Spoke too quickly - that paper is something else entirely.  I still can't 
locate the one I was thinking of.
-- Jerry




Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-08 Thread Jerry Leichter
On Sep 8, 2013, at 10:45 AM, Ray Dillinger wrote:
>> Pairwise shared secrets are just about the only thing that scales
>> worse than public key distribution by way of PGP key fingerprints on
>> business cards.  
>> If we want secure crypto that can be used by everyone, with minimal
>> trust, public key is the only way to do it.
>> 
>> One pretty sensible thing to do is to remember keys established in
>> previous sessions, and use those combined with the next session.
> 
> You've answered your own conundrum!
> 
> Of course the idea of remembering keys established in previous
> sessions and using them combined with keys negotiated in the next
> session is a scalable way of establishing and updating pairwise
> shared secrets
It's even better than you make out.  If Eve does manage to get hold of the 
Alice's current keys, and uses them to communicate with Bob, *after the 
communication, Bob will have updated his keys - but Alice will not have*.  The 
next time they communicate, they'll know they've been compromised.  That is, 
this is tamper-evident cryptography.

There was a proposal out there based on something very much like this to create 
tamper-evident signatures.  I forget the details - it was a couple of years ago 
- but the idea was that every time you sign something, you modify your key in 
some random way, resulting in signatures that are still verifiably yours, but 
also contain the new random modification.  Beyond that, I don't recall how it 
worked - it was quite clever... ah, here it is:  
http://eprint.iacr.org/2005/147.pdf
-- Jerry



Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-08 Thread Jerry Leichter
On Sep 7, 2013, at 11:06 PM, Christian Huitema wrote:

>> Pairwise shared secrets are just about the only thing that scales worse than 
>> public key distribution by way of PGP key fingerprints on business cards.  > 
>> The equivalent of CAs in an all-symmetric world is KDCs  If we want 
>> secure crypto that can be used by everyone, with minimal trust, public key 
>> is the only way to do it.  
> 
> I am certainly not going to advocate Internet-scale KDC. But what if the 
> application does not need to scale more than a "network of friends?"
Indeed, that was exactly what I had in mind when I suggested we might want to 
do without private key cryptography on another stream.

Not every problem needs to be solved on Internet scale.  In designing and 
building cryptographic systems simplicity of design, limitation to purpose, and 
humility are usually more important than universality.  Most of the email 
conversations I have are with people I've corresponded with in the past, or 
somehow related to people I've corresponded with in the past.  In the first 
case, I already have their keys - the only really meaningful notion of "the 
right key" is key continuity (combined with implied verification if we also 
have other channels of communication - if someone manages to slip me a bogus 
key for someone who I talk to every day, I'm going to figure that out very 
quickly.)  In the second case - e.g., an email address from a From field in a 
message on this list - the best I can possibly hope for initially is that I can 
be certain I'm corresponding with whoever sent that message to the list.  
There's no way I can bind that to a particular person in the real world without 
something more.

Universal schemes, when (not if - there's not a single widely fielded system 
that hasn't been found to have serious bugs over its operational lifetime, and I 
don't expect to see one in *my* lifetime) they fail, lead to universal attacks. 
I need some kind of universal scheme for setting up secure connections to buy 
something from a vendor I never used before, but frankly the NSA doesn't need 
to break into anything to get that information - the vendor, my bank, my CC 
company, credit agencies are all collecting and selling it anyway.

The other thing to keep in mind - and I've come back to this point repeatedly - 
is that the world we are now designing for is very different from the world of 
the mid- to late-1990's when the current schemes were designed.  Disk is so 
large and so cheap that any constraint in the old designs that was based on a 
statement like "doing this would require the user to keep n^2 keys pairs, which 
is too much" just doesn't make any sense any more - certainly not for 
individuals, not even for small organizations:  If n is determined by the 
number of correspondents you have, then squaring it still gives you a small 
number relative to current disk sizes.  Beyond that, everyone today (or in the 
near future) can be assumed to carry with them computing power that rivals or 
exceeds the fastest machines available back in the day - and to have an 
always-on network connection whose speed rivals that of *backbone* links back 
then.

Yes, there are real issues about how much you can trust that computer you carry 
around with you - but after the recent revelations, is the situation all that 
different for the servers you talk to, the routers in the network between you, 
the crypto accelerators many of the services use - hell, every piece of 
hardware and software.  For most people, that will always be the situation:  
They will not be in a position to check their hardware, much less build their 
own stuff from the ground up.  In this situation, about all you can do is try 
to present attackers with as many *different* targets as possible, so that they 
need to split their efforts.  It's guerrilla warfare instead of a massed army.

-- Jerry



Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-08 Thread Jaap-Henk Hoepman

> 
> Symmetric cryptography does a much easier thing. It combines data and some 
> mysterious data (key) in a way that you cannot extract data without the 
> mysterious data from the result. It's like a + b = c. Given c you need b to 
> find a. The tricks that are involved are mostly about sufficiently mixing 
> data, to make sure there's enough possible b's to never guess it correctly 
> and that all those b's have the same chance of being the one b. Preferably 
> even when you have both A and C, but that's really hard. 
> 
> So I'd say Bruce said that in an effort to move to more well understood 
> cryptography. It is also a way to move people towards simply better 
> algorithms, as most public key systems are very, very bad.

Funny. I would have said exactly the opposite: public key crypto is much better 
understood because it is based on mathematical theorems and reductions to 
(admittedly presumed) hard problems, whereas symmetric crypto is really a black 
art that mixes some simple bit wise operations and hopes for the best (yes, I 
know this is a bit of caricature...)

Jaap-Henk


Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-08 Thread Ray Dillinger

On 09/07/2013 07:51 PM, John Kelsey wrote:

> Pairwise shared secrets are just about the only thing that scales
> worse than public key distribution by way of PGP key fingerprints on
> business cards.
> If we want secure crypto that can be used by everyone, with minimal
> trust, public key is the only way to do it.
>
> One pretty sensible thing to do is to remember keys established in
> previous sessions, and use those combined with the next session.

You've answered your own conundrum!

Of course the idea of remembering keys established in previous
sessions and using them combined with keys negotiated in the next
session is a scalable way of establishing and updating pairwise
shared secrets.

In fact I'd say it's a very good idea.  One can use a distributed
public key (infrastructure fraught with peril and mismanagement)
for introductions, and thereafter communicate using a pairwise
shared secret key (locally managed) which is updated every time
you interact, providing increasing security against anyone who
hasn't monitored and retained *ALL* previous communications. In
order to get at your stash of shared secret keys Eve and Mallory
have to mount an attack on your particular individual machine,
which sort of defeats the "trawl everything by sabotaging vital
infrastructure at crucial points" model that they're trying to
accomplish.

One thing that weakens the threat model (so far) is that storage
is not yet so cheap that Eve can store *EVERYTHING*. If Eve has
to break all previous sessions before she can hand your current
key to Mallory, first her work factor is drastically increased,
second she has to have all those previous sessions stored, and
third, if Alice and Bob have ever managed even one secure exchange
or one exchange that's off the network she controls (say by local
bluetooth link) she fails. Fourth, even if she *can* store everything
and the trawl *has* picked up every session, she still has to guess
*which* of her squintillion stored encrypted sessions were part
of which stream of communications before she knows which ones
she has to break.

Bear



Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-08 Thread Andrea Shepard
On Sat, Sep 07, 2013 at 08:45:34PM -0400, Perry E. Metzger wrote:
> I'm unaware of an ECC equivalent of the Shor algorithm. Could you
> enlighten me on that?

Shor's algorithm is a Fourier transform, essentially.  It can find periods of
a function you can implement as a quantum circuit with only polynomially many
invocations.  In particular, when that function is exponentiation in a group,
it can find the orders of group elements.  This allows finding discrete
logarithms in BQP for any group in which exponentiation is in P.

-- 
Andrea Shepard

PGP fingerprint (ECC): 2D7F 0064 F6B6 7321 0844  A96D E928 4A60 4B20 2EF3
PGP fingerprint (RSA): 7895 9F53 C6D1 2AFD 6344  AF6D 35F3 6FFA CBEC CA80



Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-08 Thread Lodewijk andré de la porte
Public key depends on high level math. That math has some asymmetric
property that we can use to achieve the public-private key relationships.

The problem is that the discovery of smarter math can invalidate the
asymmetry and make it more symmetrical. This has to do with P=NP, which is
also less trivial than a first explanation makes it seem. If it becomes
even effectively symmetrical (P is that) it will stop having the nice
usable property.

Symmetric cryptography does a much easier thing. It combines data and some
mysterious data (key) in a way that you cannot extract data without the
mysterious data from the result. It's like a + b = c. Given c you need b to
find a. The tricks that are involved are mostly about sufficiently mixing
data, to make sure there's enough possible b's to never guess it correctly
and that all those b's have the same chance of being the one b. Preferably
even when you have both A and C, but that's really hard.

So I'd say Bruce said that in an effort to move to more well understood
cryptography. It is also a way to move people towards simply better
algorithms, as most public key systems are very, very bad.

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Christian Huitema
> Pairwise shared secrets are just about the only thing that scales worse than 
> public key distribution by way of PGP key fingerprints on business cards.  > 
> The equivalent of CAs in an all-symmetric world is KDCs.  Instead of having 
> the power to enable an active attack on you today, KDCs have the power
>  to enable a passive attack on you forever.  If we want secure crypto that 
> can be used by everyone, with minimal trust, public key is the only way to do 
> it.  

I am certainly not going to advocate Internet-scale KDC. But what if the 
application does not need to scale more than a "network of friends?"

-- Christian Huitema



Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread John Kelsey

On Sep 7, 2013, at 3:25 PM, "Christian Huitema"  wrote:

> Another argument is “minimal dependency.” If you use public key, you depend 
> on both the public key algorithm, to establish the key, and the symmetric key 
> algorithm, to protect the session. If you just use symmetric key, you depend 
> on only one algorithm.
> 
> Of course, that means getting pair-wise shared secrets, and protecting them. 
> Whether that’s harder or more fragile than maintaining a key ring is a matter 
> of debate. It is probably more robust than relying on CA.

Pairwise shared secrets are just about the only thing that scales worse than 
public key distribution by way of PGP key fingerprints on business cards.  The 
equivalent of CAs in an all-symmetric world is KDCs.  Instead of having the 
power to enable an active attack on you today, KDCs have the power to enable a 
passive attack on you forever.  If we want secure crypto that can be used by 
everyone, with minimal trust, public key is the only way to do it.  

One pretty sensible thing to do is to remember keys established in previous 
sessions, and use those combined with the next session.  For example, if we do 
Diffie-Hellman today and establish a shared key K, we should both store that 
key, and we should try to reuse it next time as an additional input into our 
KDF.  That is, next time we use Diffie-Hellman to establish K1, then we get 
actual-key = KDF(K1, K, other protocol details).  That means that if even one 
session was established securely, the communications are secure (up to the 
symmetric crypto strength) forevermore.  

> - -- Christian Huitema

--John
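The key-continuity scheme John Kelsey sketches (actual-key = KDF(K1, K, other protocol details)), together with the two consequences drawn from it earlier in the thread, as an added example that is not code from any of the posters or from any named library. It assumes a fresh per-session secret `session_secret` standing in for the Diffie-Hellman output K1 (constructed here as random bytes), a public `transcript` for the session, and HMAC-SHA256 keyed with the remembered key K as the KDF; the `CONTEXT` label, the `Peer` class and the `run_session`/`confirm_tag` helpers are all invented for the example. Three scenarios are worked through: honest peers stay in sync; a passive collector who missed even one session (Kelsey's and Ray Dillinger's point) cannot rejoin the chain; and an attacker who copies Alice's stored state and talks to Bob advances Bob's chain but not Alice's, so the next honest session fails key confirmation (Jerry Leichter's tamper-evidence observation).

```python
import hashlib
import hmac
import os

# Constructed protocol label standing in for "other protocol details".
CONTEXT = b"example-chained-kdf-v1"


def chain_kdf(remembered: bytes, session_secret: bytes, transcript: bytes) -> bytes:
    """actual-key = KDF(K1, K, other protocol details): HMAC-SHA256 keyed with the
    remembered key K over the fresh secret K1 and the public session context."""
    return hmac.new(remembered, session_secret + CONTEXT + transcript, hashlib.sha256).digest()


def confirm_tag(key: bytes, transcript: bytes) -> bytes:
    """Key-confirmation MAC so each side can check the peer derived the same key."""
    return hmac.new(key, b"confirm|" + transcript, hashlib.sha256).digest()


class Peer:
    def __init__(self, name: str):
        self.name = name
        self.remembered = b"\x00" * 32  # no prior session: K starts as a fixed public value

    def derive(self, session_secret: bytes, transcript: bytes) -> bytes:
        return chain_kdf(self.remembered, session_secret, transcript)

    def commit(self, key: bytes) -> None:
        self.remembered = key


def run_session(a: Peer, b: Peer, session_secret: bytes, transcript: bytes) -> bool:
    """One run between two peers. Both compute the same fresh secret (the DH stand-in),
    derive the chained key, and commit it only when key confirmation succeeds."""
    ka = a.derive(session_secret, transcript)
    kb = b.derive(session_secret, transcript)
    ok = hmac.compare_digest(confirm_tag(ka, transcript), confirm_tag(kb, transcript))
    if ok:
        a.commit(ka)
        b.commit(kb)
    return ok


def honest_sessions(n: int = 3) -> bool:
    """Honest peers agree on every session and end with identical remembered keys."""
    alice, bob = Peer("Alice"), Peer("Bob")
    results = [run_session(alice, bob, os.urandom(32), os.urandom(8)) for _ in range(n)]
    return all(results) and alice.remembered == bob.remembered


def passive_eve(n: int = 4, missed: int = 2) -> bool:
    """Eve replays the chain from everything she captured, but session `missed`
    happened off her network. Returns whether she ends up holding Bob's key."""
    alice, bob, eve = Peer("Alice"), Peer("Bob"), Peer("Eve")
    for i in range(n):
        secret, transcript = os.urandom(32), os.urandom(8)
        run_session(alice, bob, secret, transcript)
        known = secret if i != missed else b"\x00" * 32  # she has to guess the missed K1
        eve.commit(eve.derive(known, transcript))
    return eve.remembered == bob.remembered


def stolen_state_is_detected() -> tuple:
    """Eve copies Alice's stored chain key and talks to Bob. Bob cannot tell and
    commits; Alice did not advance, so the next Alice-Bob session fails confirmation."""
    alice, bob = Peer("Alice"), Peer("Bob")
    for _ in range(2):
        run_session(alice, bob, os.urandom(32), os.urandom(8))
    eve = Peer("Eve")
    eve.remembered = alice.remembered
    eve_accepted = run_session(eve, bob, os.urandom(32), os.urandom(8))
    alice_bob_ok = run_session(alice, bob, os.urandom(32), os.urandom(8))
    return eve_accepted, alice_bob_ok


if __name__ == "__main__":
    print("honest peers in sync:", honest_sessions())
    print("passive collector rejoins chain:", passive_eve())
    print("(eve accepted, later honest session ok):", stolen_state_is_detected())
```

The confirmation failure in the last scenario is the signal Jerry describes: it does not tell Alice who used her keys, only that Bob's view of the relationship moved on without her, which is exactly the tamper-evidence a plain long-lived pairwise secret cannot give. Note also what the example does not provide: an attacker who captured every session and the initial state can replay the chain, which is Christian Huitema's objection and the reason the fresh per-session secret still has to come from a public-key exchange.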

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Perry E. Metzger
On Sat, 7 Sep 2013 20:43:39 -0400 I wrote:
> To my knowledge, there is no ECC analog of Shor's algorithm.

...and it appears I was completely wrong on that.

See, for example: http://arxiv.org/abs/quant-ph/0301141

Senility gets the best of us.

Perry


Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Perry E. Metzger
On Sat, 7 Sep 2013 13:06:14 -0700
Tony Arcieri  wrote:
> In order to beat quantum computers, we need to use public key systems
> with no (known) quantum attacks, such as lattice-based (NTRU) or
> code-based (McEliece/McBits) algorithms. ECC and RSA will no longer
> be useful.

I'm unaware of an ECC equivalent of the Shor algorithm. Could you
enlighten me on that?

Perry


Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Perry E. Metzger
On Sat, 07 Sep 2013 13:01:53 -0700
Ray Dillinger  wrote:
> I think we can no longer rule out the possibility that some attacker
> somewhere (it's easy to point a finger at the NSA but it could be
> just as likely pointed at GCHQ or the IDF or Interpol) may have
> secretly developed a functional quantum computer with a qbus wide
> enough to handle key sizes in actual use.

In the same sense that we can no longer rule out the possibility that,
given modern synthetic biology techniques, someone has already come up
with a way to create pigs with wings. I see the possibility of the
quantum computer as slightly smaller, however.

> And IIRC, pretty much every asymmetric ciphersuite (including all
> public- key crypto) is vulnerable to some transformation of Shor's
> algorithm that is in fact practical to implement on such a machine.

To my knowledge, there is no ECC analog of Shor's algorithm.

Perry


Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Tony Arcieri
On Sat, Sep 7, 2013 at 1:01 PM, Ray Dillinger  wrote:

> And IIRC, pretty much every asymmetric ciphersuite (including all public-
> key crypto) is vulnerable to some transformation of Shor's algorithm that
> is in fact practical to implement on such a machine.


Lattice-based (NTRU) or code-based (McEliece/McBits) public key systems are
still considered "post-quantum" algorithms. There are no presently known
quantum algorithms that work against these sorts of systems.

See http://pqcrypto.org/

-- 
Tony Arcieri

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Derrell Piper
On Sep 6, 2013, at 11:51 PM, Marcus D. Leech  wrote:

> The other thing that I find to be a "dirty little secret" in PK systems is 
> revocation.  OCSP makes things, in some ways, "better" than CRLs, but I still
>  find them to be a kind of "swept under the rug" problem when people are 
> waxing enthusiastic about PK systems.

Well, there are other saddles, as it were.  SPKI/SDSI both offer a path forward 
without needing a trusted CA...



Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Bill Stewart



On 7/09/13 09:05 AM, Jaap-Henk Hoepman wrote:
>> Public-key cryptography is less well-understood than symmetric-key
>> cryptography. It is also tetchier than symmetric-key crypto, and
>> if you pay attention to us talking about issues with nonces,
>> counters, IVs, chaining modes, and all that, you see that saying
>> that it's tetchier than that is a warning indeed.
>
> You have the same issues with nonces, counters, etc. with symmetric
> crypto so I don't see how that makes it preferable over public key crypto.

At 12:57 AM 9/7/2013, ianG wrote:
> It's a big picture thing.  At the end of the day, symmetric crypto
> is something that good software engineers can master, and relatively
> well, in a black box sense.  Public key crypto not so easily, that
> requires real learning.  I for one am terrified of it.

Public-key crypto requires learning math, and math is hard (or at 
least ECC math is hard, and even prime-number-group math has some 
interesting tricks in it.)
Symmetric-key crypto is easy in a black-box sense, because most 
algorithms come with rules that say "You need to do this and not do 
that", yet the original PPTP did half a dozen things wrong with RC4 
even though the only rule is "never use the same state twice."
But if you want to look inside the black box, most of what's there is 
a lot of bit-twiddling, maybe in a Feistel network, and while you can 
follow the bits around and see what changes, there can still be 
surprises like the discovery of differential cryptanalysis.
Public-key crypto lets you use math to do the analysis, but [vast 
over-simplification] symmetric-key mostly lets you play around and 
decide if it's messy enough that you can't follow the bits.

But there are other traps that affect people with either kind of 
system.  Once PGP got past the Bass-o-matic stage, the biggest 
security problems were mostly things like variable-precision numbers 
that were trying so hard to save bits that you could trick the 
program into interpreting them differently and accepting bogus 
information.  Fortunately we'd never have problems like that today 
(yes, ASN.1 BER/DER, I'm looking at you), and nobody ever forgets 
to check array bounds (harder in modern languages than in C or 
Fortran, but still quite possible), or fails to validate input before 
using it (SQL injections), etc.



Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Ray Dillinger

On 09/06/2013 06:13 AM, Jaap-Henk Hoepman wrote:
> In this oped in the Guardian
>
> http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
>
> Bruce Schneier writes: "Prefer symmetric cryptography over public-key
> cryptography." The only reason I can think of is that for public key crypto you
> typically use an American (and thus subverted) CA to get the recipient's public key.
>
> What other reasons could there be for this advice?



I think we can no longer rule out the possibility that some attacker
somewhere (it's easy to point a finger at the NSA but it could be
just as likely pointed at GCHQ or the IDF or Interpol) may have
secretly developed a functional quantum computer with a qbus wide
enough to handle key sizes in actual use.

And IIRC, pretty much every asymmetric ciphersuite (including all public-
key crypto) is vulnerable to some transformation of Shor's algorithm that
is in fact practical to implement on such a machine.

Bear



Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Tony Arcieri
On Fri, Sep 6, 2013 at 6:13 AM, Jaap-Henk Hoepman  wrote:

> Bruce Schneier writes: "Prefer symmetric cryptography over public-key
> cryptography." The only reason I can think of is that for public key crypto
> you typically use an American (and thus subverted) CA to get the recipient's
> public key.
>

As soon as someone builds a large quantum computer (probably at least 10
years away, even for the NSA) most of the public key cryptosystems we use
today will be easily breakable with e.g. Shor's algorithm. Symmetric
algorithms will take a hit as well, with their keyspace cut in half, but
that's the equivalent of going from 256-bit keys to 255-bit keys, so
symmetric crypto will weather the post-quantum era just fine.

In order to beat quantum computers, we need to use public key systems with
no (known) quantum attacks, such as lattice-based (NTRU) or code-based
(McEliece/McBits) algorithms. ECC and RSA will no longer be useful.

--
Tony Arcieri

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Christian Huitema

Another argument is “minimal dependency.” If you use public key, you depend on 
both the public key algorithm, to establish the key, and the symmetric key 
algorithm, to protect the session. If you just use symmetric key, you depend on 
only one algorithm.

Of course, that means getting pair-wise shared secrets, and protecting them. 
Whether that’s harder or more fragile than maintaining a key ring is a matter 
of debate. It is probably more robust than relying on a CA.

-- Christian Huitema



Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Naif M. Otaibi
It boils down to this: symmetric crypto is much faster than asymmetric
crypto. Asymmetric crypto should only be used to exchange symmetric keys
and for signing.


On Sat, Sep 7, 2013 at 11:10 AM, Jaap-Henk Hoepman  wrote:

>
> > I have also, in debate with Jerry, opined that public-key cryptography
> is a powerful thing that can't be replaced with symmetric-key cryptography.
> That's something that I firmly believe. At its most fundamental, public-key
> crypto allows one to encrypt something to someone whom one does not have a
> prior security relationship with. That is powerful beyond words.
>
> I share that belief. Hence my desire to fully understand Bruce's remark.
>
> Strictly speaking you need some kind of security relationship: you need to
> be sure the public key belongs to the intended recipient (and is under his
> sole control). So public key crypto allows you to bootstrap from some
> authentic piece of information (public key belongs to X) to a confidential
> communication channel (with X).
>
> Jaap-Henk

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Jeffrey I. Schiller

On Sat, Sep 07, 2013 at 10:57:07AM +0300, ianG wrote:
> It's a big picture thing.  At the end of the day, symmetric crypto
> is something that good software engineers can master, and relatively
> well, in a black box sense.  Public key crypto not so easily, that
> requires real learning.  I for one am terrified of it.

Don’t be. There is no magic there. From what I can tell, there are two
different issues with public key.

1. Weaknesses in the math.
2. Fragility in use.

The NSA (or other national actors) may well have found a mathematical
weakness in any of the public key ciphers (frankly they may have found
a weakness in symmetric ciphers as well). Frankly, we just don’t know
here. Do we trust RSA more than Diffie-Hellman or any of the Elliptic
Curve techniques? Who knows. We can make our keys bigger and hope for
the best.

As for fragility. Generating random numbers is *hard*, particularly on
a day to day basis. When you generate a keypair with GPG/PGP it
prompts you to type in random keystrokes and move the mouse etc., all
in an attempt to gather as much entropy as possible. This is a pain,
but it makes sense for long-lived keys. People would not put up with
this if you had to do this for each session key. Fragile public key
systems (such as Elgamal and all of the variants of DSA) require
randomness at signature time. The consequence for failure is
catastrophic. Most systems need session keys, but the consequence for
failure in session key generation is the compromise of the
message. The consequence for failure in signature generation in a
fragile public key system is compromise of the long term key!

I wrote about this in NDSS 1991; I cannot find an on-line reference
to it though.

Then if you are a software developer, you have the harder problem of
not being able to control the environment your software will run on,
particularly as it applies to the availability of entropy.

So my advice.

Use RSA, choose a key as long as your paranoia. Like all systems, you
will need entropy to generate keys, but you won’t need entropy to use
it for encryption or for signatures.

-Jeff

___
Jeffrey I. Schiller
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room E17-110A, 32-392
Cambridge, MA 02139-4307
617.910.0259 - Voice
j...@mit.edu
http://jis.qyv.name
___

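Schiller's point about signature-time randomness, as an added illustration that is not code from the post or from any library: a toy DSA over a small, deterministically generated group, showing that two signatures made with the same nonce hand over the long-term private key, and a nonce derived from the key and message (in the spirit of RFC 6979, simplified rather than the RFC's exact construction) that removes the per-signature dependence on fresh entropy. The parameter sizes, fixed key, nonce and messages are constructed for the example.

```python
"""Toy DSA with small deterministic parameters (illustration only): a reused
nonce leaks the long-term key; a nonce derived from (key, message) does not."""
import hashlib

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_probable_prime(n):
    """Miller-Rabin with fixed bases (n > 37 assumed): deterministic for a toy."""
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_params(q=(1 << 89) - 1):
    """q = Mersenne prime M89; deterministic search for a prime p = k*q + 1."""
    k = 2
    while not is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1
    g = pow(2, (p - 1) // q, p)  # order-q generator (g == 1 has prob. ~2^-89)
    return p, q, g

def H(msg, q):  # message hash reduced into Z_q, as DSA does
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % q

def sign(params, x, msg, k):
    """Textbook DSA signature with a caller-supplied nonce k in [1, q-1]."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (H(msg, q) + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, choose another k")
    return r, s

def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    w = pow(s, -1, q)
    return pow(g, H(msg, q) * w % q, p) * pow(y, r * w % q, p) % p % q == r

def recover_key_from_reused_nonce(q, h1, sig1, h2, sig2):
    """Two signatures sharing r (same k) give k and hence x; None if identical."""
    (r, s1), (_, s2) = sig1, sig2
    if s1 == s2:
        return None
    k = (h1 - h2) * pow((s1 - s2) % q, -1, q) % q
    return (s1 * k - h1) * pow(r, -1, q) % q

def derive_nonce(x, q, msg):
    """Deterministic nonce in the spirit of RFC 6979 (simplified, not its KDF)."""
    tag = hashlib.sha256(x.to_bytes(32, "big") + H(msg, q).to_bytes(32, "big"))
    return 1 + int.from_bytes(tag.digest(), "big") % (q - 1)
```

Signing the same message twice with the derived nonce yields the identical signature, which is the one case where a repeated r reveals nothing; two different messages get different nonces without any runtime entropy.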

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Jaap-Henk Hoepman

> I have also, in debate with Jerry, opined that public-key cryptography is a 
> powerful thing that can't be replaced with symmetric-key cryptography. That's 
> something that I firmly believe. At its most fundamental, public-key crypto 
> allows one to encrypt something to someone whom one does not have a prior 
> security relationship with. That is powerful beyond words.

I share that belief. Hence my desire to fully understand Bruce's remark.

Strictly speaking you need some kind of security relationship: you need to be 
sure the public key belongs to the intended recipient (and is under his sole 
control). So public key crypto allows you to bootstrap from some authentic 
piece of information (public key belongs to X) to a confidential communication 
channel (with X).

Jaap-Henk


Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread ianG

On 7/09/13 09:05 AM, Jaap-Henk Hoepman wrote:
>> Public-key cryptography is less well-understood than symmetric-key
>> cryptography. It is also tetchier than symmetric-key crypto, and if you pay
>> attention to us talking about issues with nonces, counters, IVs, chaining
>> modes, and all that, you see that saying that it's tetchier than that is a
>> warning indeed.
>
> You have the same issues with nonces, counters, etc. with symmetric crypto so I
> don't see how that makes it preferable over public key crypto.

It's a big picture thing.  At the end of the day, symmetric crypto is 
something that good software engineers can master, and relatively well, 
in a black box sense.  Public key crypto not so easily, that requires 
real learning.  I for one am terrified of it.


Therefore, what Bruce is saying is that the architecture should 
recognise this disparity, and try and reduce the part played by public 
key crypto.  Wherever & whenever you can get part of the design over to 
symmetric crypto, do it.  Wherever & whenever you can use the natural 
business relationships to reduce the need for public key crypto, do that 
too!




iang

ps; http://iang.org/ssl/h2_divide_and_conquer.html#h2.4


Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-06 Thread Jon Callas


On Sep 6, 2013, at 11:05 PM, Jaap-Henk Hoepman  wrote:

>> 
>> Public-key cryptography is less well-understood than symmetric-key 
>> cryptography. It is also tetchier than symmetric-key crypto, and if you pay 
>> attention to us talking about issues with nonces, counters, IVs, chaining 
>> modes, and all that, you see that saying that it's tetchier than that is a 
>> warning indeed.
> 
> You have the same issues with nonces, counters, etc. with symmetric crypto so 
> I don't see how that makes it preferable over public key crypto.

Point taken.

Bruce made a quip, and I offered an explanation about why that quip might make 
sense. 

I have also, in debate with Jerry, opined that public-key cryptography is a 
powerful thing that can't be replaced with symmetric-key cryptography. That's 
something that I firmly believe. At its most fundamental, public-key crypto 
allows one to encrypt something to someone whom one does not have a prior 
security relationship with. That is powerful beyond words.

If you want to be an investigative reporter and want to say, "If you need to 
talk to me privately, use K" -- you can't do it with symmetric crypto; you have 
to use public-key. If you are a software developer and want to say, "If you 
find a bug in my system and want to tell me, use K" -- you can't do it with 
symmetric crypto.

Heck, if you want to leave someone a voicemail securely you've never talked to, 
you need public key crypto.

That doesn't make Bruce's quip wrong, it just makes it part of the whole story.

Jon



Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-06 Thread Jaap-Henk Hoepman
> 
> Public-key cryptography is less well-understood than symmetric-key 
> cryptography. It is also tetchier than symmetric-key crypto, and if you pay 
> attention to us talking about issues with nonces, counters, IVs, chaining 
> modes, and all that, you see that saying that it's tetchier than that is a 
> warning indeed.

You have the same issues with nonces, counters, etc. with symmetric crypto so I 
don't see how that makes it preferable over public key crypto.

Jaap-Henk


Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-06 Thread Marcus D. Leech
> The magic of public key crypto is that it gets rid of the key
> management problem -- if I'm going to communicate with you with
> symmetric crypto, how do I get the keys to you? The pain of it is that
> it replaces it with a new set of problems. Those problems include that
> the amazing power of public-key crypto tempts one to do things that
> may not be wise.


I find public-key cryptography to be full of "dirty little secrets".
Some of the notions inherent in public-key *infrastructure* are, on the
face of them, preposterous.  Consider the notion of a certificate
authority.  I am to trust some third party (the CA) that I've never met,
and have not the slightest reason to trust, is able to make a
"believable" assertion about the identity (and corresponding public-key
binding), of some *other* party I've never met, and have no real reason
to trust.  It always struck me as another instance of "there's no
problem in CS that can't be solved by adding another layer of
abstraction".  I think this is an instance of a general problem with
digitally-signed documents of all kinds: confusion about exactly what
they are--a signature on a document (like a certificate) says nothing
about the *essential truth* of the statements contained within the
document.  When SlushySign issues a certificate for
"www.crowbars-r-us.com", there's a subtle distinction between "we
believe this to be the appropriate binding between this public-key, and
an entity known as www.crowbars-r-us.com" and "this really is the
binding between this public-key, and the entity you all know as
www.crowbars-r-us.com".

I started thinking about the "essential truth" problem back when the
whole TPM thing was popular, and proponents were talking as if the
digital signature of a computer stating that it was "sane" was somehow
the same as said computer actually being "sane".  Absent independent
verification, there's no way to distinguish a strongly-signed "lie" from
a strongly-signed "truth".  That isn't necessarily a problem that's
confined to PK systems.  Any digital-signature scheme has that problem.

The other thing that I find to be a "dirty little secret" in PK systems
is revocation.  OCSP makes things, in some ways, "better" than CRLs, but
I still find them to be a kind of "swept under the rug" problem when
people are waxing enthusiastic about PK systems.

However, PK is the only pony we've managed to bring to this circus, so
we "make do" with making the "dirty little secrets" as inoffensive as
we can.




Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-06 Thread Jon Callas

On Sep 6, 2013, at 6:13 AM, Jaap-Henk Hoepman  wrote:

> In this oped in the Guardian
> 
> http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
> 
> Bruce Schneier writes: "Prefer symmetric cryptography over public-key 
> cryptography." The only reason I can think of is that for public key crypto 
> you typically use an American (and thus subverted) CA to get the recipient's 
> public key. 
> 
> What other reasons could there be for this advice?

Public-key cryptography is less well-understood than symmetric-key 
cryptography. It is also tetchier than symmetric-key crypto, and if you pay 
attention to us talking about issues with nonces, counters, IVs, chaining 
modes, and all that, you see that saying that it's tetchier than that is a 
warning indeed.

The magic of public key crypto is that it gets rid of the key management 
problem -- if I'm going to communicate with you with symmetric crypto, how do I 
get the keys to you? The pain of it is that it replaces it with a new set of 
problems. Those problems include that the amazing power of public-key crypto 
tempts one to do things that may not be wise.

Jon