Insecurity of public key crypto #2 (reply to May)
[The BBS I use seems to have brain damage. Apologies if this has already been posted.]
From: tcmay@netcom.netcom.com (Timothy C. May) Subject: Re: Mac encryption Date: Wed, 23 Feb 1994 09:56:40 -0800 (PST)
Ron Davis writes:
(quoting me [T.C.M.])
MacPGP, available by anonymous ftp from the soda.berkeley.edu site, is the only one I know of using public key methods, and hence the only one of real interest to Cypherpunks.
The problem with symmetrical ciphers is one of *scaling*.
Since a key must be exchanged with each other person, the total number of keys grows rapidly as the community of participants increases. At any stage, the key may be lost, stolen, observed, shared with the Feds, etc. A community of 700 participants, as here on Cypherpunks, would mean each person would have to generate, exchange (securely!), and store 700 specific keys for use just with others.
Anybody with 700 co-conspirators is asking for trouble, since at least one of them is sure to be a federal agent. Encryption is for concealing "sensitive" information. If it's not sensitive, why bother? If it is sensitive then you'd better be damn sure you can trust the person you're sending it to.
This is the famed "key distribution problem."
With public key methods, this problem is largely solved. Each person can generate his or her own key, publish the public key part of it, and be done with it.
It's not that simple. Terry Ritter has pointed out on sci.crypt that the problem with PGP is the validation of public keys used. In other words, the security hole in the use of PGP is not in the encryption methods used, or in the use of PGP itself, but in the possibility of being duped by someone (or some nefarious federal agency) spreading bogus public keys. It's not enough to have a public key which you believe is the public key of a person you wish to communicate securely with - you also have to be sure that the private key which corresponds to this public key is known only to that person, in other words, that the public key really did come from the person you believe it came from. If you get the (presumed) public key of some person X from some directory of public keys, or from some third party, how can you be sure it didn't originate with someone who wants to monitor all the encrypted messages being sent to X? Terry Ritter has explained how a third party can place themselves in the middle of encrypted communications between two people using PGP and monitor everything they say to each other - and this without having to crack RSA or IDEA. This method of eavesdropping applies only to public key encryption systems, not to secret key systems, so I suggest that the latter are still of interest (even to cypherpunks), not only for encrypting data that stays on your hard disk but also for encrypted communications. 
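To make the key-validation point concrete, here is an added example (not from this thread or from PGP) modelling the situation described above: an unauthenticated key directory hands out whatever key is filed under X's name, so a reader who trusts the directory alone cannot tell X's key from a substituted one, while comparing the key's fingerprint against one obtained directly from X catches the substitution. `PublicKey`, `KeyDirectory` and the SHA-256 fingerprint are constructed stand-ins, not PGP's own key or fingerprint format.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    """Constructed stand-in for public key material. A real key would carry an
    RSA modulus and exponent; the validation logic below does not depend on that."""
    owner: str
    material: bytes


def fingerprint(key: PublicKey) -> str:
    """Short hash of the key material, in the role PGP's key fingerprint plays:
    something X can read to you over the phone or print on a card."""
    return hashlib.sha256(key.material).hexdigest()[:32]


class KeyDirectory:
    """An unauthenticated directory: names map to keys, and whoever can write
    to it can replace an entry. It asserts nothing about who published a key."""
    def __init__(self):
        self._keys = {}

    def publish(self, key: PublicKey):
        self._keys[key.owner] = key

    def lookup(self, name: str) -> PublicKey:
        return self._keys[name]


def fetch_unverified(directory: KeyDirectory, name: str) -> PublicKey:
    """Naive procedure: accept whatever the directory returns for X."""
    return directory.lookup(name)


def fetch_verified(directory: KeyDirectory, name: str, expected_fp: str):
    """Checked procedure: accept the directory's key only if its fingerprint
    matches one obtained out of band from X. Returns None when it does not,
    i.e. when the directory entry is not the key X actually holds."""
    key = directory.lookup(name)
    return key if fingerprint(key) == expected_fp else None


def demo():
    bob_key = PublicKey("bob", b"constructed-key-material-held-by-bob")
    other_key = PublicKey("bob", b"constructed-key-material-filed-under-bob-by-someone-else")
    directory = KeyDirectory()
    directory.publish(bob_key)
    bob_fp = fingerprint(bob_key)      # Bob gives Alice this fingerprint in person
    directory.publish(other_key)       # the "bob" entry is later replaced
    naive = fetch_unverified(directory, "bob")
    checked = fetch_verified(directory, "bob", bob_fp)
    # (naive lookup returned the replaced key, checked lookup rejected it)
    return naive.material == other_key.material, checked is None
```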
From owner-cypherpunks Tue Mar 1 12:11:49 1994
Message-Id: <m0pbaUt-000CAaC@wet.uucp>
Date: Tue, 1 Mar 94 11:52 PST
From: wet!naga (Peter Davidson)
To: cypherpunks@toad.com
Subject: Insecurity of public key crypto #1 (reply to Mandl)
[My BBS is having fits lately. Apologies if this has already been posted.]
Date: Wed, 23 Feb 94 12:13:57 EST From: dmandl@lehman.com (David Mandl) Subject: Re: Mac encryption
The invention (discovery?) of public-key crypto changed the world, and makes practical everyday use of crypto infinitely easier.
Infinitely? You mean there is absolutely *no* difficulty involved in using PGP? I quit using it quite a while back. Couldn't be bothered with the hassle.
It also makes the kinds of specific things cypherpunks are interested in much more practical (or POSSIBLE).
Digital signatures, yes. I haven't had a need for 'em so far (I'm not setting up a digital bank).
If you correspond with hundreds of people on a regular basis, including people you don't know and people you may send something to once and never deal with again, it is impractical to say the least to have to generate and exchange keys.
Only "sensitive" information is worth encrypting and if you want to stay out of trouble you don't go giving sensitive information to someone you don't know. A certain mutual knowledge and trust between two people has to be established before any exchange of sensitive information.
Why was public key crypto invented at all? Why are people interested in using it? Practically, it's really fundamentally different from symmetric crypto, which is of very limited use in the situation we're all in now (anonymous communication, the net, quick hit-and-run dissemination of information, digital signatures, etc., etc.).
Crypto is for concealing information from those you don't want to see it. Public key crypto is thus not fundamentally different from symmetric key crypto. The difference is in communication of the encryption key, which is not a fundamental difference. Both kinds of crypto have problems when it comes to key distribution. In the case of secret key the problem is in keeping the key secret. In the case of public key the problem is in validating the public key.
PGP also has the "web of trust" structure built in.
"Trust"? Sure. Just trust the person you got X's public key from (who got it from someone who got it from who knows?). So is X's public key really X's public key? Sure, just trust that it's so, then send X a message and trust that it won't be intercepted by whoever put out the bogus public key for X.
Peter Davidson sez:
This is the famed "key distribution problem."
With public key methods, this problem is largely solved. Each person can generate his or her own key, publish the public key part of it, and be done with it.
It's not that simple. Terry Ritter has pointed out on sci.crypt that the problem with PGP is the validation of public keys used. In other words, the security hole in the use of PGP is not in the encryption methods used, or in the use of PGP itself, but in the possibility of being duped by someone (or some nefarious federal agency) spreading bogus public keys. It's not enough to have a public key which you believe is the public key of a person you wish to communicate securely with - you also have to be sure that the private key which corresponds to this public key is known only to that person, in other words, that the public key really did come from the person you believe it came from. If you get the (presumed) public key of some person X from some directory of public keys, or from some third party, how can you be sure it didn't originate with someone who wants to monitor all the encrypted messages being sent to X? Terry Ritter has explained how a third party can place themselves in the middle of encrypted communications between two people using PGP and monitor everything they say to each other - and this without having to crack RSA or IDEA.
Ah, yes. The man in the middle again. If a protocol existed that could guarantee detection of the man in the middle, then it would only need be used once with each conversant to exchange public keys reliably. The whole problem of public key distribution would then be solved. As many of you know, I believe such a protocol exists. :-) Without this detection capability in some form, public key has few advantages except that you only need one of them. A significant advantage, I admit, but it doesn't seem to solve anything. Exchanging keys between point A and point B requires a chain of trust with no possibility of a man in the middle, not the sort of thing people want to mess with.
Peace,
Bob
--
Bob Cain rcain@netcom.com 408-354-8021
"I used to be different. But now I'm the same."
--------------PGP 1.0 or 2.0 public key available on request.------------------