----- Forwarded message from "Jeffrey I. Schiller" <jis@mit.edu> -----

Date: Sat, 7 Sep 2013 10:05:22 -0400
From: "Jeffrey I. Schiller" <jis@mit.edu>
To: ianG <iang@iang.org>
Cc: cryptography@metzdowd.com
Subject: Re: [Cryptography] Why prefer symmetric crypto over public key crypto?
User-Agent: Mutt/1.5.21 (2010-09-15)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Sep 07, 2013 at 10:57:07AM +0300, ianG wrote:
> It's a big picture thing. At the end of the day, symmetric crypto is
> something that good software engineers can master, and relatively well,
> in a black box sense. Public key crypto not so easily, that requires real
> learning. I for one am terrified of it.

Don't be. There is no magic there.

From what I can tell, there are two different issues with public key.

1. Weaknesses in the math.
2. Fragility in use.

The NSA (or other national actors) may well have found a mathematical
weakness in any of the public key ciphers (frankly they may have found a
weakness in symmetric ciphers as well). Frankly, we just don't know here.
Do we trust RSA more than Diffie-Hellman or any of the Elliptic Curve
techniques? Who knows. We can make our keys bigger and hope for the best.

As for fragility. Generating random numbers is *hard*, particularly on a
day to day basis. When you generate a keypair with GPG/PGP it prompts you
to type in random keystrokes and move the mouse etc., all in an attempt to
gather as much entropy as possible. This is a pain, but it makes sense for
long-lived keys. People would not put up with this if you had to do this
for each session key.

Fragile public key systems (such as Elgamal and all of the variants of
DSA) require randomness at signature time. The consequence for failure is
catastrophic. Most systems need session keys, but the consequence for
failure in session key generation is the compromise of the message. The
consequence for failure in signature generation in a fragile public key
system is compromise of the long term key! I wrote about this in NDSS
1991.... I cannot find an on-line reference to it though.

Then if you are a software developer, you have the harder problem of not
being able to control the environment your software will run on,
particularly as it applies to the availability of entropy.

So my advice. Use RSA, choose a key as long as your paranoia. Like all
systems, you will need entropy to generate keys, but you won't need
entropy to use it for encryption or for signatures.

- -Jeff

_______________________________________________________________________
Jeffrey I. Schiller
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room E17-110A, 32-392
Cambridge, MA 02139-4307
617.910.0259 - Voice
jis@mit.edu
http://jis.qyv.name
_______________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFSKzKi8CBzV/QUlSsRAhoSAJ98g7NreJwIK+aYODM1zDsVsreMCQCcD2R9
vnvmNc4Uo45+ckUFQafuE4U=
=x9bK
-----END PGP SIGNATURE-----

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

----- End forwarded message -----

-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
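The fragility Jeff describes (DSA-family schemes needing fresh randomness at every signature, with the long-term key as the price of failure) can be made concrete with a toy DSA. The following is an added example, not code from the mailing-list post or from any project mentioned in it; the group parameters are constructed by a small deterministic search and are far too small for real use, the message strings are made up, and the deterministic-nonce function is a simplified HMAC-based construction in the spirit of RFC 6979, not the exact RFC procedure. It shows both sides: a nonce handed out twice by a broken RNG lets the private key be recovered algebraically from two signatures, while deriving the nonce from the key and message removes the runtime entropy requirement entirely, which is the mitigation a defender would reach for when RSA is not an option.

```python
"""Toy DSA illustrating why per-signature randomness is 'fragile'.

Added example, not from the mailing-list post. Parameters are tiny and
constructed (about 20-bit q); never use this for anything real.
"""
import hashlib
import hmac
import secrets


def _is_prime(n):
    """Trial division; adequate for the ~2^20 toy parameters used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def find_params(start=1_000_003):
    """Deterministically find a safe-prime pair p = 2q + 1 and a generator
    of order q. Constructed toy parameters, chosen only so that accidental
    hash collisions mod q are unlikely in the demo."""
    q = start
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    g = pow(2, 2, p)  # a square has order q in the safe-prime group
    return p, q, g


P, Q, G = find_params()


def _hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen(x=None):
    """Long-term key. Entropy is needed here once; this is the step the
    post says users will tolerate a slow entropy-gathering prompt for."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x, msg, k):
    """DSA signature with an explicitly supplied nonce k, 1 <= k < Q."""
    h = _hash_to_int(msg)
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (h + x * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, pick another")
    return r, s


def verify(y, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    h = _hash_to_int(msg)
    w = pow(s, -1, Q)
    u1, u2 = (h * w) % Q, (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r


def deterministic_nonce(x, msg):
    """Simplified RFC 6979-style idea (assumption: not the RFC's exact
    construction): derive k from the private key and the message with HMAC,
    so signing needs no runtime entropy and never repeats k across
    different messages."""
    h = _hash_to_int(msg).to_bytes(4, "big")
    mac = hmac.new(x.to_bytes(4, "big"), h, hashlib.sha256).digest()
    return 1 + int.from_bytes(mac, "big") % (Q - 1)


def recover_key_from_reused_nonce(msg1, sig1, msg2, sig2):
    """What the failure mode looks like: two signatures made with the same
    k (hence the same r) give away x. Included so the 'catastrophic'
    consequence in the post is concrete; the deterministic nonce above is
    the fix."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("different nonces were used; nothing to recover")
    h1, h2 = _hash_to_int(msg1), _hash_to_int(msg2)
    k = (((h1 - h2) % Q) * pow((s1 - s2) % Q, -1, Q)) % Q
    return (((s1 * k - h1) % Q) * pow(r1, -1, Q)) % Q


def demo():
    """Returns (key leaked by nonce reuse?, deterministic sig verifies?,
    deterministic signing is repeatable without an RNG?)."""
    x, y = keygen(777)                      # fixed key so the demo is repeatable
    m1, m2 = b"transfer 10", b"transfer 20"  # constructed messages
    # Fragile path: a broken RNG hands out k = 42 twice.
    bad1 = sign(x, m1, 42)
    bad2 = sign(x, m2, 42)
    leaked = recover_key_from_reused_nonce(m1, bad1, m2, bad2)
    # Robust path: nonce derived from key + message, no RNG at signing time.
    det = sign(x, m1, deterministic_nonce(x, m1))
    again = sign(x, m1, deterministic_nonce(x, m1))
    return leaked == x, verify(y, m1, det), det == again


if __name__ == "__main__":
    print(demo())
```

The design point is the one in the post: `keygen` is the only place that touches the OS entropy source, so a machine with a poor entropy supply at signing time (an embedded device, a freshly cloned VM) can no longer turn one bad draw into a long-term key compromise.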