----- Forwarded message from Bill Stewart <bill.stewart@pobox.com> -----

Date: Sat, 07 Sep 2013 11:07:39 -0700
From: Bill Stewart <bill.stewart@pobox.com>
To: cryptography@metzdowd.com
Subject: Re: [Cryptography] Why prefer symmetric crypto over public key crypto?
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9

On 7/09/13 09:05 AM, Jaap-Henk Hoepman wrote:
Public-key cryptography is less well-understood than symmetric-key cryptography. It is also tetchier than symmetric-key crypto, and if you pay attention to us talking about issues with nonces, counters, IVs, chaining modes, and all that, you see that saying that it's tetchier than that is a warning indeed.
You have the same issues with nonces, counters, etc. with symmetric crypto so I don't see how that makes it preferable over public key crypto.
At 12:57 AM 9/7/2013, ianG wrote:
It's a big picture thing. At the end of the day, symmetric crypto is something that good software engineers can master, and relatively well, in a black box sense. Public key crypto not so easily, that requires real learning. I for one am terrified of it.
Public-key crypto requires learning math, and math is hard (or at least ECC math is hard, and even prime-number-group math has some interesting tricks in it.)

Symmetric-key crypto is easy in a black-box sense, because most algorithms come with rules that say "You need to do this and not do that", yet the original PPTP did half a dozen things wrong with RC4 even though the only rule is "never use the same state twice."

But if you want to look inside the black box, most of what's there is a lot of bit-twiddling, maybe in a Feistel network, and while you can follow the bits around and see what changes, there can still be surprises like the discovery of differential cryptanalysis.

Public-key crypto lets you use math to do the analysis, but [vast over-simplification] symmetric-key mostly lets you play around and decide if it's messy enough that you can't follow the bits.

But there are other traps that affect people with either kind of system. Once PGP got past the Bass-o-matic stage, the biggest security problems were mostly things like variable-precision numbers that were trying so hard to save bits that you could trick the program into interpreting them differently and accepting bogus information. Fortunately we'd never have problems like that today (yes, ASN.1 BER/DER, I'm looking at you....), and nobody ever forgets to check array bounds (harder in modern languages than in C or Fortran, but still quite possible), or fails to validate input before using it (SQL injections), etc.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

----- End forwarded message -----
--
Eugen* Leitl http://leitl.org
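
The remark above about variable-length numbers and ASN.1 BER/DER can be made concrete with a strict DER length decoder that accepts exactly one byte representation per length and bounds-checks it against the input. This is an added example, not part of the forwarded message or of any participant's code; `read_der_length`, `check_samples` and the sample bytes are constructed for illustration.

```python
class DERError(ValueError):
    """Raised when a length field is not valid DER."""

def read_der_length(buf, pos=0):
    """Return (length, next_pos) for the length field starting at buf[pos]."""
    if pos >= len(buf):
        raise DERError("truncated: no length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:                          # short form, 0..127
        length = first
    elif first == 0x80:
        raise DERError("indefinite length is BER-only")
    elif first == 0xFF:
        raise DERError("reserved length octet 0xFF")
    else:
        n = first & 0x7F                      # count of following length octets
        if pos + n > len(buf):
            raise DERError("truncated: length octets run past buffer")
        octets = buf[pos:pos + n]
        if octets[0] == 0x00:
            raise DERError("non-minimal: leading zero length octet")
        length = int.from_bytes(octets, "big")
        if length < 0x80:
            raise DERError("non-minimal: long form used for length < 128")
        pos += n
    if length > len(buf) - pos:               # bounds check before any slicing
        raise DERError("declared length exceeds remaining input")
    return length, pos

# Constructed samples: OCTET STRING "abc" in several BER spellings.
SAMPLES = {
    "der_short_form":   bytes.fromhex("0403616263"),
    "ber_long_form":    bytes.fromhex("048103616263"),        # 0x81 0x03
    "ber_leading_zero": bytes.fromhex("04820003616263"),      # 0x82 0x00 0x03
    "ber_indefinite":   bytes.fromhex("248004036162630000"),  # constructed, 0x80
    "overlong_claim":   bytes.fromhex("047f616263"),          # claims 127 bytes
}

def check_samples():
    """Map each sample name to 'ok len=N' or 'rejected: reason'."""
    results = {}
    for name, blob in SAMPLES.items():
        try:
            length, _ = read_der_length(blob, 1)   # skip the one-byte tag
            results[name] = f"ok len={length}"
        except DERError as exc:
            results[name] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name:18} {verdict}")
```

A lenient BER reader would accept the first four samples as the same value, which is how two components can disagree about what a signed or hashed blob contains.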