[Cryptography] Why prefer symmetric crypto over public key crypto?

Eugen Leitl eugen@leitl.org
Sat Sep 7 04:00:56 PDT 2013


----- Forwarded message from "Marcus D. Leech" <mleech@ripnet.com> -----

Date: Fri, 06 Sep 2013 23:51:49 -0400
From: "Marcus D. Leech" <mleech@ripnet.com>
To: cryptography@metzdowd.com
Subject: Re: [Cryptography] Why prefer symmetric crypto over public key crypto?
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130805 Thunderbird/17.0.8


> 
> The magic of public key crypto is that it gets rid of the key
> management problem -- if I'm going to communicate with you with
> symmetric crypto, how do I get the keys to you? The pain of it is
> that it replaces it with a new set of problems. Those problems
> include that the amazing power of public-key crypto tempts one to
> do things that may not be wise.
> 
I find public-key cryptography to be full of "dirty little secrets".
Some of the notions inherent in public-key *infrastructure* are, on
the face of them, preposterous.  Consider the notion of a certificate
authority.  I am to trust some third party (the CA) that I've never
met, and have not the slightest reason to trust, is able to make a
"believable" assertion about the identity (and corresponding
public-key binding) of some *other* party I've never met, and have no
real reason to trust.  It always struck me as another instance of
"there's no problem in CS that can't be solved by adding another layer
of abstraction".  I think this is an instance of a general problem
with digitally-signed documents of all kinds: confusion about exactly
what they are--a signature on a document (like a certificate) says
nothing about the *essential truth* of the statements contained within
the document.  When SlushySign issues a certificate for
"www.crowbars-r-us.com", there's a subtle distinction between "we
believe this to be the appropriate binding between this public-key,
and an entity known as www.crowbars-r-us.com" and "this really is the
binding between this public-key, and the entity you all know as
www.crowbars-r-us.com".

I started thinking about the "essential truth" problem back when the
whole TPM thing was popular, and proponents were talking as if the
digital signature of a computer stating that it was "sane" was somehow
the same as said computer actually being "sane".  Absent independent
verification, there's no way to distinguish a strongly-signed "lie"
from a strongly-signed "truth".  That isn't necessarily a problem
that's confined to PK systems.  Any digital-signature scheme has that
problem.


The other thing that I find to be a "dirty little secret" in PK
systems is revocation.  OCSP makes things, in some ways, "better" than
CRLs, but I still find them to be a kind of "swept under the rug"
problem when people are waxing enthusiastic about PK systems.

However, PK is the only pony we've managed to bring to this circus,
so we "make do" with making the "dirty little secrets" as inoffensive
as we can.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
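The two points in the forwarded message that bite practitioners most are easy to show in code: a certificate's signature proves only that the CA signed that particular binding, not that the binding is true, and a verifier that checks the signature but never consults revocation data will accept a certificate the CA has already withdrawn. The following is an added example written for this page, not code from the thread or from any of the people quoted in it. It assumes a toy textbook-RSA signature over a SHA-256 digest standing in for a real signature algorithm (no padding; for illustration only), a constructed JSON certificate format with a serial, subject and public key, and a CRL modelled as a set of revoked serials; the CA and site names come from the message.

```python
"""Added example: what a certificate signature does and does not establish.

Assumptions (not from the thread): textbook RSA over a SHA-256 digest stands
in for a real signature scheme, certificates are canonical JSON, and a CRL is
a plain set of revoked serial numbers.
"""
import hashlib
import json
import math
import random


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test (trial division first for speed)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    """Random prime with the top bit set, so p*q has exactly 2*bits bits."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def keygen(bits: int = 512, seed=None):
    """Return (public, private) = ((n, e), (n, d)). seed only makes the demo reproducible."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(data: bytes) -> int:
    # SHA-256 is 256 bits, always smaller than the 512-bit modulus used here.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest_int(data), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return 0 < sig < n and pow(sig, e, n) == _digest_int(data)


def encode_tbs(tbs: dict) -> bytes:
    """Canonical encoding of the to-be-signed fields (constructed format)."""
    return json.dumps(tbs, sort_keys=True, separators=(",", ":")).encode()


def issue(ca_priv, serial: int, subject: str, subject_pub) -> dict:
    """The CA asserts 'this key belongs to this subject' by signing the binding."""
    tbs = {"serial": serial, "subject": subject, "pubkey": list(subject_pub)}
    return {"tbs": tbs, "sig": sign(ca_priv, encode_tbs(tbs))}


def validate(cert: dict, ca_pub, crl=None) -> str:
    """Return 'ok', 'bad-signature' or 'revoked'. With crl=None revocation is skipped."""
    if not verify(ca_pub, encode_tbs(cert["tbs"]), cert["sig"]):
        return "bad-signature"
    if crl is not None and cert["tbs"]["serial"] in crl:
        return "revoked"
    return "ok"


def demo() -> dict:
    """Constructed scenario: SlushySign issues one genuine and one mistaken binding."""
    ca_pub, ca_priv = keygen(seed=1)
    site_pub, _ = keygen(seed=2)     # key actually held by the site
    other_pub, _ = keygen(seed=3)    # key the site does NOT control
    name = "www.crowbars-r-us.com"
    genuine = issue(ca_priv, 1, name, site_pub)
    # The CA is persuaded to bind the same name to the wrong key. The
    # signature on this "lie" is exactly as strong as the one on the truth.
    misissued = issue(ca_priv, 2, name, other_pub)
    crl = {2}                        # the CA later withdraws serial 2
    # Editing the signed fields is what a signature DOES catch.
    tampered = {"tbs": {**misissued["tbs"], "pubkey": list(site_pub)}, "sig": misissued["sig"]}
    return {
        "genuine": validate(genuine, ca_pub, crl),              # ok
        "misissued_no_crl": validate(misissued, ca_pub),        # ok: signed lie verifies
        "misissued_with_crl": validate(misissued, ca_pub, crl), # revoked
        "tampered": validate(tampered, ca_pub),                 # bad-signature
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20s} {v}")
```

The interesting row is `misissued_no_crl`: nothing in the signature check distinguishes the mistaken binding from the genuine one, which is the "strongly-signed lie" of the message. Only out-of-band information (here the CRL; in real deployments CRLs, OCSP, or a CT log review) lets the relying party learn that the CA no longer stands behind serial 2, and a verifier that treats `crl=None` as "fine" silently keeps accepting it.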


