[146801] in cryptography@c2.net mail archive
Re: [Cryptography] Why prefer symmetric crypto over public key
daemon@ATHENA.MIT.EDU (John Kelsey)
Sun Sep 8 02:51:55 2013
X-Original-To: cryptography@metzdowd.com
From: John Kelsey <crypto.jmk@gmail.com>
In-Reply-To: <025701ceac00$07d77020$17865060$@huitema.net>
Date: Sat, 7 Sep 2013 22:51:11 -0400
To: "cryptography@metzdowd.com List" <cryptography@metzdowd.com>
On Sep 7, 2013, at 3:25 PM, "Christian Huitema" <huitema@huitema.net> wrote:

> Another argument is “minimal dependency.” If you use public key, you depend on both the public key algorithm, to establish the key, and the symmetric key algorithm, to protect the session. If you just use symmetric key, you depend on only one algorithm.
>
> Of course, that means getting pair-wise shared secrets, and protecting them. Whether that’s harder or more fragile than maintaining a key ring is a matter of debate. It is probably more robust than relying on CA.

Pairwise shared secrets are just about the only thing that scales worse than public key distribution by way of PGP key fingerprints on business cards. The equivalent of CAs in an all-symmetric world is KDCs. Instead of having the power to enable an active attack on you today, KDCs have the power to enable a passive attack on you forever. If we want secure crypto that can be used by everyone, with minimal trust, public key is the only way to do it.

One pretty sensible thing to do is to remember keys established in previous sessions, and use those combined with the next session. For example, if we do Diffie-Hellman today and establish a shared key K, we should both store that key, and we should try to reuse it next time as an additional input into our KDF. That is, next time we use Diffie-Hellman to establish K1, then we get actual-key = KDF(K1, K, other protocol details). That means that if even one session was established securely, the communications are secure (up to the symmetric crypto strength) forevermore.

> - -- Christian Huitema

--John
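The key chaining John describes, as an added example that is not part of the post or of any project discussed on the list. It assumes HKDF-SHA256 as the KDF, the stored key from the last session as the HKDF salt (an all-zero salt for the first session), and replaces the Diffie-Hellman exchange with constructed shared random bytes; `run_sessions` then checks that a passive attacker who missed even one session's DH output cannot follow the chain.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Minimal HKDF (RFC 5869) over SHA-256, written here for the demo.
def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # extract
    out, block, counter = b"", b"", 1
    while len(out) < length:                                    # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def chained_key(fresh_dh_secret: bytes, previous_key: Optional[bytes], details: bytes) -> bytes:
    """actual-key = KDF(K1, K, other protocol details), as in the post.
    Assumption: the key stored from the previous session is used as the HKDF salt;
    an all-zero salt stands in for the very first session, when nothing is stored yet."""
    salt = previous_key if previous_key is not None else bytes(32)
    return hkdf(salt, fresh_dh_secret, b"chained-session-key|" + details)

class Party:
    """Each side remembers the last derived key across sessions."""
    def __init__(self) -> None:
        self.stored: Optional[bytes] = None
    def new_session(self, dh_secret: bytes, details: bytes) -> bytes:
        self.stored = chained_key(dh_secret, self.stored, details)
        return self.stored

def run_sessions(dh_secrets: List[bytes], attacker_knows: List[bool]) -> Tuple[bool, bool]:
    """dh_secrets[i] is session i's DH output, identical on both sides (a constructed
    stand-in for real DH). attacker_knows[i] says whether a passive attacker learned
    that session's DH output. Returns (both sides agree, attacker derives the final key).
    Needs at least one session."""
    alice, bob = Party(), Party()
    attacker_chain: Optional[bytes] = None   # None = attacker has lost the chain
    lost_chain = False
    for i, secret in enumerate(dh_secrets):
        details = b"session-%d" % i
        ka, kb = alice.new_session(secret, details), bob.new_session(secret, details)
        if attacker_knows[i] and not lost_chain:
            attacker_chain = chained_key(secret, attacker_chain, details)
        else:
            # Missing this session's secret, or an earlier link, leaves the attacker
            # nothing better than guessing a 256-bit stored key: the chain is gone.
            lost_chain, attacker_chain = True, None
    return ka == kb, attacker_chain == ka
```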