[146831] in cryptography@c2.net mail archive

Re: [Cryptography] Why prefer symmetric crypto over public key

daemon@ATHENA.MIT.EDU (Jerry Leichter)
Sun Sep 8 13:29:56 2013

X-Original-To: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <522C8D9D.1090601@sonic.net>
Date: Sun, 8 Sep 2013 13:06:19 -0400
To: Ray Dillinger <bear@sonic.net>
Cc: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Sep 8, 2013, at 10:45 AM, Ray Dillinger wrote:
>> Pairwise shared secrets are just about the only thing that scales
>> worse than public key distribution by way of PGP key fingerprints on
>> business cards.  ....
>> If we want secure crypto that can be used by everyone, with minimal
>> trust, public key is the only way to do it.
>> 
>> One pretty sensible thing to do is to remember keys established in
>> previous sessions, and use those combined with the next session.
> 
> You've answered your own conundrum!
> 
> Of course the idea of remembering keys established in previous
> sessions and using them combined with keys negotiated in the next
> session is a scalable way of establishing and updating pairwise
> shared secrets....
It's even better than you make out.  If Eve does manage to get hold of Alice's current keys, and uses them to communicate with Bob, *after the communication, Bob will have updated his keys - but Alice will not have*.  The next time they communicate, they'll know they've been compromised.  That is, this is tamper-evident cryptography.

There was a proposal out there based on something very much like this to create tamper-evident signatures.  I forget the details - it was a couple of years ago - but the idea was that every time you sign something, you modify your key in some random way, resulting in signatures that are still verifiably yours, but also contain the new random modification.  Beyond that, I don't recall how it worked - it was quite clever... ah, here it is:  http://eprint.iacr.org/2005/147.pdf
                                                        -- Jerry

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
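
The tamper-evidence property described in the message above, as an added example that is not part of the original thread: each side remembers a key, mixes it with the secret from every new session, and a stolen copy used once leaves the legitimate owner out of step. The `Peer` class, the HMAC-SHA256 chaining and the `confirm` check are assumptions chosen for illustration; the random bytes stand in for whatever key the session actually negotiates.

```python
import hashlib
import hmac
import os


class Peer:
    """One end of a pairwise relationship that carries a remembered key forward."""

    def __init__(self, remembered_key):
        self.chain = remembered_key

    def confirm(self):
        # Proof of which remembered key this side currently holds.
        return hmac.new(self.chain, b"confirm", hashlib.sha256).digest()

    def ratchet(self, session_secret):
        # New remembered key = HMAC(old remembered key, this session's secret).
        self.chain = hmac.new(self.chain, session_secret, hashlib.sha256).digest()


def run_session(initiator, responder):
    """Return True if both sides hold the same remembered key, then update both.

    A mismatch means someone else has used one side's key since the last
    session, so the session is refused and no state changes.
    """
    if not hmac.compare_digest(initiator.confirm(), responder.confirm()):
        return False
    fresh = os.urandom(32)  # stand-in for the key negotiated in this session
    initiator.ratchet(fresh)
    responder.ratchet(fresh)
    return True


def demo():
    seed = os.urandom(32)  # constructed initial shared secret
    alice, bob = Peer(seed), Peer(seed)
    results = [run_session(alice, bob)]      # honest session, both ratchet
    eve = Peer(alice.chain)                  # Eve copies Alice's current key
    results.append(run_session(eve, bob))    # accepted: Bob ratchets, Alice does not
    results.append(run_session(alice, bob))  # Alice's key is now stale: detected
    return results


if __name__ == "__main__":
    print(demo())
```
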