[cryptography] Why using asymmetric crypto like symmetric crypto isn't secure

Jon Callas jon at callas.org
Sun Nov 4 16:57:30 EST 2012


On Nov 3, 2012, at 7:03 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:

> Jon Callas <jon at callas.org> writes:
>> Which immediately prompts the question of "what if it's long or secret?" [1]
>> This attack doesn't work on that.
> The "asymmetric-as-symmetric" was proposed about a decade ago as a means of
> protecting against new factorisation attacks, and was deployed as a commercial
> product.  I don't recall them keeping the exponent secret because there wasn't
> any need to... until now that is.  So I think Taral's comment about not using
> crypto in novel ways is quite apropos here, the asymm-as-sym concept only
> protected you against the emergence of novel factorisation attacks (or the use
> of standard factorisation attacks on too-short keys) as long as no-one
> bothered trying to attack the public-key-hiding itself.

Point taken. I'm being too grumpy. 

I think this is a brilliant result because it gives us a "see, see" reference to give to people.

I'm big on sneering at proofs of security because they often do not relate to real security in the real world in ways that upset me (a guy whose degree is in mathematical logic) to my core. If you want the same sort of rigor that math has, security is useless.

On the other hand, and Hal Finney drove this home to me many times, they do tell you what sort of things you can ignore. 

This one is great because of the way it slaps intuition around.

>> If you believe that the only attack against RSA is factoring the modulus,
>> then you can be seduced into thinking that hiding the modulus makes the
>> attacker's job harder. 
> Yup, and that was the flaw in the reasoning behind the keep-the-public-key-
> secret system.  So this is a nice textbook illustration of why not to use crypto
> in novel ways based purely on intuition.

There are all sorts of things people do based on an intuition. Hell, I've done them. Sometimes they just present themselves. If I had a protocol that didn't expose public keys (suppose they're all wrapped in a secure transfer), I might point out that hey, this system has hidden RSA keys. But this points out that unless there is a lot of extra work you do, you didn't do squat. It also suggests that the conservative engineering approach, which is to say that unless you can characterize added security it's just fluff, has new backing in fact.
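An added worked example of the point above (written for this page, not code from the thread or from either poster): with textbook RSA and a small, known public exponent, a few observed message/signature pairs give away the "hidden" modulus through a gcd, and the same computation fails when the exponent is guessed wrong, matching the remark that the attack does not work against a long or secret exponent. The thread does not spell out the recovery method; the gcd trick here is the standard one, and the primes, exponent and messages are constructed toys.

```python
# Added example, not from the thread: keeping the RSA modulus N secret adds
# nothing when the public exponent e is small and known. Textbook RSA on
# constructed toy primes, no padding. Each signature pair (m, s) satisfies
# s^e = m (mod N), so s^e - m is a multiple of the supposedly hidden N.
from math import gcd

# Constructed toy primes: far too small for real use, chosen to run instantly.
P, Q = 1000000007, 998244353
E = 3  # small public exponent, assumed known to the observer


def make_key(p=P, q=Q, e=E):
    """Return (n, d) for textbook RSA with the given primes and exponent."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return n, d


def sign(m, n, d):
    """Textbook RSA signature of an integer message m < n."""
    return pow(m, d, n)


def recover_modulus(pairs, e, small_bound=1000):
    """Recover N from (message, signature) pairs, given the public exponent e.

    Returns N, or None if the candidate does not verify every pair
    (for instance because e was guessed wrong).
    """
    g = 0
    for m, s in pairs:
        g = gcd(g, s ** e - m)  # each term is k_i * N; the gcd strips most k_i
    # Strip leftover small cofactors; a real modulus has no factors this small.
    for k in range(2, small_bound):
        while g % k == 0:
            g //= k
    if g > 1 and all(pow(s, e, g) == m for m, s in pairs):
        return g
    return None


def demo():
    """Return (true N, N recovered with the right e, result with a wrong e)."""
    n, d = make_key()
    msgs = [123456789, 987654321, 555555555]  # constructed sample messages
    observed = [(m, sign(m, n, d)) for m in msgs]  # all an observer ever sees
    return n, recover_modulus(observed, E), recover_modulus(observed, 5)


if __name__ == "__main__":
    n, recovered, wrong_e = demo()
    print("hidden N:    ", n)
    print("recovered N: ", recovered)  # same value: hiding N bought nothing
    print("with e=5:    ", wrong_e)    # None: a secret exponent blocks the trick
```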

