[cryptography] Compositing Ciphers?

Nico Williams nico at cryptonector.com
Sat Sep 7 03:50:23 EDT 2013


We have a purely (now mostly) all-symmetric key protocol: Needham-Schroeder
-- Kerberos.  Guess what: it doesn't scale, not without a strong dose of PK
(and other things).  Worse, its trusted third parties can do more than
MITM/impersonate you like PKI's: they get to see your session keys (unless
you add PFS, of course).  For PFS you need asymmetric crypto.  To scale you
need asymmetric crypto *and* trusted third parties.  To communicate at all
you need peers to communicate with, peers who can turn on you, or just
plain screw up, or get conned.  Square #1, how well we know thee.
Symmetric-only crypto isn't the answer, and evidently neither is PK
crypto.  With or without crypto, our problems are human problems.

A combination of PK and symmetric crypto is the best we can do in a
classical world, and transitive trust is the only way to scale to billions
(or even just a few tens of thousands) of people.  All of which means that
there will always be some degree of insecurity, as it always was before the
modern era, and as it has to be.  Because we have free will.  I don't know
what a post-quantum number factoring world will look like... a bit bleak I
guess, at least for a while, but hardly much bleaker than much of the past
one hundred years.

BTW, if it's the PRISMs that animate you: that is the land of politics;
and crypto is not the answer you seek, it's just a tool.  A tool that
might play a bi[tg] part in debates and their outcomes, but still, just a
tool, not a panacea.

[In theory Kerberos with hierarchical and web of trust could scale.  No
one has attempted to scale it past a few .EDUs and a few .MILs.  With
PKINIT and PKCROSS -- bridges to PK[I] -- and "trust routing" it could
scale, and it'd then have roughly the properties PKI could have / should
have had with OCSP done right (i.e., stapled, and from the get-go).
Kerberos still has a long life ahead of it in corporate and university
networks, I'm fairly certain of that.  But without PK it can't scale to
Internet scale.  I don't think any other all-symmetric key cryptographic
protocols can do better than Needham-Schroeder.]

Nico
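
The trusted-third-party property the message describes, shown as an added worked example that is not part of the original post: a Needham-Schroeder / Kerberos-style KDC necessarily knows every session key it issues, so it can passively read the traffic; bolting an ephemeral Diffie-Hellman exchange on top (the "PFS needs asymmetric crypto" point) gives the peers a traffic key the KDC never learns. The symmetric cipher (an HMAC-SHA256 keystream with no authentication tag), the 127-bit DH group and the principal names are toy constructions for illustration only. Note what the example does not claim: a TTP that holds the session key can still actively impersonate a peer during the DH exchange, exactly as the post says TTPs can MITM; PFS here only removes passive reading and later disclosure.

```python
import hashlib
import hmac
import secrets

# --- Toy symmetric primitives (illustrative; not a production cipher) ------

def kdf(key: bytes, label: bytes) -> bytes:
    """Derive a 32-byte subkey from key and a context label."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream, XORed over data."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block_no.to_bytes(4, "big"),
                      hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)           # fresh nonce per message
    return nonce + _xor_stream(key, nonce, plaintext)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:16], blob[16:])

# --- Toy Diffie-Hellman group (2**127 - 1 is prime, but far too small) -----
P = 2**127 - 1
G = 5

def dh_public(priv: int) -> int:
    return pow(G, priv, P)

def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(16, "big")

# --- Needham-Schroeder / Kerberos-style KDC -------------------------------

class KDC:
    """Trusted third party sharing a long-term key with every principal.
    Each principal holds the same key the KDC stores for it (assumed)."""
    def __init__(self):
        self.longterm = {"alice": secrets.token_bytes(32),
                         "bob": secrets.token_bytes(32)}
        self.issued = []    # session keys the KDC has necessarily seen

    def issue(self, client: str, server: str):
        k_session = secrets.token_bytes(32)
        self.issued.append(k_session)
        for_client = encrypt(self.longterm[client], k_session + server.encode())
        ticket = encrypt(self.longterm[server], k_session + client.encode())
        return for_client, ticket

def _obtain_keys(kdc: KDC):
    """Alice and Bob each recover the KDC-issued session key."""
    for_client, ticket = kdc.issue("alice", "bob")
    k_alice = decrypt(kdc.longterm["alice"], for_client)[:32]
    k_bob = decrypt(kdc.longterm["bob"], ticket)[:32]
    return k_alice, k_bob

def session_without_pfs(kdc: KDC, msg: bytes):
    """Traffic protected directly under the KDC-issued key."""
    k_alice, k_bob = _obtain_keys(kdc)
    wire = encrypt(k_alice, msg)
    bob_sees = decrypt(k_bob, wire)
    kdc_sees = decrypt(kdc.issued[-1], wire)   # passive read by the TTP
    return bob_sees, kdc_sees

def session_with_pfs(kdc: KDC, msg: bytes):
    """Ephemeral DH, authenticated by MACs under the KDC-issued key."""
    k_alice, k_bob = _obtain_keys(kdc)
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    a_pub, b_pub = dh_public(x), dh_public(y)
    a_msg, b_msg = a_pub.to_bytes(16, "big"), b_pub.to_bytes(16, "big")
    tag_a = hmac.new(k_alice, a_msg, hashlib.sha256).digest()
    tag_b = hmac.new(k_bob, b_msg, hashlib.sha256).digest()
    if not hmac.compare_digest(tag_a, hmac.new(k_bob, a_msg, hashlib.sha256).digest()):
        raise ValueError("Bob rejects Alice's DH share")
    if not hmac.compare_digest(tag_b, hmac.new(k_alice, b_msg, hashlib.sha256).digest()):
        raise ValueError("Alice rejects Bob's DH share")
    k_traffic_alice = kdf(dh_shared(x, b_pub), b"traffic")
    k_traffic_bob = kdf(dh_shared(y, a_pub), b"traffic")
    del x, y                                   # ephemerals are discarded
    wire = encrypt(k_traffic_alice, msg)
    bob_sees = decrypt(k_traffic_bob, wire)
    # The KDC knows k_session and saw a_pub/b_pub, but not x or y, so its
    # best passive attempt is the KDC-issued key, which yields garbage.
    kdc_sees = decrypt(kdc.issued[-1], wire)
    return bob_sees, kdc_sees

if __name__ == "__main__":
    kdc = KDC()
    print("plain:", session_without_pfs(kdc, b"hello bob"))
    print("pfs:  ", session_with_pfs(kdc, b"hello bob"))
```

Running it shows the KDC's passive decryption succeeding in the first session and producing noise in the second, while Bob recovers the message in both. The post's scaling remark also applies here: every new principal still needs a long-term key registered with the KDC, which the DH layer does nothing to change.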