[tptacek]

Argh.

First, RSA is about factoring composites.

Second, factoring those composites at popular key sizes isn't impossible.

Third, public-key algorithms are much harder to get right; they involve direct mathematical operations on plaintexts and devolve to well-studied math problems much more readily than symmetric ciphers do.

You should absolutely avoid public-key crypto, including public-key key agreement schemes like Diffie-Hellman, if your needs don't absolutely require them.

[betterunix]

You left out speed. The reason we do not use PKE exclusively is that we do not want to wait a week to encrypt a megabyte of plaintext. In fact, it is not so much that PKE is what is slow; rather it is that theoretical constructions, which are the only thing we have for PKE but which also exist for symmetric ciphers, hash functions, etc. are slow.

Also, while PKE is sensitive to implementation issues and parameter choices, you can have much higher assurance that there are no theoretical weaknesses than you can have with something like AES. With PKE you usually have a proof that the security of the system depends on the hardness of one problem, regardless of the specific attack strategy the adversary uses. We do not say that ElGamal is secure against chosen plaintext attacks because we ran a battery of tests designed to detect vulnerabilities to particular CPA strategies; we say it is secure because we can prove that any CPA attack on ElGamal can be used to solve the DLOG problem, and so we only really have to worry about the lower bound on solutions to one problem. With something like AES we only test for certain attack strategies and a few general heuristics that suggest a block cipher is secure.

This is not to say that AES is not secure, nor that PKE is a magic bullet.

[tsahyt]

Besides, symmetric schemes tend to perform better. Hence the idea of using a public-key scheme like DH for key exchange and then switch to symmetric crypto like AES.

Always avoiding public-key isn't really possible unless you have some sort of secure channel to agree on a key for some communication. But then again, if you have that channel, you might just as well communicate through that.

When encrypting files locally though, there is absolutely no reason I can think of to use public-key cryptography.

[dllthomas]

> When encrypting files locally though, there is absolutely no reason I can think of to use public-key cryptography.

So that you don't lose your decryption key just because your computer was encrypting when it was seized?

Of course, if the weaknesses are sufficient, then that's irrelevant, but it's certainly "a reason".

[anoncowherd]

> You should absolutely avoid public-key crypto, including public-key key agreement schemes like Diffie-Hellman, if your needs don't absolutely require them.

Is there an alternative to public-key crypto? We all need to do stuff online.

[tptacek]

Sure there is: pre-shared keys, exchanged out-of-band.

[strlen]

This works if physical contact is available and parties are trusted (even the weakest literal reading of fourth amendment says "right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures," -- exchanging a key token counts as such).

Yet what of basic online communications where key-exchange is necessary and where we have very little say about the protocols involved?

[anoncowherd]

You probably know what I was getting at. Public-key crypto is very important in today's world. If we can't use the current system, we need something to replace it. Pre-shared keys is for a different scenario.

[tptacek]

You are missing both Schneier's point and mine. The point is that if you can contrive of a way to (perhaps inconveniently) pre-share static keys, you should consider doing that instead of relying on number theory to protect your secrets.

[anoncowherd]

> The point is that if you can contrive of a way to (perhaps inconveniently) pre-share static keys, you should consider doing that instead of relying on number theory to protect your secrets.

No I got that just fine. As you know, I'm suggesting that not using public-key crypto or something else for the same purpose is impractical.

[glurgh]

Nerdnit, but it's not like AES is based on some wholesome certified organic granola theory to the exclusion of number theory. Number theory didn't wait around 2+ millennia to be useful only to be dissed like that, man!

[lacksconfidence]

and you are conveniently missing his point. If we were to throw away public key technology today and say 'Only pre-shared keys' some significant portion of the internet would simply be unencrypted. What do we do about that?

[mullingitover]

We could all start swapping 1TB drives full of random noise. One-time pads are mathematically proven to be unbreakable if implemented correctly.

[vidarh]

> We could all start swapping 1TB drives full of random noise.

This is "sort-of" what I've come to think Miranda was facilitating for Greenwald - it makes little sense that the purpose was for him to mainly carry documents, as while the documents would be more secure if he was not stopped vs. transferring them via the internet, they would have had to consider the possibility that he might be.

But if you pass along a lot of random data, then if it never leaves your possesion, you can be reasonably sure that that data can be safely used as a source for one time pads or keys. If it gets intercepted, then so what? You just ignore that batch of data even if it is handed back to you.

[dllthomas]

This would be doubly interesting, as it would mean the key he was carrying for the one file would be a smoke screen of sorts.

Of course, with UK law saying they can detain you indefinitely until you hand over your keys if they think a file is encrypted, that might not be a good move... though obviously in retrospect they didn't make use of that here.

[eruditely]

Is PGP included as an insecure standard as you mention? It used a combination, so is it safe?