Trustworthy contacts

David Howe ukcrypto at maillist.ox.ac.uk
Thu, 14 Sep 2000 14:17:58 +0100


Owen Lewis <oml@eloka.demon.co.uk> wrote:
> Interesting. Certainly one is never in a hierarchical relationship with
> customers. Yet PKI offers little of especial for some such relationships.
It solves the hard Key Distribution problem - if you wish to communicate
securely with a customer, having to courier keymat (at your expense) to that
customer before you can set up the link is prohibitively expensive;
exchanging (or better yet, negotiating) a key using PK is cheap and
effective.

> All one's customers need to communicate securely to one as the provider of a
> confidential service; they *never* need to communicate securely with each
> other.
  That presumes you exist in a vacuum - that each customer is content to
trust your specialised software to run on their machine, is happy to have
one package per supplier with a different interface for each one, and won't
complain about transferring data between different packages.
  By contrast, each customer will be the customer of more than one company,
and may in fact BE a supplier to other customers further down the chain or
for different fields. It makes more sense in many ways for you to use a
system that allows each node to be both supplier and customer, even if the
ability to be a supplier is never tested.

> One needs to hold discrete keys for all one's customers. They only
> need to hold the one key to communicate to you. If they lose or mismanage
> that key, they can only compromise the security/integrity of information of
> importance to them.
However, if they lose or mismanage a PK encryption key, they compromise
nothing - and if they mismanage their decryption key, they reveal only half
of the traffic. Your point was?

> Use ephemeral keys and the damage is (should be) very
> limited, even if the compromise is at the communications hub. The 'supplier'
> provides the cipher system and seed keys to those that need them. After
> seeding, the cryptosecurity is entirely transparent to the users unless the
> link ever needs re-seeding. Seeding and re-seeding can only be initiated
> from the hub and then only with authorisation.
I fail to see why using ephemeral keys would grant Symmetric encryption any
great favour. Unless the keys are from a seeded PRNG (with the inevitable
sync problems and analysis risks) you will have to negotiate the keys
somehow.  Almost everyone can see the advantages of a hybrid approach
(ephemeral key negotiation or true-random generation, with ephemeral key
transfer protected by an outer wrapper) but that doesn't grant any
advantages to symmetric encryption for the wrapper.

> I think there is a distinction between, on the one hand, securing the
> transfer of monetary value and assuring identity and, on the other hand, a
> continual flow of confidential information between trading partners. PKI has
> advantages for the former, especially in the b-to-r sector. They do not
> offer the same unique advantages in the latter case.
I can't see a difference with this (particularly from the Hybrid approach).
Yes, for established partners, you can spare the time to manually transfer
the seed, symmetric key, PK key or other required keying data in a secure
manner - but I can't see how using a symmetric key or seeded PRNG which MUST
be protected at all costs is better than a PK decryption key which must be
similarly protected - and I can see why PK would mean any given decryption key
would only have to be protected at ONE END of the link, and limited to a
single key per node in a mixed supplier / purchaser network, regardless of
the number and direction of the channels in that network.
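The key-protection argument above (one secret per node, protected at one end only, versus a shared key held at both ends of every link) can be checked on a small model. This is an added example, not part of the original post; the network of suppliers and customers is constructed, and the two models are deliberately simplified to what the argument needs.

```python
# Model of secret-key exposure in a mixed supplier/customer network.
# Constructed example: directed channels (sender, receiver); a node may be
# a supplier on one channel and a customer on another.
CHANNELS = [
    ("Acme", "Bolt"), ("Acme", "Cog"), ("Bolt", "Cog"),
    ("Cog", "Acme"), ("Bolt", "Dent"), ("Dent", "Acme"),
]


def nodes(channels):
    return sorted({n for ch in channels for n in ch})


def symmetric_secrets(channels):
    """Pairwise symmetric model: one shared key per communicating pair,
    held (and therefore protected) at both ends of the link."""
    secrets = {}
    for a, b in channels:
        pair = frozenset((a, b))
        for n in pair:
            secrets.setdefault(n, set()).add(pair)
    return secrets


def pk_secrets(channels):
    """Public-key model: each node protects exactly one decryption key.
    Encryption (public) keys are not secrets and are not counted."""
    return {n: {("decrypt", n)} for n in nodes(channels)}


def protected_secret_copies(channels, model):
    """Total number of secret-key copies the whole network must guard."""
    secrets = symmetric_secrets(channels) if model == "symmetric" else pk_secrets(channels)
    return sum(len(s) for s in secrets.values())


def exposed_by_compromise(channels, node, model):
    """Channels whose traffic becomes readable if `node`'s secret store leaks.
    Symmetric: both directions of every link the node is on.
    PK: only traffic addressed to the node (the inbound half)."""
    if model == "symmetric":
        return {ch for ch in channels if node in ch}
    if model == "pk":
        return {ch for ch in channels if ch[1] == node}
    raise ValueError(f"unknown model {model!r}")


if __name__ == "__main__":
    for model in ("symmetric", "pk"):
        print(model, protected_secret_copies(CHANNELS, model),
              sorted(exposed_by_compromise(CHANNELS, "Acme", model)))
```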