5

Something very simple: most of us communicate most of the time with people we already know. Alice and Bob probably have physical contact, too. Yes, there are cases when whistle-blowers want to contact journalists for the first time, but that’s not the problem situation for most of us.

Symmetric encryption therefore is appropriate and simpler than asymmetric – one key instead of four for Alice and Bob. But how do you share the secret key? You tell them in person, read it over the phone, use a One Time Secret or Diffie-Hellman.

Have I missed something? Or is encryption (to protect stuff in transit) just really easy?

Rory Alsop
Peter
  • Do not confuse protecting stuff in transit with end-to-end encryption. TLS/HTTPS protects stuff in transit, but messages are stored *en clair* on the mail provider's servers. The *only* encryption that's (mostly) safe from snooping is that which is applied before a message leaves the sender's machine and reversed only on the recipient's machine. The *only* safe crypto key is one you have generated yourself. – Bob Brown Dec 17 '14 at 12:39
  • 3
    Isn't the asymmetric encryption mainly used to transmit a temp key for symmetric encryption? Also, do you think you can accurately read/write 4,000 1's and 0's? – Lawtonfogle Dec 17 '14 at 16:30
  • 3
    Both symmetric and asymmetric encryption have their use cases. Moreover, asymmetric encryption in most practical senses relies on symmetric encryption, because encrypting asymmetrically anything bigger than a symmetric encryption key is too slow. So yes, when symmetric encryption is appropriate, by all means use it. Otherwise there is the asymmetric encryption option when you need it. (There are a few examples of why one might want it in the answers.) – Andrew Savinykh Dec 17 '14 at 21:45
  • 3
    Do *not* read the secret key over the phone. Your phone is most likely not secure. – PiTheNumber Dec 18 '14 at 08:06
  • @PiTheNumber especially when it was a gift from Eve :) – Mirco Dec 18 '14 at 08:54
  • @BobBrown I am talking about end-to-end encryption. The system I use is this: http://prgomez.com/ursa/ – Peter Dec 18 '14 at 09:50
  • @Lawtonfogle It is possible to have 80+ bits of entropy using 16 single case alphanumeric passphrase characters. – Peter Dec 18 '14 at 09:54
  • @PiTheNumber Most of us are not specifically targeted for surveillance. The purpose of encrypting email is usually so that it can’t be snooped while in transit and that the contents of our messages aren’t stored by Google, etc. – Peter Dec 18 '14 at 10:08
  • 2
    @Peter Sorry to wake you up, but we all are specifically targeted for surveillance. Google "Full Take". Today's surveillance targets everybody, everywhere, at any time. But you are right, you cannot protect yourself from that kind of attacker. I was not talking about "them". GSM is broken, DECT is broken, land lines are not encrypted, so why would you think your phone call is secure? Everybody can listen to your calls if he likes to. – PiTheNumber Dec 18 '14 at 12:44
  • 1
    So ~800 characters over the phone? Still very unpleasant. – Lawtonfogle Dec 18 '14 at 14:28
  • @Lawtonfogle Determined by dice fk5r qzf6 0kwp k8ym and over 82 bits of entropy. Easy to read over the phone. – Peter Dec 18 '14 at 14:42
  • @Peter So you would trust your encryption to 82 bits? Also note that even while computers get faster, it doesn't get easier to exchange this information with someone else. Since the ability to break the encryption scales faster than the ability to increase encryption strength, this method will only get weaker. – Lawtonfogle Dec 18 '14 at 16:31
  • @PiTheNumber It's a bit ironic to tell someone to *Google* material relating to online privacy concerns, don't you think? – Superbest Dec 18 '14 at 23:10
  • @Lawtonfogle According to Wikipedia http://en.wikipedia.org/wiki/Password_strength a 72 bit password takes some 124 years to crack, so 82,72 bits seems safe enough for some time to come. And I don’t think breaking the encryption in my emails is at the top of the NSA’s list of priorities. – Peter Dec 19 '14 at 10:06

10 Answers

32

If you talk to 1000 persons and use pre-shared symmetric keys, then you have to remember 1000 secret keys. Secret key storage can be hard. With asymmetric encryption you just have to remember only public keys, and that is easy because public keys are public, so they can be "remembered" by being published somewhere, where everybody can see them.

Moreover, you talk to machines more often than you talk to persons. In particular every time you visit an "https://" Web site. How would you, precisely, read a key over the phone with a server? It is a machine; it has no voice that you would recognize.

Thomas Pornin
  • I’m only talking about person-to-person email. Don’t need encrypted email with 1000 people – under 20 people. Saving keys is easy in an encrypted text file. (1000 private keys would not actually be a problem) We can “delete” (i.e. render unreadable to everyone) old messages by deleting the keys and agreeing new ones with the correspondent. – Peter Dec 17 '14 at 12:09
  • 21
    @Peter Then I'd suggest that you've restricted yourself to a particularly trivial use case and the solution proposed is not generally applicable beyond that use case. So, you've solved a problem that doesn't exist in practice. – Xander Dec 17 '14 at 19:50
  • 2
    @Xander Person-to-person messages are a fairly important use case, and this would work for any kind of person-to-person message. The main issue isn't that it doesn't work for human-to-machine communication, it's that you have to have different keys for everybody. – cpast Dec 18 '14 at 00:27
  • @Xander For me my person-to-person email is not trivial, and I guess many others feel the same about their email correspondence. What I need to communicate with my non-technologically minded correspondents is a simple system of encryption which we can all understand. – Peter Dec 18 '14 at 10:21
  • @Peter: "simple system of encryption which we can all understand" You will have to tell us which system fulfills this criterion - do you think that, for example, [Triple DES](http://en.wikipedia.org/wiki/Triple_DES), which *is* a symmetric algorithm, fulfills it? – Jean Hominal Dec 18 '14 at 14:46
  • @JeanHominal This is the best I have found to date: http://prgomez.com/ursa/ – Peter Dec 18 '14 at 14:53
  • 1
    @Peter: As far as I see, the site you linked is asymmetric encryption - Alice creates a key pair and sends the public part to people who wish to send him messages, and Bob uses the public key to create messages that only Alice can decrypt. So, it appears that asymmetric encryption can be made simple enough for your purpose. – Jean Hominal Dec 18 '14 at 14:58
  • @JeanHominal The site can do both. But my experiments with several people have shown me that non-technical people can’t handle asymmetric encryption, and even getting them to use symmetric encryption properly is a struggle. (I had to give up on having people use Diffie-Hellman to devise a symmetric key and look for other semi-safe methods of sharing the key – hence my discovery of onetimesecret.) – Peter Dec 19 '14 at 09:37
26

I think you're underestimating the value of contacting someone you've never talked to before, and you're overestimating the complexity of a public-key system.

Any time you want to contact someone new using symmetric encryption, you have to "tell them [the shared key] in person, read it over the phone, use One Time Secret," etc. You have to contact the person over the phone or in person before you can contact them online, which seems to put a serious dent in the utility of encrypted communication. For public key crypto, the keys can be published online in a public repository (or, even better, many online repositories), eliminating this disadvantage. (Analogously, consider a world where it's impossible to build a public telephone book or pass along a phone number to a friend: in order to call someone, you must first meet them in person to add them to your private phone book.)

Note that, when using public key crypto, in order to link a key to a personal identity, you still need out-of-band communication (e.g., key signing parties), but the major advantage is that you can build a public web of trust. If Alice wants to send a message to Bob, she can inspect the work for dozens of others who have already met Bob in person. There is no need for her to call Bob on the phone before emailing, because she has access to his public key and access to many public cryptographic attestations of the validity of the { key, identity } pairing she found for Bob. (Hopefully some of these attestations come from someone she trusts, or someone who is trusted by someone she trusts.)

You say that:

Symmetric encryption therefore is... simpler than asymmetric – one key instead of four for Alice and Bob.

But the number of actual keys is not strictly relevant: we should instead consider the number of keys needed by each party. Each party in public-key crypto has to manage

  1. their own private key,
  2. their own public key, and
  3. one public key for each person they want to contact.

Suppose there are n people who communicate with one another. In your imagined symmetric system, the number of keys held by each party is n-1 (one key for each other person). In an asymmetric system, the number of keys held by each party is (n-1)+2 => n+1 (one key for each other person, plus your own keypair). Assuming a large number of participants n, that's not a significant difference at all. (In amortized terms, they're both O(n).)

apsillers
12

The problem that asymmetric encryption solves is that it retains control over who can and can't sign/encrypt messages.

Suppose you have a symmetric key K. Alice, Bob, and Eve share this key K so that they can all trade encrypted messages. However, Eve gives a copy of K to Mallory (who has malicious intent) without telling anyone. Now the entire network has been compromised, and Mallory can send and read messages as any other member.

If instead, Alice, Bob, and Eve each had their own private keys A, B and E respectively (with public keys A+, B+ and E+), then when Mallory gets hold of E, all she can do is read messages intended for Eve, and send messages that look like Eve encrypted them. We go from a situation in which Eve has compromised the entire network, to a situation where Eve's poor choice only affects messages to/from her.

If you could completely trust all people, then symmetric cryptography would be enough. However, if you could completely trust all people, then you'd be able to send plaintext. ;)

Ryan Kennedy
  • You are right, and in practice your argument is relevant to where symmetric encryption is being used by a political group (e.g. peace activists), and the group contains a police informer. So far for me it is a case of one correspondent, one key. But I can see that problems would arise for a group email. – Peter Dec 18 '14 at 10:40
  • 1
    This is a strawman of the symmetric system. Alice and Bob could have key K1, Bob and Eve could have key K2, Alice and Eve can have key K3. Then if Mallory gets K3, she can still only intercept Alice/Eve communication, nothing else. Group messages can be handled by sending copies encrypted separately. Proving identity of sender is a separate matter entirely from encryption of the text. – Superbest Dec 18 '14 at 23:21
  • Whoops, you're completely right. However, then you have to keep track of _n_ private keys instead of (_n_-1) public keys and 1 private. @ThomasPornin's answer properly explains this; it deserves the upvotes that my answer got. – Ryan Kennedy Dec 19 '14 at 00:26
4

First of all, encryption is made in a way that everyone can use it, and just because you don't need the advantages of private/public key methods doesn't mean it is like this for anyone else. Imagine a person in a country with strong surveillance - he won't be able to get a symmetric key in a safe way, but getting a public key is no problem because everyone is allowed to see it.

Another big benefit of asymmetric encryption is that (in most cases) you can additionally sign your own texts, so you can prove that the message is really from you and it has not been altered on its way through the internet.

Additional Information

A webservice (onetimesecret for example) is never a good idea to use. You don't really know what is happening with your data, you don't know if it is really safe and I would guess if an agency wanted to look at your 'secret' they wouldn't have too much trouble doing so.

Tokk
  • Especially noteworthy for questioning the web service. Sure, today, you may trust them (I wouldn't). But if they're not your web service, how would you know if they've been compromised? – Smithers Dec 17 '14 at 19:01
  • @Tokk I am not saying that there are not cases where asymmetric encryption is not the better alternative, but merely that there are cases when it is not. I live in a state where the police are heavy-handed and intrusive, but the political system is far from totalitarian. (BTW Where life and death is at stake, I wouldn’t trust onetimesecret either, but unless you are personally being targeted by security services, it will do.) – Peter Dec 18 '14 at 10:48
  • Creating a public key is easy. Exchanging them securely is not. Even though a public key isn't meant to be a secret, if you send the public key over an insecure channel, you will have no assurance that your adversary didn't just catch the public key in transit and replace it with their own. – Lie Ryan Dec 19 '14 at 00:46
2

A couple of things make it obvious that you don't understand the subject deeply. First and foremost, the JavaScript library you mention implements RSA, which is asymmetric encryption. Diffie-Hellman is a key sharing scheme that uses asymmetric encryption to share a secret key which is then used for symmetric encryption. You're not avoiding asymmetric encryption with either of those suggestions.

Generally speaking, asymmetric encryption is ill suited to "messages" in the way we, as users, think of messages. First of all, it's strictly size-limited. You can never safely transmit a message over the size allowed by the encryption scheme, where a symmetric cipher allows messages of arbitrary length. Typically, you will use asymmetric encryption as a method to verify identity and as a means of key exchange with a new contact, and it's far better suited to these roles than symmetric encryption is.

Ultimately, a fully functional secure communication system will use asymmetric encryption in concert with symmetric encryption, each to their strengths. One assumes that your issue here is brought up by a minimal understanding of a system like PGP, and the fact that it incorporates asymmetric encryption for protecting email communications. But, if you look closely at the diagram on the Wikipedia page, you can see that it's only using public key crypto to encrypt a private key which is used to symmetrically encrypt/decrypt the email message.

Jason
  • You are absolutely right: I don’t understand the subject deeply. That’s why I am trying to provoke a response from people here so I can learn. And others can too by reading this page. – Peter Dec 18 '14 at 11:00
2

A very fun fact is: when using an Asymmetric encryption based system, you are mostly using Symmetric encryption! (It's not mandatory of course, but it would be useless without Symmetric encryption because it is slow and not as secure (...).)

==> The Asymmetric part is just used to exchange the Symmetric key!

So, if you have no problems exchanging the key:

  • Per person/computer (and you trust that the person is the one she's pretending to be, and the way you do it is secure, ... and other stuff already explained)
  • Few hundred random characters long key --> Excessively important (You wouldn't dare use an easily brute-forceable key, would you?)
  • Different key each time --> Very important also ... (you never know ;)

Then, if those are not a problem, then sure, it's exactly the same to use only Symmetric encryption... (and if it is a problem then you'll have your answer on "why are we using Asymmetric?" ;)

Edit: Actually it's not exactly the same (as mentioned in comments). For example, in a conversation between Alice and Bob, you'll have no proof (in a courtroom) of who wrote the message (was it Alice or Bob?).

Nabodix
  • Actually, it's not _quite_ the same. As mentioned by another answer, digital signature is impossible with symmetric encryption. All digital signature schemes rely on asymmetric encryption since, by definition, symmetric encryption requires that anyone who can decrypt the message can also encrypt it. Asymmetric encryption, on the other hand, ensures that a message decrypted with a given public key could only possibly have been encrypted by someone in possession of the private key. – reirab Dec 18 '14 at 16:56
  • Good point! I've not mentioned it because digital signature doesn't seem to be the concern. And, besides, if we have *one* key per each different communication/email/... (and all secure conditions are fulfilled, which is **not** easy) we can be pretty confident of who wrote the message. – Nabodix Dec 18 '14 at 17:17
  • You can, but you can't, for example, prove in a court of law that the other person sent it as opposed to you creating it yourself (since you obviously have to also have the key.) In other words, non-repudiation can't be supplied by symmetric key encryption. – reirab Dec 18 '14 at 17:23
  • 1
    You got me. It's not *quite* the same indeed. (I'm editing my answer accordingly right away ;) Thx! – Nabodix Dec 18 '14 at 17:53
1

Messages themselves are protected with symmetric key encryption, but the key is shared using asymmetric encryption. The JavaScript library you cited implements RSA. It, like DH, is an asymmetric key encryption algorithm that is just used to establish a single shared key for protecting the message or session.

Here's why asymmetric key encryption is valuable:

1: I don't need to talk to you out-of-band before I talk to you securely
1a: Think of the hundreds or thousands of web domains you access daily, and imagine if you had to phone each one (overseas long-distance rates apply) and read off long strings of numbers and letters and hope you don't balls-up the transcription
2: If a key is compromised, I have to call the person or persons who have access to it and read them the new key
3: Who is vouching for me? How do you know I am legit? With PKI, you have a hierarchy of trust. Someone says I am who I claim to be and that I am not malicious, and is staking their reputation on it
4: How do I prove the message has not been changed in-transit? I can't sign it in a way that proves it
5: If I am a website with a million customers, do I REALLY want to store and track a million private keys? What if interacting with me is anonymous? How do I determine which private key to use?
6: C'mon, don't assume crypto is easy. RSA and DH and ECDH came about because it is really hard, and these take it from sucking to being manageable.

And for the person who will be offended from my tone, I am on leave and don't care

DTK
0

Other answers have already covered the important specifics of why various encryption approaches have value, but ultimately, the answer to the question asked:

"Why not use symmetric encryption (for email with a known party)?"

is that one size does not fit all. The choice of encryption methods, ciphers and algorithms all depends on the threat model you wish to protect against. Symmetric encryption is very useful for what it does, but misusing it will negate any protection it could offer.

Why is Alice encrypting information to Bob? Who doesn't she want to read it? (Confidentiality) Does she want to prove it was she who sent it? (Authenticity) Does she care if only Bob gets to read it, or is it ok if Bob gives the key to someone else? How about the admin of Bob's machine for storage of the data at rest?

JesseM
0

You're missing the property called forward secrecy.

In a private system, I share a key with Alice. Suppose Alice is raided by the Stasi and they seize a computer which has the key. They can then use that key to decrypt all the messages we have ever exchanged!

In a public key system, I can give a key to Alice and that enables her to create encrypted messages that nobody other than me can read. Including Alice, and whoever seizes Alice's computer. Usually this involves a per-session symmetric key and is called "perfect forward secrecy".

pjc50
  • One way of simply bringing about perfect “forward security” is to include a new 80+ bit passphrase at the end of a sensitive email. Both parties destroy the old passphrase – i.e. physically destroy the piece of paper with it on which is kept nowhere near the computer. – Peter Dec 18 '14 at 10:56
  • .. which would mean that cracking the first message in the chain would give you all of them, and losing a message would be inconvenient. And it can't be automated so it will be very rarely used. – pjc50 Dec 18 '14 at 11:10
  • @Peter Do you have any idea how difficult it is to selectively [securely erase information from computer storage media](http://security.stackexchange.com/q/5749/2138) ([also this](http://security.stackexchange.com/q/36721/2138))? SSDs are worse than HDDs in this regard, but HDDs aren't necessarily trivial either, against a determined adversary. Note that *complete* erasure is easier, but still not necessarily trivial (an ATA Secure Erase command or equivalent followed by dropping the device into a bucket full of highly corrosive acid is likely to get you reasonably close). – user Dec 19 '14 at 08:52
  • @MichaelKjörling I’m an amateur at this, but the password is in handwriting on paper and only interacts with the computer when it is copied into a downloaded copy of the HTML JavaScript file (http://prgomez.com/ursa/) on the browser, so encryption/decryption can be performed. I could go offline and boot Ubuntu from a CD, but that’s over the top? – Peter Dec 19 '14 at 09:21
  • You typed it into the computer, which is entitled to (but might or might not) write the page to its swap file. There are APIs for "do not swap this page", but they aren't available from Javascript. Also you're vulnerable to EM and acoustic snooping on the keyboard. As usual it's all about the threat model .. – pjc50 Dec 19 '14 at 10:14
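Forward secrecy as pjc50 describes it, as an added Go example that is not from the thread: a static DH key is the same every session and is recoverable from a seized long-term key, while a per-session ephemeral X25519 exchange leaves nothing behind that can regenerate the key. The `kdf` helper, the `Party` type and the function names are assumptions of this example; authentication of the ephemeral keys is deliberately left out.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// kdf stands in for a proper KDF (HKDF in real protocols): it turns a raw X25519
// shared secret into a 256-bit message key. This simplification is mine.
func kdf(shared []byte) [32]byte { return sha256.Sum256(shared) }

// Party holds only a long-term identity key, which is exactly what a raid on the
// machine (the Stasi scenario in the answer) would seize.
type Party struct{ identity *ecdh.PrivateKey }

func NewParty() (*Party, error) {
	id, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{identity: id}, nil
}

// Public is the long-term public key; it can be published anywhere.
func (p *Party) Public() *ecdh.PublicKey { return p.identity.PublicKey() }

// StaticKey models the "one key for all time" design: static-static DH yields the
// same key every session, and anyone who later seizes either identity private key
// recomputes it and reads every past message.
func StaticKey(me *Party, peer *ecdh.PublicKey) ([32]byte, error) {
	shared, err := me.identity.ECDH(peer)
	if err != nil {
		return [32]byte{}, err
	}
	return kdf(shared), nil
}

// EphemeralSession runs one ephemeral-ephemeral X25519 exchange and returns the
// session key each side computed. The ephemeral private keys are locals that die
// on return, so nothing that remains on either machine can regenerate the key:
// that property is forward secrecy. Authenticating the ephemeral public keys
// (signing them with the identity key, as TLS does) is omitted here.
func EphemeralSession() (alice, bob [32]byte, err error) {
	ea, err := ecdh.X25519().GenerateKey(rand.Reader) // Alice's one-time key pair
	if err != nil {
		return
	}
	eb, err := ecdh.X25519().GenerateKey(rand.Reader) // Bob's one-time key pair
	if err != nil {
		return
	}
	sa, err := ea.ECDH(eb.PublicKey()) // Alice only ever sends ea.PublicKey()
	if err != nil {
		return
	}
	sb, err := eb.ECDH(ea.PublicKey()) // Bob only ever sends eb.PublicKey()
	if err != nil {
		return
	}
	return kdf(sa), kdf(sb), nil
}
```

Calling `StaticKey` twice with the same identities returns the same key, whereas two calls to `EphemeralSession` return two unrelated keys that agree on both sides of each exchange.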
0

If Alice sends a symmetrically encrypted message to Bob, and Bob leaks the key, now every message Bob sends to Alice can be eavesdropped by third parties.

If the key is asymmetric, your only hope is to snoop on Bob while he is still writing Alice's key pre-encryption. He could, of course, deliberately leak every plaintext he sends - but if he is not malicious, and only leaked Alice's key accidentally (or maybe it was stolen and he doesn't know), asymmetric nullifies the problem. Leaking a private key is very bad. Leaking a public key - who cares?

Because nobody cares that your public key is leaked, you might as well leak it yourself. If you leak it well enough, by broadcasting all over the net from public servers, you can even assume that everyone already has your key (or can get it). Now Alice's other problem is solved - how to get a key to Bob in the first place.

Superbest