

From 0 to cryptography - mariuz
http://techblog.rosedu.org/from-0-to-cryptography.html

======
zobzu
Note that unlike what TFA claims, symmetric keys are safe. They're, in fact,
SAFER than public key crypto for the SAME key size, as public key crypto
depends on prime numbers. That's why you'd see 256-bit symmetric keys, and
2048-bit or more public/secret keys.

It's just that the key exchange for symmetric keys is inherently unsafe
online. But if you share the keys in a safe manner (i.e., physically, secret
location, no camera, etc.), it's all good.

A long time ago, well, not so long in fact, before public key cryptography was
invented, symmetric crypto was used by businesses. They had people carrying
those keys and delivering them. That was a pain.

It also worked that way for a couple of thousand years, with weaker
algorithms, but the same concept.

~~~
xyzzyz
_It's just that the key exchange for symmetric keys is inherently unsafe
online._

I don't understand what you mean. There are plenty of ways to exchange
symmetric keys online, for instance by the Diffie-Hellman scheme, or even using
public key cryptography. I even recall that SSL/TLS uses a symmetric key for
encryption and asymmetric crypto is used only for key exchange.

~~~
pi18n
Diffie-Hellman is fine if there is no one between you and Alice, otherwise if
you read the protocol you will see it is easy for Eve to do the protocol with
both ends and just act as a conduit for messages after reading/altering them.

SSL/TLS relies on trusting a number of certificate authorities to verify that,
yes, the other end is Bob. Note that for this to work securely you must
_already_ have their public key info. There are problems with this also but
it's the best we have got right now.

~~~
yason
There's the interlock protocol that ensures that you'll only be talking with
one other party instead of one other and one in the middle, but still you don't
know who you're talking to.

But it's impossible to identify someone out of nowhere. Even in physical life
we need external information of a person or an organization we don't know to
identify him.

So, we will always need some leads with which to cross-check the other party's
identity. And given that, there are plenty of protocols to exchange symmetric
keys securely.

~~~
pi18n
But that's exactly the problem, that there is no way to securely verify over
an insecure connection that the keys you've associated with A are actually A's
keys.

~~~
yason
That's really a non-problem since how could you _ever_ know?

The only way to verify that A's keys are legit is to use a secure channel
first. Then you can leverage that over any number of insecure channels later
to reconnect with A.
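
pi18n's point that DH alone cannot tell you who is on the other end, and yason's reply that one secure channel can be leveraged later, as an added example that is not part of this thread: a pre-shared key obtained over that secure channel authenticates each DH public value with an HMAC, so a substituted value is rejected. The group (p = 2^127 - 1, base 3) is a toy choice for illustration, not a standard group, and the function names are mine.

```python
import hashlib
import hmac
import secrets

# Toy DH parameters (assumed, not a standard group): p is a Mersenne prime,
# g an arbitrary base. Real deployments use a standard 2048-bit+ group.
P = 2**127 - 1
G = 3

def dh_public(priv, p=P, g=G):
    return pow(g, priv, p)

def tag(psk, party, pub):
    """HMAC over the party name and its public value, keyed by the pre-shared key."""
    msg = party.encode() + b"|" + pub.to_bytes(16, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()

def receive(psk, party, pub, t):
    """Return pub only if its tag verifies; an in-path substitution fails here."""
    if not hmac.compare_digest(tag(psk, party, pub), t):
        raise ValueError("public value for %s failed authentication" % party)
    return pub

def shared_key(priv, peer_pub, p=P):
    """Derive a session key from the DH shared secret."""
    secret = pow(peer_pub, priv, p)
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()

def run(psk, tamper=None):
    """Full exchange; `tamper`, if given, replaces the value Alice sees from Bob.

    Returns True when both sides derive the same key; raises ValueError when
    an authenticated value does not verify.
    """
    a = secrets.randbelow(P - 2) + 2
    b = secrets.randbelow(P - 2) + 2
    A, B = dh_public(a), dh_public(b)
    tA, tB = tag(psk, "alice", A), tag(psk, "bob", B)
    seen_B = tamper(B) if tamper else B   # attacker in the path swaps Bob's value
    alice_key = shared_key(a, receive(psk, "bob", seen_B, tB))
    bob_key = shared_key(b, receive(psk, "alice", A, tA))
    return alice_key == bob_key
```

Without the pre-shared key (or some other prior trust), nothing in the exchange distinguishes Bob's value from Eve's, which is exactly the gap the thread is describing.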

------
spaghetti
This fun puzzle illustrates some of the ideas: Bob wants to send Alice
something valuable in the mail. Unfortunately the postal system is very
corrupt and very efficient. Any package containing a valuable item will always
be spotted by postal workers. If the package doesn't have a lock the postal
workers will steal the item. Also postal workers will always spot any key sent
through the mail and hold it indefinitely. So even if a locked box is sent
through and Alice receives it she will never receive the key when it comes
through hence she can't obtain the package contents. How can Bob successfully
deliver a valuable item to Alice?

Answer: Bob puts the item in a box with a lock and sends it to Alice. Alice
receives the box, places her lock on it and sends it back to Bob. Bob removes
his lock and sends the box back to Alice. Now Alice removes her lock and
obtains the package contents.

~~~
jethroalias97
What you have described is more or less Diffie-Hellman. Unfortunately this
alone won't guarantee your package's safe passage. If it did, Verisign would be
out of a job.

The flaw is, you can basically just have the same scenario but replace Alice
with the post office:

Bob puts the item in a box with a lock and sends it to Alice. Post office
intercepts the box, places their lock on it and sends it back to Bob. Bob
removes his lock and sends the box back to Alice. Now the post office removes
their lock and obtains the package contents.

The only way around this is to have some truly trusted third party. Even in
RSA, if you aren't absolutely certain of the other user's public key, it won't
work, which is why web-of-trust and other techniques are used.
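
The lock-box puzzle and the post-office variant above, as an added example that is not part of this thread: each "lock" is exponentiation modulo a prime, and because exponents commute the locks can be removed in any order (this is the shape of Shamir's three-pass protocol). The prime is a toy size chosen for illustration, and the function names are mine.

```python
import math
import random

# Toy modulus (assumed for illustration only): a Mersenne prime, far too small
# for real use. Items must be integers in the range 1 .. P-1.
P = 2**61 - 1

def make_lock(p=P):
    """A lock is an exponent e coprime to p-1; the key is its inverse d mod p-1."""
    while True:
        e = random.randrange(2, p - 1)
        if math.gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)   # modular inverse (Python 3.8+)

def lock(box, e, p=P):
    return pow(box, e, p)

def unlock(box, d, p=P):
    return pow(box, d, p)

def honest_exchange(item, bob, alice, p=P):
    """Bob -> Alice -> Bob -> Alice; each party only ever uses its own lock."""
    be, bd = bob
    ae, ad = alice
    box = lock(item, be, p)      # Bob's lock goes on
    box = lock(box, ae, p)       # Alice adds her lock
    box = unlock(box, bd, p)     # Bob removes his lock (Alice's stays on)
    return unlock(box, ad, p)    # Alice removes hers and gets the item

def post_office_relay(item, bob, alice, p=P):
    """The flaw in the reply: nothing tells Bob whose lock was added.

    The post office intercepts the box, plays Alice's role toward Bob, and
    ends up with the contents; Alice's lock is never used at all.
    """
    be, bd = bob
    pe, pd = make_lock(p)        # the post office's own lock
    box = lock(item, be, p)
    box = lock(box, pe, p)       # intercepted: post office's lock, not Alice's
    box = unlock(box, bd, p)     # Bob removes his lock as in the honest run
    return unlock(box, pd, p)    # post office removes its lock
```

The two runs are indistinguishable from Bob's side, which is why the reply concludes that some prior trust in the other party's key is needed.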

------
Mithrandir
Don't mean to be a shill for Coursera, but if you enjoyed this article you
might like Coursera's crypto class: <https://www.coursera.org/course/crypto> I
found it really challenging in some places, but also quite fun.

Udacity also has a crypto course:
[http://www.udacity.com/overview/Course/cs387/CourseRev/apr20...](http://www.udacity.com/overview/Course/cs387/CourseRev/apr2012)
I haven't tried it yet, but it looks a bit more in-depth in some places than
the Coursera course.

------
parley
If you read this and intend to make security design decisions based on it (as
opposed to reading it just for fun), please read more about the subject from
other sources as well. A few statements in it are a bit contradictory, like
claiming DH is safe from MITM while at the same time in other words
acknowledging e.g. that identity cannot be proven with it. I don't mean to
bash the author as primers are a good way to get people interested in stuff,
but small oversights can sometimes cause big problems.

~~~
mindslight
And before you tackle those other sources, make sure to go on a week-long
bender. This will hopefully kill enough brain cells that you might stand a
chance of forgetting most of this post's mischaracterizations.

I can condone running through the math behind various primitives, to whet
someone's whistle and give them a bit of an appreciation. To someone
unfamiliar with the concept of one-way functions, seeing a run-through of
Diffie-Hellman is pretty neat. "What do you mean I can't figure out the
secret, the numbers are right here in front of me..."

But one of the major things that makes crypto so damn hard is that the devil
is in the details, and this article misleads much more than it informs. Linear
analogies like paint-mixing and XOR (!?) are anti-enlightening to the feat
that DH actually accomplishes. Never mind the blatantly incorrect summaries of
the properties of each primitive, which were clearly driven more by the
limited understanding of the author than any kind of real-world usage.

------
tptacek
If you thought this link was useful, I'd be interested in knowing why.

~~~
experiment0
I'm interested in knowing why your post implies that it's not useful. I would
like to know if it's worth reading as I've just added it to Read It Later.

EDIT: Please correct me if you didn't mean to come across that way, it's just
the last comment on the blog:

> this post is just terrible. i don't understand why people feel the need to
> learn a tiny bit about a subject, and regurgitate their misunderstandings
> through blogging. please take it down, you are making the world a worse
> place.

has made me wary.

~~~
tptacek
I'm asking seriously, not just to make a point.

~~~
randartie
Not sure what your problem is with the article, it's a basic intro article.
Clearly the people that find it useful are the people who do not know the
material and don't need to deal with this on a regular basis.

~~~
tptacek
So I'm curious what you do with a basic understanding of, say, the RSA math.

~~~
psykotic
What do you do with a basic understanding of limited-slip differentials,
frequency modulation, the Maillard reaction, or any other number of subjects?
If you're anything like me, what you do is take joy in understanding a little
more about how stuff works, however superficially. And who knows when some
grain of knowledge could be a useful inspiration in some seemingly unrelated
area where you do have expertise? That happens more often than one might
think, especially with mathematics.

I get that you worry some well-meaning fool will read this and go implement
their own botched RSA-based or DH-based cryptosystem. That concern is
legitimate. By all means, post the customary warnings.

~~~
caf
Right - I think it's part of the mindset of the hacker to assign intrinsic
value to a basic understanding of how things work. From the Krebs Cycle to the
lifecycle of a star, it's all interesting.

------
ceautery
I found that to be a pretty nice writeup, a little more accessible for the
curious layman than a pair of blog entries I wrote on RSA
([http://cautery.blogspot.com/2012/06/rsa-encryption-and-other...](http://cautery.blogspot.com/2012/06/rsa-encryption-and-other-sun-tzu.html))
and Elgamal
([http://cautery.blogspot.com/2012/07/encryption-part-2-elgama...](http://cautery.blogspot.com/2012/07/encryption-part-2-elgamal-and-discrete.html))

Encryption topics were the big wake-up call for me regarding not relying on
Wikipedia for math/tech info. When I started the above blog posts, I dug
around for background info from a variety of sources until I got my head
around the math, and found Wikipedia's entries on encryption topics to be
basically unfixable without doing a large enough rewrite to guarantee an
immediate revert.

Anyway, I wish this rosedu post had come a few months earlier; it would have
saved me quite a wild goose chase.

------
de1978st
Great Link, thank you.

------
vinitool76
Site down?

~~~
idupree
[http://rosedu.github.com/techblog/from-0-to-cryptography.htm...](http://rosedu.github.com/techblog/from-0-to-cryptography.html), perhaps!

~~~
poipoipoi
<http://techblog.rosedu.org/from-0-to-cryptography.html>

