Another major advantage of public-key systems is that they can provide
a method for digital signatures. Authentication via secret-key systems
requires the sharing of some secret and sometimes requires trust of a
third party as well. A sender can then repudiate a previously signed
message by claiming that the shared secret was somehow compromised by
one of the parties sharing the secret. For example, the Kerberos
secret-key authentication system involves a central database that keeps
copies of the secret keys of all users; a Kerberos-authenticated
message would most likely not be held legally binding, since an attack
on the database would allow widespread forgery. Public-key
authentication, on the other hand, prevents this type of repudiation;
each user has sole responsibility for protecting his or her private
key. This property of public-key authentication is often called
non-repudiation.

Furthermore, digitally signed messages can be proved authentic to a
third party, such as a judge, thus allowing such messages to be legally
binding. Secret-key authentication systems such as Kerberos were
designed to authenticate access to network resources, rather than to
authenticate documents, a task which is better achieved via digital
signatures.
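
The repudiation argument above, as an added example that is not part of the original FAQ: a recipient who shares the secret key can produce a valid tag on a message the sender never wrote, while a recipient who holds only the public key cannot. The names, messages and toy key are constructed; HMAC-SHA256 stands in for a generic secret-key authenticator, and unpadded hash-then-sign RSA stands in for a real signature scheme.

```python
import hashlib
import hmac

# Constructed toy RSA key for illustration only: both primes are Mersenne
# primes, so N is trivially factorable. Never use such a key in practice.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key: anyone may hold (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))        # private key: held by the signer alone

def digest_int(msg: bytes) -> int:
    """SHA-256 digest of msg as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def mac_tag(shared_key: bytes, msg: bytes) -> bytes:
    """Secret-key authentication: anyone holding shared_key can compute this."""
    return hmac.new(shared_key, msg, hashlib.sha256).digest()

def mac_verify(shared_key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(shared_key, msg), tag)

def rsa_sign(msg: bytes, d: int = D, n: int = N) -> int:
    """Unpadded hash-then-sign (textbook RSA); real schemes add padding."""
    return pow(digest_int(msg), d, n)

def rsa_verify(msg: bytes, sig: int, e: int = E, n: int = N) -> bool:
    """Needs only the public key, so a third party can run it."""
    return pow(sig, e, n) == digest_int(msg)

def demo() -> dict:
    shared = b"constructed-shared-secret"      # known to sender AND recipient
    genuine, forged = b"pay Bob 10", b"pay Bob 1000"   # constructed messages
    sig = rsa_sign(genuine)                    # made by the sender with D
    return {
        # The recipient knows `shared`, so a tag on a message the sender never
        # wrote verifies just like a genuine one: the sender can disown both.
        "mac_genuine_ok": mac_verify(shared, genuine, mac_tag(shared, genuine)),
        "mac_recipient_forgery_ok": mac_verify(shared, forged, mac_tag(shared, forged)),
        # The recipient holds only (N, E): it can check sig but cannot move it
        # to another message, so a valid signature points at the holder of D.
        "sig_genuine_ok": rsa_verify(genuine, sig),
        "sig_moved_to_forged_ok": rsa_verify(forged, sig),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
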

A disadvantage of using public-key cryptography for encryption is
speed: there are popular secret-key encryption methods which are
significantly faster than any currently available public-key encryption
method. But public-key cryptography can share the burden with
secret-key cryptography to get the best of both worlds.

For encryption, the best solution is to combine public- and secret-key
systems in order to get both the security advantages of public-key systems
and the speed advantages of secret-key systems. The public-key system can
be used to encrypt a secret key which is then used to encrypt the bulk of a
file or message. This is explained in more detail in Question
3.2.12 in the case of RSA. Public-key cryptography is not meant
to replace secret-key cryptography, but rather to supplement it, to make it
more secure. The first use of public-key techniques was for secure key
exchange in an otherwise secret-key system; this is still one of its
primary functions.

Secret-key cryptography remains extremely important and is the subject
of much ongoing study and research. Some secret-key encryption systems
are discussed in Questions 3.5.1 and 3.5.5.