[cryptography] The NSA and secure VoIP

ianG iang at iang.org
Fri Mar 2 09:40:02 EST 2012


On 2/03/12 14:31 PM, Jeffrey Walton wrote:
> On Thu, Mar 1, 2012 at 10:27 PM, Steven Bellovin<smb at cs.columbia.edu>  wrote:
>> http://www.scmagazine.com.au/News/292189,nsa-builds-android-phone-for-top-secret-calls.aspx
>> makes for interesting reading.  I was particularly intrigued by this:
>>
>>         Voice calls are encrypted twice in accordance with NSA policy,
>>         using IPSEC and SRTP, meaning a failure requires “two independent
>>         bad things to happen,” Salter said.
>>
>> Margaret Salter is the head of the Information Assurance Directorate
>> of the NSA.
> Interesting. I seem to recall that cascading ciphers is frowned upon
> on sci.crypt. I wonder if this is mis-information....


As always, it depends.

If you take two ciphers and combine them together, hoping that it 
creates a stronger cipher, this is not recommended.  Crypto doesn't work 
that way :)  If you think about it, two different cryptographers already 
tried to do their best -- why do you think you can better them by some 
amateur kludge?   Also, two ciphers can interact in ways that are harder 
for you to predict, and the result can be somewhere between mildly 
similar to mildly worse.  So the recommendation is, don't do something 
you don't fully understand [1].

However what NSA is recommending above is not cascading ciphers but 
layered systems.  In this context, the two ciphers are so far apart in 
layered spaces that they are very likely not to interact.  They can be 
treated independently.

Why layered systems?  The way I put it is this way [2]: close your eyes 
and tell me whether your firewall is switched on?  How about your VPN 
(IPSec above)?  Or, is TLS really covering your threat model?

Which (insert some handwaving here) leads to the conclusion that 
security below the application is unreliable - to the application, and 
ultimately to the user.  As an application designer, specifying IPSec is 
like saying you will be bullet-proof if you wear body armour.  Well, 
what about the times you don't?

NSA take this viewpoint from an opposite pole and say - look at this 
application.  It promises hard-core crypto.  It spits out nonsense, it 
seems to work.  How do we know?  Well... we could probably figure it 
out, but it is probably easier to coat our entire network with low-layer 
security, so we aren't totally reliant on those dodgy Skype crypto-weenies.

This is simply engineering.  Do the job at the lower layer, and re-do 
the job at the higher layer.  Resilience from failures.

Nothing to do with crypto, gets you zero marks in class.  But as a 
software or systems engineer, it's obvious, a no-brainer.



iang



[1] there is one way I've come across to combine two strong ciphers in a 
strong way.  It is a variation of counter mode.  Take each cipher, and 
generate a PRNG, or a stream, e.g., by counter mode.  Then XOR the 
result of each cipher with the plaintext.
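The construction in footnote [1], as an added example that is not code from ianG's post or from the NSA system under discussion: each cipher runs in counter mode under its own key and IV, and only the two keystreams meet the data, so neither cipher ever processes the other's output. The pairing of AES with 3DES, the DualCTR type and the demo keys are my choices for a standard-library-only illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// DualCTR: two independently keyed block ciphers, each run in counter mode
// for its own keystream; both keystreams are XORed onto the data.
type DualCTR struct {
	a, b     cipher.Block
	ivA, ivB []byte
}

// NewDualCTR pairs an AES key (16/24/32 bytes) with a 3DES key (24 bytes);
// 3DES appears only because Go's standard library ships it. IVs must be one
// block each (16 and 8 bytes), fresh per message; NewCTR panics otherwise.
func NewDualCTR(keyA, ivA, keyB, ivB []byte) (*DualCTR, error) {
	a, err := aes.NewCipher(keyA)
	if err != nil {
		return nil, err
	}
	b, err := des.NewTripleDESCipher(keyB)
	if err != nil {
		return nil, err
	}
	return &DualCTR{a: a, b: b, ivA: ivA, ivB: ivB}, nil
}

// Apply XORs both keystreams onto src; CTR is symmetric, so the same call
// encrypts and decrypts. A MAC over the result is still needed in practice.
func (d *DualCTR) Apply(src []byte) []byte {
	out := make([]byte, len(src))
	cipher.NewCTR(d.a, d.ivA).XORKeyStream(out, src) // out = src ^ S_aes
	cipher.NewCTR(d.b, d.ivB).XORKeyStream(out, out) // out = src ^ S_aes ^ S_3des
	return out
}

// Constructed demo values; real keys come from a KDF or CSPRNG, never constants.
var (
	demoKeyA, demoIVA = []byte("0123456789abcdef0123456789abcdef"), []byte("0123456789ABCDEF")
	demoKeyB, demoIVB = []byte("0123456789abcdefghijklmn"), []byte("nonce-8b")
)

func main() {
	d, _ := NewDualCTR(demoKeyA, demoIVA, demoKeyB, demoIVB)
	fmt.Printf("%x\n", d.Apply([]byte("layered, not cascaded")))
}
```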

[2] http://iang.org/ssl/h5_security_begins_at_the_application_and_ends_at_the_mind.html


