[cryptography] The NSA and secure VoIP

Steven Bellovin smb at cs.columbia.edu
Fri Mar 2 09:48:36 EST 2012

On Mar 2, 2012, at 2:59 AM, Marsh Ray wrote:

> On 03/01/2012 09:31 PM, Jeffrey Walton wrote:
>> Interesting. I seem to recall that cascading ciphers is frowned upon
>> on sci.crypt. I wonder if this is mis-information....
> Not mis-information. You could easily end up enabling a meet-in-the-middle attack just like double DES.
> https://en.wikipedia.org/wiki/Meet-in-the-middle_attack

Meet-in-the-middle attacks don't weaken things; they merely don't give you as much advantage as one might suppose.  Note, though, that you need 2^n storage.  This is Suite B/Top Secret, which means 256-bit AES, which means that you would need 2^260 bytes of storage.  That's too much, even for NSA, so those attacks aren't even relevant.

Where NSA has a strong edge over most civilian crypto folks is that they understand that they're dealing with a *system* -- not just a cipher, but key exchange, key storage, timing attacks and other side channels, buggy implementations, very fallible (or corrupt[ed]) people, etc.  Maybe SRTP is weak in a way they haven't found.  Maybe IPsec is.  They've looked at both and don't think so, but they can't rule it out.  But if you combine both *and* you do it in a way you think actually buys you something, you've protected yourself against a lot of those failures.  Both would have to fail, and in a compatible way, for there to be a weakness.

		--Steve Bellovin, https://www.cs.columbia.edu/~smb
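The cost trade-off discussed in this message, as an added example that is not part of the original post: a meet-in-the-middle search against double encryption, using a constructed toy 16-bit Feistel cipher with 12-bit keys (the cipher, keys and plaintexts are all assumptions made for illustration). It finds the key pair in about 2·2^n cipher operations instead of 2^(2n), but it has to hold 2^n table entries, which is the storage requirement that rules the approach out at n = 256.

```python
# Added illustration: toy cipher with constructed keys and plaintexts.
from collections import defaultdict

KEY_BITS = 12  # toy key size n; the thread's case is n = 256

def _round(half, key, r):
    # Toy 8-bit round function (not a real cipher); uses all 12 key bits over 4 rounds.
    x = (half + (key >> (r + 1)) + 0x3D * (r + 1)) & 0xFF
    x ^= key & 0xFF
    return ((x * 167 + 13) ^ (x >> 3)) & 0xFF

def encrypt(block, key):
    left, right = block >> 8, block & 0xFF
    for r in range(4):
        left, right = right, left ^ _round(right, key, r)
    return (left << 8) | right

def decrypt(block, key):
    left, right = block >> 8, block & 0xFF
    for r in reversed(range(4)):
        left, right = right ^ _round(left, key, r), left
    return (left << 8) | right

def meet_in_the_middle(pairs):
    """Find every (k1, k2) with C = E(k2, E(k1, P)) for all known (P, C) pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = defaultdict(list)  # middle value -> k1 list: the 2^n-entry store
    for k1 in range(1 << KEY_BITS):
        table[encrypt(p0, k1)].append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(decrypt(c0, k2), ()):
            # Extra pairs filter out chance collisions on the 16-bit middle value.
            if all(encrypt(encrypt(p, k1), k2) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates, sum(len(v) for v in table.values())

def demo():
    k1, k2 = 0xA5C, 0x3E7                  # constructed secret keys
    plaintexts = [0x1234, 0xBEEF, 0x0F0F]  # constructed known plaintexts
    pairs = [(p, encrypt(encrypt(p, k1), k2)) for p in plaintexts]
    candidates, stored = meet_in_the_middle(pairs)
    return (k1, k2), candidates, stored, pairs

if __name__ == "__main__":
    true_keys, candidates, stored, _ = demo()
    print(f"true={true_keys} found={candidates} table_entries={stored}")
    print(f"cipher ops ~{2 << KEY_BITS} vs naive search {1 << (2 * KEY_BITS)}")
```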
