[cryptography] The NSA and secure VoIP
smb at cs.columbia.edu
Fri Mar 2 09:48:36 EST 2012
On Mar 2, 2012, at 2:59 AM, Marsh Ray wrote:
> On 03/01/2012 09:31 PM, Jeffrey Walton wrote:
>> Interesting. I seem to recall that cascading ciphers is frowned upon
>> on sci.crypt. I wonder if this is mis-information....
> Not mis-information. You could easily end up enabling a meet-in-the-middle attack just like double DES.
Meet-in-the-middle attacks don't weaken things; they merely don't give you as much advantage as one might suppose. Note, though, that you need 2^n storage. This is Suite B/Top Secret, which means 256-bit AES, which means that you would need 2^260 bytes of storage. That's too much, even for NSA, so those attacks aren't even relevant.
Where NSA has a strong edge over most civilian crypto folks is that they understand that they're dealing with a *system* -- not just a cipher, but key exchange, key storage, timing attacks and other side channels, buggy implementations, very fallible (or corrupt[ed]) people, etc. Maybe SRTP is weak in a way they haven't found. Maybe IPsec is. They've looked at both and don't think so, but they can't rule it out. But if you combine both *and* you do it in a way you think actually buys you something, you've protected yourself against a lot of those failures. Both would have to fail, and in a compatible way, for there to be a weakness.
--Steve Bellovin, https://www.cs.columbia.edu/~smb
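The meet-in-the-middle point above, worked through on a toy cascade as an added example (this code is not from the thread or any of its authors). A constructed 16-bit toy cipher stands in for the real ones; the attack recovers both cascade keys with about 2^17 cipher operations plus a 2^16-entry table instead of the 2^32 brute force of the cascade, so the cascade is no weaker than one cipher but buys far less than a doubled key length, and `mitm_table_bytes` reproduces the 2^260-byte storage figure for 256-bit keys (assuming 16 bytes per table entry).

```python
MASK = 0xFFFF
MUL = 0x1F3                       # odd, so multiplication mod 2^16 is invertible
MUL_INV = pow(MUL, -1, 1 << 16)
CONST = 0x5A5A

def toy_encrypt(key, block):
    """Constructed toy 16-bit block cipher, 16-bit key; three invertible rounds."""
    x = block & MASK
    for r in range(3):
        x ^= (key ^ (0x9E37 * (r + 1))) & MASK   # round subkey
        x = ((x << 5) | (x >> 11)) & MASK         # rotate left by 5
        x = (x * MUL + CONST) & MASK              # affine mixing mod 2^16
    return x

def toy_decrypt(key, block):
    x = block & MASK
    for r in reversed(range(3)):                  # undo the rounds in reverse
        x = ((x - CONST) * MUL_INV) & MASK
        x = ((x >> 5) | (x << 11)) & MASK         # rotate right by 5
        x ^= (key ^ (0x9E37 * (r + 1))) & MASK
    return x

def cascade_encrypt(k1, k2, block):
    """Two-cipher cascade with independent keys, like layering SRTP inside IPsec."""
    return toy_encrypt(k2, toy_encrypt(k1, block))

def mitm_recover(pairs):
    """Meet-in-the-middle key recovery from known (plaintext, ciphertext) pairs.
    Returns (k1, k2, cipher_ops, table_entries) or None."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}                                    # 2^16 entries: the storage term
    for k1 in range(1 << 16):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    ops = 1 << 16
    for k2 in range(1 << 16):
        ops += 1
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            # Extra pairs weed out the ~2^16 chance matches on the first pair.
            if all(cascade_encrypt(k1, k2, p) == c for p, c in rest):
                return k1, k2, ops, len(table)
    return None

def mitm_table_bytes(key_bits, entry_bytes=16):
    """Forward-table storage: one entry per key, so 2^256 * 16 bytes = 2^260 bytes."""
    return (1 << key_bits) * entry_bytes

# Constructed sample: secret keys and four known plaintexts.
SECRET_K1, SECRET_K2 = 0x3C5A, 0xA1F0
SAMPLE_PAIRS = [(p, cascade_encrypt(SECRET_K1, SECRET_K2, p))
                for p in (0x0000, 0x1234, 0xBEEF, 0xC0DE)]

if __name__ == "__main__":
    print(mitm_recover(SAMPLE_PAIRS))   # about 2^17 cipher ops, not 2^32
```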