[cryptography] The NSA and secure VoIP
maillists at krassi.biz
Sat Mar 3 17:33:48 EST 2012
The way I read it is something much simpler than attacking the
encryption - it seams to be about operational procedures security.
Think if somebody mis-configures something on the first layer you
still have the second layer. Now if you add two separate teams
managing each layer then you have a good chance they will not do the
same mistake. Or if I have to be a bit more cold war - if keying
material managed in one of the layers leaks out then the other layer
So two teams, to operation procedure sets and two sets of keys
(oversimplifying here) and an attacker has to be able to infiltrate
On Fri, Mar 2, 2012 at 6:48 AM, Steven Bellovin <smb at cs.columbia.edu> wrote:
> On Mar 2, 2012, at 2:59 AM, Marsh Ray wrote:
>> On 03/01/2012 09:31 PM, Jeffrey Walton wrote:
>>> Interesting. I seem to recall that cascading ciphers is frowned upon
>>> on sci.crypt. I wonder if this is mis-information....
>> Not mis-information. You could easily end up enabling a meet-in-the-middle attack just like double DES.
> Meet-in-the-middle attacks don't weaken things; they merely don't give you as much advantage as one might suppose. Note, though, that you need 2^n storage. This is Suite B/Top Secret, which means 256-bit AES, which means that you would need 2^260 bytes of storage. That's too much, even for NSA, so those attacks aren't even relevant.
> Where NSA has a strong edge over most civilian crypto folks is that they understand that they're dealing with a *system* -- not just a cipher, but key exchange, key storage, timing attacks and other side channels, buggy implementations, very fallible (or corrupt[ed]) people, etc. Maybe SRTP is weak in a way they haven't found. Maybe IPsec is. They've looked at both and don't think so, but they can't rule it out. But if you combine both *and* you do it in a way you think actually buys you something, you've protected yourself against a lot of those failures. Both would have to fail, and in a compatible way, for there to be a weakness.
> --Steve Bellovin, https://www.cs.columbia.edu/~smb
> cryptography mailing list
> cryptography at randombit.net
More information about the cryptography