On 2/03/12 14:31 PM, Jeffrey Walton wrote:
On Thu, Mar 1, 2012 at 10:27 PM, Steven Bellovin<[email protected]> wrote:
http://www.scmagazine.com.au/News/292189,nsa-builds-android-phone-for-top-secret-calls.aspx
makes for interesting reading. I was particularly intrigued by this:
Voice calls are encrypted twice in accordance with NSA policy,
using IPSEC and SRTP, meaning a failure requires “two independent
bad things to happen,” Salter said.
Margaret Salter is the head of the Information Assurance Directorate
of the NSA.
Interesting. I seem to recall that cascading ciphers are frowned upon
on sci.crypt. I wonder if this is misinformation....
As always, it depends.
If you take two ciphers and combine them together, hoping that it
creates a stronger cipher, this is not recommended. Crypto doesn't work
that way :) If you think about it, two different cryptographers already
tried to do their best -- why do you think you can better them by some
amateur kludge? Also, two ciphers can interact in ways that are harder
for you to predict, and the result can be somewhere between mildly
similar and mildly worse. So the recommendation is, don't do something
you don't fully understand [1].
However what NSA is recommending above is not cascading ciphers but
layered systems. In this context, the two ciphers are so far apart in
layered spaces that they are very likely not to interact. They can be
treated independently.
Why layered systems? The way I put it is this way [2]: close your eyes
and tell me whether your firewall is switched on? How about your VPN
(IPSec above)? Or, is TLS really covering your threat model?
Which (insert some handwaving here) leads to the conclusion that
security below the application is unreliable - to the application, and
ultimately to the user. As an application designer, specifying IPSec is
like saying you will be bullet-proof if you wear body armour. Well,
what about the times you don't?
NSA take this viewpoint from an opposite pole and say - look at this
application. It promises hard-core crypto. It spits out nonsense, it
seems to work. How do we know? Well... we could probably figure it
out, but it is probably easier to coat our entire network with low-layer
security, so we aren't totally reliant on those dodgy Skype crypto-weenies.
This is simply engineering. Do the job at the lower layer, and re-do
the job at the higher layer. Resilience from failures.
Nothing to do with crypto, gets you zero marks in class. But as a
software or systems engineer, it's obvious, a no-brainer.
iang
[1] there is one way I've come across to combine two strong ciphers in a
strong way. It is a variation of counter mode. Take each cipher, and
generate a PRNG, or a stream, e.g., by counter mode. Then XOR the
result of each cipher with the plaintext.
[2] http://iang.org/ssl/h5_security_begins_at_the_application_and_ends_at_the_mind.html
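The construction sketched in footnote [1], as an added example that is not part of the original post: each cipher produces a keystream in counter mode under its own independent key, and both keystreams are XORed into the plaintext. Because the Python standard library has no block cipher, the two counter-mode keystreams here come from two unrelated keyed primitives (HMAC-SHA256 and keyed BLAKE2b) standing in for the two ciphers; the keys, nonce and messages are constructed for the demonstration. The example also shows what an attacker who has completely broken one layer is left with, and the nonce-reuse caveat that this combination inherits from any stream cipher.

```python
"""
Two independent counter-mode keystreams XORed into the plaintext, as in
footnote [1].  Added example, not code from the original post.  HMAC-SHA256
and keyed BLAKE2b stand in for the two ciphers (assumption: any two
unrelated PRFs in counter mode give the same combining structure).
"""
import hashlib
import hmac

# Constructed sample keys and nonce for the demonstration (not from the post).
KEY_A = bytes(range(32))             # 32-byte key for the HMAC-SHA256 layer
KEY_B = bytes(range(100, 132))       # independent 32-byte key for the BLAKE2b layer
NONCE = b"\x00" * 8                  # per-message nonce; must never repeat under a key


def keystream_hmac_sha256(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode over HMAC-SHA256: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def keystream_blake2b(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode over keyed BLAKE2b: block i = BLAKE2b_key(nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = nonce + counter.to_bytes(8, "big")
        out += hashlib.blake2b(msg, key=key, digest_size=64).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor_bytes: length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def combined_encrypt(key_a: bytes, key_b: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """ciphertext = plaintext XOR ks_A XOR ks_B, each keystream under its own key.

    The two layers never see each other's output, so they cannot interact;
    recovering the plaintext requires recovering BOTH keystreams."""
    ks_a = keystream_hmac_sha256(key_a, nonce, len(plaintext))
    ks_b = keystream_blake2b(key_b, nonce, len(plaintext))
    return xor_bytes(xor_bytes(plaintext, ks_a), ks_b)


# XOR is its own inverse, so decryption is the same operation.
combined_decrypt = combined_encrypt


def strip_one_layer(key_a: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """What an attacker who has fully broken layer A (knows ks_A) is left with:
    plaintext XOR ks_B, i.e. still a ciphertext under the intact layer B."""
    ks_a = keystream_hmac_sha256(key_a, nonce, len(ciphertext))
    return xor_bytes(ciphertext, ks_a)


def nonce_reuse_leak(key_a: bytes, key_b: bytes, nonce: bytes,
                     pt1: bytes, pt2: bytes) -> bytes:
    """Caveat inherited from every stream cipher: two messages encrypted under
    the same keys and nonce leak pt1 XOR pt2, however many layers there are."""
    ct1 = combined_encrypt(key_a, key_b, nonce, pt1)
    ct2 = combined_encrypt(key_a, key_b, nonce, pt2)
    return xor_bytes(ct1, ct2)


if __name__ == "__main__":
    pt = b"attack at dawn"
    ct = combined_encrypt(KEY_A, KEY_B, NONCE, pt)
    assert combined_decrypt(KEY_A, KEY_B, NONCE, ct) == pt
    print("ciphertext:", ct.hex())
    print("after stripping layer A:", strip_one_layer(KEY_A, NONCE, ct).hex())
```

Note that the security argument only holds with independent keys and a fresh nonce per message: reusing the nonce makes `nonce_reuse_leak` return `pt1 XOR pt2` exactly, and deriving KEY_B from KEY_A would let a break of layer A reach layer B.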
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography