[VOIPSEC] CALEA Enforcement
Hank Cohen
hcohen at hifn.com
Fri May 5 16:25:22 CDT 2006

I certainly agree that endnodes cannot be trusted to cooperate in CALEA
intercepts. It is also certain that the Department of Justice will not
allow VoIP providers to avoid their responsibilities as telephony
carriers under CALEA. And anyone who thinks (as I have heard people who
should know better say) that they can simply provide the ciphertext and
let the NSA break them will find themselves sadly mistaken. AES-256 is
not vulnerable to NSA attack although many of the systems using it may
be.

There are proposals to use key escrow to enable CALEA interception of
encrypted calls but this might also require the cooperation of the end
terminal. For example the end terminal might just use the escrowed key
to encrypt a key exchange that generates another session key unknown to
the escrow agent.

There will also always be clever programmers like Phil Zimmermann who
will write end-to-end encryption schemes. Code in the wild is
notoriously impossible to bring under control. The DoJ will not be able
to stop that but they will be able to prevent any service provider or
equipment OEM from offering such inaccessible systems. I would be very
interested to hear if anyone has received a cease and desist letter from
the DoJ yet. I don't expect anyone who has gotten one to be interested
in talking about it though.

My suspicion is that media encryption will not be end to end for any
commercial service or carrier device. Media security will probably end
up restricted to some vulnerable segment of the call; for example a
cable TV last mile coax or PON network where the media is in essence
shared, or over an untrusted 3rd party network, or between a client and
a 3rd party application service provider like Vonage.

Media encryption could also be offered by a service provider from access
node to access node or to a peering connection. Even if encryption is
not end to end it can help to provide more secure reliable service.

Hank Cohen
Hifn

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Gupta, Sachin
> Sent: Friday, May 05, 2006 1:34 PM
> To: voipsec at voipsa.org
> Subject: [VOIPSEC] CALEA Enforcement
>
> I came across an article which mentions the enforcement of CALEA.
> Would this mean no end-to-end security?
> How would any kind of legal intercept be possible if there is
> end-to-end security?
>
> http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-265221A1.pdf
>
> Sachin
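
The key-escrow caveat in the message above (an end terminal using the escrowed key only to protect a second key exchange), as an added example that is not part of the original post. It assumes a toy Diffie-Hellman group and a toy XOR keystream cipher, both far too weak for real use; all function names and the sample payload are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumptions): a 127-bit Mersenne prime group and an
# unauthenticated XOR keystream. Illustration only, not a real design.
P = 2**127 - 1
G = 3

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv: int, peer_pub: int) -> bytes:
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def unwrap(escrowed_key: bytes, wire: bytes) -> int:
    return int.from_bytes(keystream_xor(escrowed_key, wire), "big")

def run_call(escrowed_key: bytes, media: bytes) -> dict:
    # Each terminal sends its DH public value encrypted under the escrowed key.
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    wire_a = keystream_xor(escrowed_key, a_pub.to_bytes(16, "big"))
    wire_b = keystream_xor(escrowed_key, b_pub.to_bytes(16, "big"))
    # Terminals unwrap the peer's value and derive the actual media key.
    k_a = session_key(a_priv, unwrap(escrowed_key, wire_b))
    k_b = session_key(b_priv, unwrap(escrowed_key, wire_a))
    wire_media = keystream_xor(k_a, media)
    # Escrow agent's view: it can open the exchange and read both public
    # values, but it holds neither private exponent, so not the media key.
    agent_pubs = (unwrap(escrowed_key, wire_a), unwrap(escrowed_key, wire_b))
    return {
        "keys_match": k_a == k_b,
        "agent_sees_pubs": agent_pubs == (a_pub, b_pub),
        "agent_media": keystream_xor(escrowed_key, wire_media),
        "peer_media": keystream_xor(k_b, wire_media),
    }
```

The escrowed key opens the outer layer only, which is why escrow-based interception depends on the terminal actually using the escrowed key for the media itself.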