[Cryptography] NSA security guidelines for videoconferencing

Phillip Hallam-Baker phill at hallambaker.com
Sun May 3 01:46:24 EDT 2020 

On Sat, May 2, 2020 at 7:33 AM Whitfield Diffie <whitfield.diffie at gmail.com>
wrote:

> > The problem with 'end to end' encryption is that it isn't the same as
> end to end
> > security and the developers may have a different definition of what an
> 'end' is.
>
>     The problem is with the term `end-to-end encryption.'  All
> encryption is from one end of something to another.  Link encryption
> is from one end of a link to the other.  Perhaps the term we need here
> is ``user-to-user encryption.''
>
>                            Whit
>

Zoom have released more details of their protocol which I looked at in the
video. Will try to do a write up as well at some point. But this is one of
those 'among the problems' situations.

Zoom have a lot of problems but most of them are relatively easy to fix
given money and the will to do so. Some are not. The reason Zoom is so easy
to use is in part the almost complete lack of authentication. They just
give you a meeting id and a 'password' which might as well just be part of
the meeting ID given the way it is handled.

I don't think user-to-user encryption is the term we need because that is
what a lot of the video conferencing systems have AES running from one user
to the other. But they don't have user to user security because the key
exchange is happening in a cloud service they control completely (people
using ECB mode probably aren't using threshold techniques).

That is one reason I think we need to go to 'security' rather than just
'encryption'.

For certain applications, we do need to recognize ends other than users. If
Alice is talking to Bob the Broker, the conversation is with an
organization, not just Bob the person. So the endpoints are Alice and the
Brokerage.

But random datacenters run by cloud service providers should never be an
endpoint.

One of the really odd things about the Zoom situation is they seem to have
a thing about wanting to stamp out zoom sex parties using AI to detect
images breaking their 'terms of service'. Suggests a failure to understand
their role.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20200503/3bca2cf3/attachment.htm>

More information about the cryptography mailing list