Encryption is not sufficient

If you wish to provide a high level of personal integrity and privacy, encryption alone is not sufficient.

  • C. V. Wright, L. Ballard, S. E. Coull, F. Monrose, and G. M. Masson, “Uncovering spoken phrases in encrypted voice over IP conversations,” ACM Transactions on Information and System Security, vol. 13, pp. 35:1 – 35:30, Dec. 2010.
  • L. Khan, M. Baig, and A. M. Youssef, “Speaker recognition from encrypted VoIP communications,” Digital Investigation, vol. 7, pp. 65–73, Oct. 2010.

Vasily Prokopov, “Eavesdropping on encrypted VoIP conversations: phrase spotting attack and defense approaches”, 1st place, 5 May 2012 at Kaspersky Lab IT Security for the Next Generation - European Cup 2012

http://vasilyprokopov.com/publications_files/Eavesdropping_on_encrypted_VoIP_conversations.pdf, http://www.kaspersky.com/images/european_cup_2012_march5_Vasily%20Prokopov.pdf, and (formerly) http://web.ict.kth.se/~chyrkov/conference_kaspersky_2012.pdf


Transcript

[slide416] But it turns out encryption's not enough. The fact that you encrypt your voice communication doesn't mean that someone can't tell what you were saying. And if you're using CODECs that use compression and variable length encoding, it turns out that if you can guess which language it is, you can probably build a model that will tell you how to reverse the pattern of the lengths of the packets and their spacing to yes, know the plain text that the people were speaking. So Vasily Prokopov did a very interesting paper in this course a number of years ago, and he subsequently won first place in the European Kaspersky's lab [European Cup] for showing a method to prevent that. Because what do you have to do? You have to make sure that all of your packets look the same, no matter what the CODEC did when it processed it, and to make sure that there's no observable pattern in the traffic pattern that would reveal what the plain text was.
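The leak and the defense the transcript describes, as an added example that is not part of the lecture or the cited papers: what a passive observer sees of a variable-bitrate voice stream (packet gaps and sizes), and the constant-size, constant-cadence shaping that removes the pattern. The frame sizes and timings are constructed, not real codec output.

```python
"""Added example, not from the lecture or the papers it cites: an observer's
view of a VBR voice stream and the fixed size, fixed cadence shaping defense."""
import math
from collections import Counter

# Constructed input, not real codec output: (send time in ms, payload bytes).
# In a VBR codec the frame size tracks the sound being encoded and silence
# suppression stretches the gaps; both are what the cited attacks exploit.
PHRASE_A = [(0, 38), (20, 42), (40, 42), (60, 55), (80, 60), (100, 38), (160, 30)]
PHRASE_B = [(0, 30), (20, 30), (40, 38), (60, 60), (80, 60), (120, 55), (140, 42)]

def on_the_wire(stream):
    """What an eavesdropper sees without the key: (gap since previous packet,
    size) for every packet after the first."""
    times = [t for t, _ in stream]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return list(zip(gaps, [size for _, size in stream[1:]]))

def entropy_bits(symbols):
    """Shannon entropy of the observed symbols; 0 means the trace is the same
    for every input and carries nothing about the speech."""
    n = len(symbols)
    return sum(-(c / n) * math.log2(c / n) for c in Counter(symbols).values())

def shape(stream, frame_size, interval_ms, duration_ms):
    """Defense from the slide: one frame of frame_size every interval_ms for the
    whole session, real frames padded up, dummy frames filling the silences.
    Assumes at most one real frame per slot (interval_ms <= codec frame period).
    Returns (send time, size, is_dummy) triples; the observer sees only the first two."""
    if any(size > frame_size for _, size in stream):
        raise ValueError("a frame exceeds frame_size; raise the fixed size")
    real_slots = {t // interval_ms for t, _ in stream}
    if len(real_slots) != len(stream):
        raise ValueError("two frames fell in one slot; shorten interval_ms")
    return [(slot * interval_ms, frame_size, slot not in real_slots)
            for slot in range(duration_ms // interval_ms)]

def padding_overhead(stream, shaped):
    """Bytes on the wire divided by payload bytes: the bandwidth price paid."""
    return sum(size for _, size, _ in shaped) / sum(size for _, size in stream)

if __name__ == "__main__":
    for name, phrase in (("A", PHRASE_A), ("B", PHRASE_B)):
        raw = on_the_wire(phrase)
        shaped = shape(phrase, frame_size=60, interval_ms=20, duration_ms=200)
        wire = on_the_wire([(t, s) for t, s, _ in shaped])
        print(name, f"{entropy_bits(raw):.2f} bits -> {entropy_bits(wire):.2f} bits,"
              f" overhead x{padding_overhead(phrase, shaped):.2f}")
```

The remaining observable is the session length and the fixed rate, which is why the shaping has to run for the whole call rather than only while someone is speaking.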