[VOIPSEC] zFone
Alexander Philipp Lintenhofer
lintenhofer at aon.at
Wed Sep 14 11:06:54 BST 2005
Thank you for your answer, Brian.
DH negotiation with additional voice recognition/key verification to prevent
replay or man-in-the-middle attacks is a really good idea. In my opinion it is even
more secure than PSTN communication in circuit-switched networks.
regards,
Philipp
Quoting Brian Kim <bmhkim at gmail.com>:
> On 9/12/05, Alexander Ph. Lintenhofer <lintenhofer at aon.at> wrote:
>> I just read about Phil Zimmermann's new invention zFone and would like to
>> ask you about your opinion. What do you think about the
>> authentication/identification scheme without a PKI?
>
> I had the good fortune to be able to attend his briefing at Black Hat
> and get a first hand look at Zimmermann's demo. I must say that it
> looks like it has reasonably strong security, if for no other reason,
> because of the nature of the media being transmitted. I'm not sure how
> much you've read about it, but my understanding is that the phone uses
> Diffie-Hellman key exchange to agree on cipher keys, then expects its
> users to voice verify keys.
>
> Ultimately, the security of this system relies on the difficulty of
> successfully accomplishing a man-in-the-middle attack (or breaking the
> AES encryption algorithm). This can range from a more trivial audio
> substitution of the key during voice verification (which will likely
> be subject to just plain sounding different during key verification)
> to having a person (or more than one person) sit in the middle and
> speak the two parts. Of course, the latter strategy would almost
> certainly introduce errors as well as additional delay, which will
> likely push it into the realm of unacceptability.
>
> I think it's a good solution which is adequate for typical privacy
> needs. However, all Zimmermann has managed to do is find a niche in
> which PKI probably isn't necessary in the general case.
>
> Brian
>
> (of course, this is all my opinion and strictly my opinion --
> especially not that of my employer(s), the government, god or my cat)
>
>
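The mechanism Brian describes (Diffie-Hellman to agree on keys, then a short string that both parties read aloud) can be modelled directly. The following is an added example written for this thread, not code from Zfone or from either poster; it uses a constructed toy group and a simplified SAS derivation (both assumptions), and shows why an interposed party who runs two separate DH sessions ends up with mismatched strings at the two endpoints.

```python
import hashlib
import secrets

# Constructed toy group for a fast demo: p = 2**255 - 19 is prime, generator 2.
# A deployed protocol would use a standard, much larger safe-prime group.
P = 2**255 - 19
G = 2
Z_BASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def sas(secret, initiator_pub, responder_pub):
    """Short authentication string: 20 bits of a hash over the shared secret
    and both public values, rendered as 4 z-base-32 characters. Simplified
    stand-in for the real ZRTP derivation (an assumption, not the spec)."""
    data = b"".join(x.to_bytes(32, "big") for x in (secret, initiator_pub, responder_pub))
    bits = int.from_bytes(hashlib.sha256(data).digest()[:3], "big") >> 4
    return "".join(Z_BASE32[(bits >> shift) & 31] for shift in (15, 10, 5, 0))


def run_honest():
    """Alice (initiator) and Bob (responder) exchange public values directly.
    Both derive the same secret, so the strings they read aloud match."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    sas_alice = sas(shared_secret(a_priv, b_pub), a_pub, b_pub)
    sas_bob = sas(shared_secret(b_priv, a_pub), a_pub, b_pub)
    return sas_alice, sas_bob


def run_mitm():
    """An interposed party replaces each public value with its own, producing
    two separate DH sessions. Each endpoint derives a different secret, so the
    strings differ (with probability 1 - 2**-20): the spoken comparison is the
    check that exposes the substitution."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    sas_alice = sas(shared_secret(a_priv, m_pub), a_pub, m_pub)  # Alice received m_pub
    sas_bob = sas(shared_secret(b_priv, m_pub), m_pub, b_pub)    # Bob received m_pub
    return sas_alice, sas_bob
```

The mismatch only helps if the two people actually compare the strings in their own voices, which is the residual risk Brian's audio-substitution remarks are about.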