mduffy at sonusnet.com
Thu Sep 15 23:08:11 BST 2005
Aside from the fact that zFone apparently does the key negotiation in
the media plane rather than the signaling plane (which is a thing for
another interesting discussion), it seems to me that it is not too
different than using MIKEY with D-H and self-signed certs. After
setting up the voice connection, use it to verify a hash of the D-H value or
the respective public keys.
With caching of the remote party's cert you would only have to make that
leap of faith on the first occasion. This strategy has been very
successful for ssh. The difficulty of a successful mitm attack on a
voice call with human-human verification should be higher than for ssh
where there is not such a verification.
Of course neither zFone nor MIKEY with self-signed certs protects you
against having your entire session with an imposter.
> Thank you for your answer, Brian.
> DH-Negotiation with additional voice recognition/key
> verification preventing replay or man-in-the-middle attacks
> is a really good idea. In my opinion even more secure than
> PSTN-communication in circuit switched networks.
> Quoting Brian Kim <bmhkim at gmail.com>:
> > On 9/12/05, Alexander Ph. Lintenhofer <lintenhofer at aon.at> wrote:
> >> I just read about Phil Zimmermann's new invention zFone and would like
> >> to ask you about your opinion. What do you think about the
> >> authentication/identification scheme without a PKI?
> > I had the good fortune to be able to attend his briefing at Black Hat
> > and get a first hand look at Zimmermann's demo. I must say that it
> > looks like it has reasonably strong security, if for no other reason,
> > because of the nature of the media being transmitted. I'm not sure how
> > much you've read about it, but my understanding is that the phone uses
> > Diffie-Hellman key exchange to agree on cipher keys, then expects its
> > users to voice verify keys.
> > Ultimately, the security of this system relies on the difficulty of
> > successfully accomplishing a man-in-the-middle attack (or breaking the
> > AES encryption algorithm). This can range from a more trivial audio
> > substitution of the key during voice verification (which will likely
> > be subject to just plain sounding different during key
> > to having a person (or more than one person) sit in the middle and
> > speak the two parts. Of course, the latter strategy would almost
> > certainly introduce errors as well as additional delay, which will
> > likely push it into the realm of unacceptability.
> > I think it's a good solution which is adequate for typical privacy
> > needs. However, all Zimmermann has managed to do is find a niche in
> > which PKI probably isn't necessary in the general case.
> > Brian
> > (of course, this is all my opinion and strictly my opinion --
> > especially not that of my employer(s), the government, god or my cat)
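
The two checks discussed in this message (reading a hash of the D-H values over the voice channel, and caching the remote party's cert so the leap of faith is made only once, as with ssh) are shown below as an added example that is not part of the original post and is not zFone or MIKEY code. The toy-sized group, the 4-hex-digit truncation, the sample inputs and all names are assumptions.

```python
import hashlib

# Toy-sized group for illustration only (assumption); real deployments use
# standardized groups of 2048 bits or more.
P = 2**127 - 1
G = 3

def dh_public(private: int) -> bytes:
    """Public D-H value g^x mod p as fixed-width bytes."""
    return pow(G, private, P).to_bytes(16, "big")

def short_auth_string(pub_x: bytes, pub_y: bytes, digits: int = 4) -> str:
    """Hash of both D-H values, truncated so it can be read aloud.
    Sorting the inputs makes both ends derive the same string."""
    digest = hashlib.sha256(b"".join(sorted([pub_x, pub_y]))).hexdigest()
    return digest[:digits]

class PinCache:
    """ssh-style cache: remember the first cert seen for each peer."""
    def __init__(self):
        self._pins = {}

    def check(self, peer: str, cert: bytes) -> str:
        fp = hashlib.sha256(cert).hexdigest()
        known = self._pins.get(peer)
        if known is None:
            self._pins[peer] = fp
            return "first-use"  # leap of faith: confirm by voice now
        return "match" if known == fp else "changed"

def demo():
    # Constructed private exponents, fixed so the run is repeatable.
    alice, bob, middle = (dh_public(x) for x in (0x1111, 0x2222, 0x3333))
    # Direct call: both ends hash the same pair and read the same string.
    direct = (short_auth_string(alice, bob), short_auth_string(bob, alice))
    # Substituted value in the path: each end hashes a different pair,
    # so the strings spoken at the two ends no longer agree.
    relayed = (short_auth_string(alice, middle), short_auth_string(middle, bob))
    cache = PinCache()
    states = [cache.check("bob", b"constructed-cert-1"),
              cache.check("bob", b"constructed-cert-1"),
              cache.check("bob", b"constructed-cert-2")]
    return direct, relayed, states

if __name__ == "__main__":
    print(demo())
```

A "changed" result is the point at which a client would stop and require a fresh voice comparison before trusting the new cert.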