alan.johnston at mci.com
Fri Sep 23 02:20:00 BST 2005
Phil's Zfone protocol provides excellent confidentiality for the media
session. By itself, it does not provide authentication. We are looking
at how it can utilize a shared secret from the signaling layer (perhaps
generated using a D-H exchange as you suggest) and then mix this in with
the D-H in the signaling to provide the ultimate in confidentiality and
authentication of the media session.
At VON this week, Phil spoke and did another demo and we also had
excellent discussions about the protocol. Phil also committed to
bringing the protocol to the IETF where I'm sure it will generate a lot
of interest and excitement.
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Duffy, Mark
> Sent: Thursday, September 22, 2005 10:03 AM
> To: Jon Callas; Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] zFone
> Hi Jon, and thanks for the info.
> I have a question on your statement below -- If one uses D-H
> authenticated by self-signed certs, and caches the cert (or
> the public key, or a hash of the public key) of parties that
> have been previously talked to, won't that provide the same
> "forward secrecy" you describe below?
> In fact, this would let Alice verify that she is talking with
> the same Bob as last time, even if Bob didn't retain any
> information about Alice. It's not completely clear how the
> zFone uses the saved hash of the D-H key but the suggestion I
> saw in one press report was that it is fed back into the hash
> of the next key generation. I suspect that would not work
> for either party if one of the parties has discarded their saved hash.
> Also, self-signed certs would appear to have an advantage in
> that where and when PKI's are available, there would be a
> direct migration path to using CA-signed certs. I suppose a
> downside might be the computational cost for the public key
> -- Thanks, Mark
> P.S. In case it isn't obvious, I am not supposing to suggest
> how zFone should be done. Just exploring the issues for the
> wider community.
> > The other major thing that I think is nice about this system
> > is that by using a chain of hashes of the retained shared
> > secrets, you get forward secrecy (which you do not with
> > self-signed certificates) while having an authorization
> > chain. You know that the device you're talking to is the same
> > device that you were talking to in previous calls. If there
> > is some sort of man in the middle, that attack is still present.
> > I'm happy to answer other questions about the zFone protocols.
> > Jon
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voi> psa.org
More information about the Voipsec