[VOIPSEC] ZRTP Security?
Dan Wing
dwing at fuggles.com
Tue Mar 14 02:37:24 CST 2006
Gupta, Sachin wrote:
> Hi,
>
> I went through the ZRTP draft and I have doubts on how this can be used for
> doing a secure communication.
>
> 1) How would one be able to send a FAX securely. Fax machine would not be
> able to read the string to verify the man-in-middle is not present.

The first call between those two fax machines would have to be between
humans. Subsequent calls between those fax machines on the same lines
would be encrypted. That isn't really an insurmountable barrier.
Several fax vendors include support for encrypted faxing as well.

> 2) How can I be sure that I am talking to the person, whom I intended
> to, if I am not familiar with the voice. What if I am calling some Bank
> regarding my accounts information. I have no idea that I am indeed
> talking to the person in bank only. The draft mentions that
> "it's only necessary that they detect that the voice used for the SAS
> procedure matches the voice in the rest of the phone call."
>
> How would this confirm the identity of the person I am talking to??

In that case you don't care about the identity of the person you're
talking to (Mary Sue), but rather the identity of the company they
represent (Bank of the World).

ZRTP doesn't prohibit validating the key fingerprint out of band.
For example, your bank could provide you with the key fingerprint they
will use for communications. That could be supplied on your monthly
statement or with the information you received when you opened your bank
account.
-d
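
A simplified model of the key continuity described in the reply above (first call verified by humans, later unattended calls protected by a cached secret), added here as an illustration and not part of the original message or the ZRTP draft. The toy DH group, the HMAC-based derivation and all function names are assumptions; this is not the ZRTP wire format or its key derivation.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3          # toy DH group (assumption), far too small for real use
NO_SECRET = bytes(32)         # cache state before any verified call

def keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def derive(dh_shared, retained):
    """Session key = HMAC(retained secret, DH result); also yields the next cache value."""
    key = hmac.new(retained, dh_shared.to_bytes(16, "big"), hashlib.sha256).digest()
    sas = hashlib.sha256(b"sas" + key).hexdigest()[:4]   # short string humans compare
    next_retained = hashlib.sha256(b"retained" + key).digest()
    return key, sas, next_retained

def call(cache_a, cache_b, mitm=False):
    """One call. Returns (A's view, B's view, attacker's view of A's leg or None)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if not mitm:
        return (derive(pow(b_pub, a_priv, P), cache_a),
                derive(pow(a_pub, b_priv, P), cache_b), None)
    m_priv, m_pub = keypair()   # attacker substitutes its own public value on both legs
    view_a = derive(pow(m_pub, a_priv, P), cache_a)
    view_b = derive(pow(m_pub, b_priv, P), cache_b)
    view_m = derive(pow(a_pub, m_priv, P), NO_SECRET)    # attacker has no cached secret
    return view_a, view_b, view_m

def demo():
    # Call 1: humans compare the SAS aloud, then both endpoints cache the secret.
    a1, b1, _ = call(NO_SECRET, NO_SECRET)
    first_ok = a1[1] == b1[1] and a1[0] == b1[0]
    # Call 2: unattended (fax to fax); nobody reads a SAS, keys still agree.
    a2, b2, _ = call(a1[2], b1[2])
    unattended_ok = a2[0] == b2[0]
    # Call 3: attacker interposes on an unattended call but lacks the cached secret.
    a3, b3, m3 = call(a2[2], b2[2], mitm=True)
    attacker_locked_out = m3[0] != a3[0] and a3[0] != b3[0]
    # Contrast: attacker present on a first call where nobody checks the SAS.
    a4, _, m4 = call(NO_SECRET, NO_SECRET, mitm=True)
    unverified_first_call_exposed = m4[0] == a4[0]
    return first_ok, unattended_ok, attacker_locked_out, unverified_first_call_exposed

if __name__ == "__main__":
    print(demo())
```

The last case shows why the first call needs the human SAS check: without it, nothing distinguishes the attacker's leg from a legitimate one.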