[VOIPSEC] ZRTP Security?

Saverio Niccolini Saverio.Niccolini at netlab.nec.de
Tue Mar 14 04:09:38 CST 2006


Hi all,

We have invited Phil to give a talk at the IEEE workshop on VoIP
Management and Security:
http://www.noms2006.org/content/workshop.html#voip
He will give the talk remotely by videoconference on ZRTP (depending on
the availability of the internet connection at the conference location).

The keynote will be given by Cullen Jennings on security standardisation
at the IETF (this is confirmed now).
This information is not yet on the web page but we are going to update
it soon.

Jonathan Zar is also going to be there as a panelist.

Cheers,
Saverio 

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Dan Wing
> Sent: Tuesday, March 14, 2006 9:37 AM
> To: Gupta, Sachin
> Cc: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] ZRTP Security?
> 
> Gupta, Sachin wrote:
> > Hi,
> >  
> > I went through the ZRTP draft and I have doubts on how can this be used for
> > doing a secure communication
> >  
> > 1) How would one be able to send a FAX securely. Fax machine would not be
> > able to read the string to verify the man-in-middle is not present.
> 
> The first call between those two fax machines would have to be between
> humans.  Subsequent calls between those fax machines on the same lines
> would be encrypted.  That isn't really an insurmountable barrier.
> 
> Several fax vendors include support for encrypted faxing as well.
> 
> > 2) How can I be sure that I am talking to the person, whom I intended
> > to, if I am not familiar with the voice. What if I am calling some Bank
> > regarding my accounts information. I have no idea that I am indeed
> > talking to the person in bank only. The draft mentions that
> > "it's only necessary that they detect that the  voice used for the SAS
> > procedure matches the voice in the rest of the  phone call."
> >  
> > How would this confirm the identity of the person I am talking to??
> 
> In that case you don't care about the identity of the person you're 
> talking to (Mary Sue), but rather the identity of the company they 
> represent (Bank of the World).
> 
> ZRTP doesn't prohibit validating the key fingerprint out of band.
> 
> For example, your bank could provide you with the key fingerprint they
> will use for communications.  That could be supplied on your monthly
> statement or with the information you received when you opened your bank
> account.
> 
> -d
> 
> 
> 
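A simplified model of the two points in the quoted reply (a spoken SAS on the first call, unattended checks on later calls), added here as an example; it is not code from the thread or from the ZRTP draft. The toy DH group, hash labels, function names and cached value are assumptions and do not reproduce ZRTP's actual key derivation or message format.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group for illustration only (far too small for real use).
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_secret(priv, peer_pub, retained=b""):
    """Hash the DH result with any secret cached from an earlier verified call."""
    dh = pow(peer_pub, priv, P).to_bytes(16, "big")
    return hashlib.sha256(dh + retained).digest()

def agree(retained_x=b"", retained_y=b""):
    """One key agreement between two parties; returns each side's secret."""
    x_priv, x_pub = keypair()
    y_priv, y_pub = keypair()
    return (session_secret(x_priv, y_pub, retained_x),
            session_secret(y_priv, x_pub, retained_y))

def sas(secret):
    """Short string each human reads aloud (16 bits, shown as 4 hex digits)."""
    return hashlib.sha256(b"SAS" + secret).hexdigest()[:4]

def confirm(secret):
    """Key-confirmation tag that an endpoint checks without human help."""
    return hmac.new(secret, b"confirm", hashlib.sha256).digest()

def spoken_sas_matches(interposed):
    """First call: do caller and callee end up reading the same SAS?"""
    if not interposed:
        a, b = agree()
    else:
        a, _ = agree()  # leg 1: caller <-> relay
        _, b = agree()  # leg 2: relay <-> callee
    return sas(a) == sas(b)

def machine_check_passes(interposed, retained):
    """Does the caller accept its peer's confirmation tag with no human involved?"""
    # A relay completes the DH exchange but never learned the cached secret.
    peer_retained = b"" if interposed else retained
    a, peer = agree(retained, peer_retained)
    return hmac.compare_digest(confirm(a), confirm(peer))

CACHED = b"constructed-secret-from-verified-first-call"  # sample value
```

With no cached secret, `machine_check_passes(True, b"")` returns True, which is why the first call needs humans comparing the SAS; once both endpoints hold `CACHED`, the same check fails against a relay without anyone reading anything aloud.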



