[VOIPSEC] ZRTP Security?
Dan Wing
dwing at fuggles.com
Tue Mar 14 09:31:57 CST 2006
Gupta, Sachin wrote:
> [Sachin] : This will be used for my verification. I am concerned
> about the case where I call someone (whom I do not know before) and there
> is some adversary who pretends that he is that man (whom I intended to
> call). Since my SDP signaling went in clear, this is possible.
> In this case the voice for confirmation will match the voice in the rest of
> the conversation as well.
Here is a real-life analogy to the attack you're describing:

If you didn't know the person before, and you agreed to meet at a
certain location at a certain time, you would have a similar
identification problem in real life. An adversary could have bonked
your contact on the head and you might be meeting the adversary.

This is an introduction problem. PKIs were invented as a way to
solve it. PGP (as used in email, for example) was invented as a
way to solve it.

zRTP doesn't prohibit you verifying someone's fingerprint via
an external system such as, for example, a PGP web of trust.

-d