[VOIPSEC] ZRTP Security?
Jon Callas
jon at pgpeng.com
Tue Mar 14 10:42:55 CST 2006
On 13 Mar 2006, at 4:11 PM, Gupta, Sachin wrote:
> Hi,
>
> I went through the ZRTP draft and I have doubts on how this can be
> used for doing a secure communication.
>
> 1) How would one be able to send a FAX securely? A fax machine would
> not be able to read the string to verify that a man-in-the-middle is
> not present.
There are a couple of ways this can be handled.
One is that the system that's doing ZRTP could read off the string
with a synthesized voice. That's trivial.
The other is that you ignore it.
One of the advantages of the chained shared secret is that the device
itself knows that it's talking to the same device it was talking to
last time. So if I have a series of calls with you, any man-in-the-
middle has to start in the beginning, and cannot undetectably
disengage from the process.
The cool thing about this is that it increases the burden on the
attacker. The attacker must decide to attack before you and I ever
talk. Also, the attacker can never disengage without being detected.
The spoken code is in many ways icing on the cake.
> 2) How can I be sure that I am talking to the person whom I intended
> to, if I am not familiar with the voice? What if I am calling some
> bank regarding my account information? I have no idea that I am indeed
> talking to the person in the bank only. The draft mentions that
> "it's only necessary that they detect that the voice used for the SAS
> procedure matches the voice in the rest of the phone call."
>
> How would this confirm the identity of the person I am talking to?
>
There is nothing that prohibits me, when you call Dan Wing, from taking
the phone out of his hand and reading off the verification string. Even
today, I can take the phone out of Dan's hand and say, "This is Dan."
You detect me doing this with Zfone the same way you detect me doing
it on POTS.
Jon
--
Jon Callas
CTO, CSO
PGP Corporation
3460 West Bayshore
Palo Alto, CA 94303
USA
Tel: +1 (650) 319-9016
Fax: +1 (650) 319-9001
PGP: ed15 5bdf cd41 adfc 00f3 28b6 52bf 5a46 bc98 e63d
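The chained shared secret that the reply above relies on can be worked through in a small simulation. This is an added example, not code from the original post and not Zfone or any ZRTP implementation: it models ZRTP's retained-secret cache with a toy Diffie-Hellman group (the Mersenne prime 2**521 - 1 with generator 5, not a secure choice), HMAC-SHA256 as a stand-in for the real KDF, and hypothetical names (Endpoint, run_call, scenarios, the "rs1id" and "SAS" labels). Each side commits to the secret cached from the previous call; a peer who cannot match that commitment triggers a warning, which is what forces an attacker to be present from the first call and prevents her from leaving later without being noticed. The short SAS is also derived, so the three scenarios show which attacks the cache catches and where only the spoken string helps.

```python
import base64
import hashlib
import hmac
import secrets

# Toy DH group for the demo: 2**521 - 1 is a Mersenne prime, generator 5 is
# an arbitrary choice.  NOT a secure group; ZRTP uses standardised finite-field
# or elliptic-curve groups.  The whole protocol below is a simplification.
P = 2 ** 521 - 1
G = 5


def kdf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 as a stand-in for ZRTP's key derivation function."""
    return hmac.new(key, label, hashlib.sha256).digest()


class Endpoint:
    """A ZRTP-style phone that caches one retained secret per peer ZID."""

    def __init__(self, zid: str):
        self.zid = zid
        self.cache = {}        # peer ZID -> retained secret from the last call
        self.warnings = []     # cache-mismatch warnings the UI would display

    def start(self, peer_zid: str) -> dict:
        """DH message: public value plus a commitment to the cached secret.
        The peer's ZID is assumed to have been learned from a Hello exchange."""
        self.peer_zid = peer_zid
        self.priv = secrets.randbelow(P - 2) + 2
        rs1 = self.cache.get(peer_zid)
        # Keyed with the sender's ZID so a MITM cannot simply reflect a
        # victim's own commitment back at her.
        rs1_id = kdf(rs1, b"rs1id" + self.zid.encode()) if rs1 else None
        return {"zid": self.zid, "pv": pow(G, self.priv, P), "rs1id": rs1_id}

    def finish(self, msg: dict) -> tuple:
        """Derive call key and SAS from the peer's message, then roll the cache."""
        dh = pow(msg["pv"], self.priv, P).to_bytes(66, "big")
        rs1 = self.cache.get(self.peer_zid)
        if rs1 is not None:
            if msg["rs1id"] != kdf(rs1, b"rs1id" + msg["zid"].encode()):
                # Peer lacks the secret from our last call: a MITM who was not
                # there before, or a lost cache.  Continue without it but flag
                # it, so the user knows to check the SAS this time.
                self.warnings.append(f"retained-secret mismatch with {self.peer_zid}")
                rs1 = None
        zids = b"".join(z.encode() for z in sorted((self.zid, self.peer_zid)))
        s0 = hashlib.sha256(dh + zids + (rs1 or b"")).digest()
        # Chaining: the next call's retained secret is derived from this call's
        # s0, so only a party in this session can continue the chain.
        self.cache[self.peer_zid] = kdf(s0, b"retained secret")
        sas = base64.b32encode(kdf(s0, b"SAS")[:3])[:4].decode()  # 20-bit SAS
        return kdf(s0, b"SRTP master"), sas


def run_call(alice, bob, mallory=None) -> tuple:
    """One call; with mallory, she runs a separate session against each victim.
    Returns (keys_match, sas_match, alice_warned, bob_warned)."""
    wa, wb = len(alice.warnings), len(bob.warnings)
    ma, mb = alice.start(bob.zid), bob.start(alice.zid)
    if mallory is None:
        (ka, sa), (kb, sb) = alice.finish(mb), bob.finish(ma)
    else:
        as_bob, as_alice = mallory                      # her two faces
        to_alice, to_bob = as_bob.start(alice.zid), as_alice.start(bob.zid)
        (ka, sa), (kb, sb) = alice.finish(to_alice), bob.finish(to_bob)
        as_bob.finish(ma), as_alice.finish(mb)          # she keeps both chains
    return ka == kb, sa == sb, len(alice.warnings) > wa, len(bob.warnings) > wb


def scenarios() -> dict:
    """Constructed demo: which situations trip the retained-secret warning."""
    out = {}
    a, b = Endpoint("ZID-alice"), Endpoint("ZID-bob")
    out["honest"] = [run_call(a, b), run_call(a, b)]
    # Attacker appears only on the second call, then drops out again.
    a, b = Endpoint("ZID-alice"), Endpoint("ZID-bob")
    run_call(a, b)
    mal = (Endpoint(b.zid), Endpoint(a.zid))
    out["late_mitm"] = [run_call(a, b, mal), run_call(a, b)]
    # Attacker present from the very first call, then leaves on the third.
    a, b = Endpoint("ZID-alice"), Endpoint("ZID-bob")
    mal = (Endpoint(b.zid), Endpoint(a.zid))
    out["early_mitm"] = [run_call(a, b, mal), run_call(a, b, mal), run_call(a, b)]
    return out


if __name__ == "__main__":
    for name, calls in scenarios().items():
        print(name, calls)
```

In the "honest" case both calls agree on keys and SAS with no warnings. In "late_mitm" the attacker cannot present Alice's or Bob's cached secret, so both phones warn on the attacked call and again on the next honest call, because their caches now hold secrets from two different sessions. In "early_mitm" the attacker's relayed calls raise no warning at all: only comparing the spoken SAS catches her there, which is exactly why the reply calls the cache the main burden on the attacker and the spoken code the icing. The moment she stops relaying, both sides warn.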