[VOIPSEC] ZRTP Security?

Philip Zimmermann prz at mit.edu
Tue Mar 14 11:35:40 CST 2006 

We make no attempt whatsoever to confirm the identity of the person.   
Frankly, we don't care.  What if my daughter answers my house phone?   
Should we sound the klaxon horn?  What if she is expecting a call  
from her boyfriend, and *I* answer?  Sometimes the wrong person is in  
fact the right person.  This is not important for making a secure call.

Regarding your assertion that a man in the middle attack was not  
possible in the POTS world, I disagree.  The reason why we don't  
worry about a man in the middle attack in the POTS world is because  
it is not needed to perform a wiretap.  But a wiretapper could choose  
to be an active wiretapper if he chose to.  He simply doesn't need to  
in order to carry out a passive wiretap.

-prz

On Mar 14, 2006, at 9:06 AM, Gupta, Sachin wrote:

>
>
> -----Original Message-----
> From: Jon Callas [mailto:jon at pgpeng.com]
> Sent: Tuesday, March 14, 2006 11:43 AM
> To: Gupta, Sachin
> Cc: Voipsec at voipsa.org; Phil Zimmermann
> Subject: Re: [VOIPSEC] ZRTP Security?
>
>
> On 13 Mar 2006, at 4:11 PM, Gupta, Sachin wrote:
>
>> Hi,
>>
>> I went thru the ZRTP draft and i have doubts on how can this be used
>> for doing a secure communication
>>
>> 1)How would one be able to send a FAX securely. Fax machine would not
>> be able to read the string to verify the man-in-middle is not  
>> present.
>
> There are a couple ways this can be handled.
>
> One is that the system that's doing ZRTP could read off the string  
> with
> a synthesized voice. That's trivial.
>
> The other is that you ignore it.
>
> One of the advantages of the chained shared secret is that the device
> itself knows that it's talking to the same device it was talking to  
> last
> time. So if I have a series of calls with you, any man-in-the- middle
> has to start in the beginning, and cannot undetectably disengage from
> the process.
>
> The cool thing about this is that it increases the burden on the
> attacker. The attacker must decide to attack before you and I ever  
> talk.
> Also, the attacker can never disengage without being detected.
>
> The spoken code it in many ways icing on the cake.
>
>> 2) How can i be sure that i am talking to the person, whom i intended
>> to, if i am not familiar with the voice. What if i am calling some
>> Bank regarding my accounts information. I have no idea that i am
>> indeed talking to the person in bank only. The draft mentions that
>> "it's only necessary that they detect that the  voice used for the  
>> SAS
>
>> procedure matches the voice in the rest of the  phone call."
>>
>> How would this confirm the identity of the person i am talking to??
>>
>
> There is nothing that prohibits me, when you call Dan Wing, to take  
> the
> phone out of his hand and read off the verification string. Even  
> today,
> I can take the phone out of Dan's hand and say, "This is Dan."
> You detect me doing this with zFone, the same way you detect me  
> doing it
> on POTS.
>
> [Sachin] : In POTS, I am not sure if there is a way that a man-in- 
> middle
> attack like this can happen. My question is more to do towards the  
> fact
> that I am atleast connected to the phone which I am supposed to. The
> example you mentioned "take the phone out of Dan's hand " is something
> which will never be solved by internet security. This needs physical
> security for Dan's house.
>
> The fact that if the man-in-middle was not present in the first  
> call, he
> will never be able to get in future is good. Even if there are less
> chances for the adversary to be present in the first call, it is still
> possible. May be some other key-exchange(like MIKEY/TLS) combined with
> ZRTP would solve the purpose.
>
>
> 	Jon
>
> --
> Jon Callas
> CTO, CSO
> PGP Corporation         Tel: +1 (650) 319-9016
> 3460 West Bayshore      Fax: +1 (650) 319-9001
> Palo Alto, CA 94303     PGP: ed15 5bdf cd41 adfc 00f3
> USA                          28b6 52bf 5a46 bc98 e63d
> 	
>
>

----------------------------------------------
Philip R Zimmermann        prz at mit.edu
http://philzimmermann.com  tel +1 650 322-7223
(spelled with 2 n's)       fax +1 650 322-7877

More information about the Voipsec mailing list