[VOIPSEC] ZRTP Security?

Gupta, Sachin s-gupta2 at ti.com
Tue Mar 14 12:06:31 CST 2006


Thanks All for your responses,
I am clarifying my doubts here. I think I am unable to present my doubt
properly. Let me make another attempt here.

Suppose I want to call Phone number X. I do not care whosoever family
member, where X is installed, picks up the phone. But I want to make
sure that I am connected to Phone X and not another phone Y. Since my
SDP is going in clear-text anybody can look at the IP address and get
connected to me. This kind of attack is less likely in POTS as the
attacker will have difficulty in changing his phone number or he needs
to do modifications in the telephone gateways (for either case he needs
to have some contact with Tel companies).


Sachin 

-----Original Message-----
From: Philip Zimmermann [mailto:prz at mit.edu] 
Sent: Tuesday, March 14, 2006 12:36 PM
To: Gupta, Sachin
Cc: Jon Callas; Voipsec at voipsa.org
Subject: Re: [VOIPSEC] ZRTP Security?

We make no attempt whatsoever to confirm the identity of the person.   
Frankly, we don't care.  What if my daughter answers my house phone?   
Should we sound the klaxon horn?  What if she is expecting a call from
her boyfriend, and *I* answer?  Sometimes the wrong person is in fact
the right person.  This is not important for making a secure call.

Regarding your assertion that a man in the middle attack was not
possible in the POTS world, I disagree.  The reason why we don't worry
about a man in the middle attack in the POTS world is because it is not
needed to perform a wiretap.  But a wiretapper could choose to be an
active wiretapper if he chose to.  He simply doesn't need to in order to
carry out a passive wiretap.

-prz

On Mar 14, 2006, at 9:06 AM, Gupta, Sachin wrote:

>
>
> -----Original Message-----
> From: Jon Callas [mailto:jon at pgpeng.com]
> Sent: Tuesday, March 14, 2006 11:43 AM
> To: Gupta, Sachin
> Cc: Voipsec at voipsa.org; Phil Zimmermann
> Subject: Re: [VOIPSEC] ZRTP Security?
>
>
> On 13 Mar 2006, at 4:11 PM, Gupta, Sachin wrote:
>
>> Hi,
>>
>> I went thru the ZRTP draft and I have doubts on how can this be used 
>> for doing a secure communication
>>
>> 1) How would one be able to send a FAX securely. Fax machine would not
>> be able to read the string to verify the man-in-middle is not 
>> present.
>
> There are a couple ways this can be handled.
>
> One is that the system that's doing ZRTP could read off the string 
> with a synthesized voice. That's trivial.
>
> The other is that you ignore it.
>
> One of the advantages of the chained shared secret is that the device 
> itself knows that it's talking to the same device it was talking to 
> last time. So if I have a series of calls with you, any 
> man-in-the-middle has to start in the beginning, and cannot 
> undetectably disengage from the process.
>
> The cool thing about this is that it increases the burden on the 
> attacker. The attacker must decide to attack before you and I ever 
> talk.
> Also, the attacker can never disengage without being detected.
>
> The spoken code is in many ways icing on the cake.
>
>> 2) How can I be sure that I am talking to the person, whom I intended
>> to, if I am not familiar with the voice. What if I am calling some 
>> Bank regarding my accounts information. I have no idea that I am 
>> indeed talking to the person in bank only. The draft mentions that 
>> "it's only necessary that they detect that the voice used for the 
>> SAS procedure matches the voice in the rest of the phone call."
>>
>> How would this confirm the identity of the person I am talking to??
>>
>
> There is nothing that prohibits me, when you call Dan Wing, to take 
> the phone out of his hand and read off the verification string. Even 
> today, I can take the phone out of Dan's hand and say, "This is Dan."
> You detect me doing this with zFone, the same way you detect me doing 
> it on POTS.
>
> [Sachin]: In POTS, I am not sure if there is a way that a 
> man-in-middle attack like this can happen. My question is more to do 
> towards the fact that I am at least connected to the phone which I am 
> supposed to. The example you mentioned "take the phone out of Dan's 
> hand" is something which will never be solved by internet security. 
> This needs physical security for Dan's house.
>
> The fact that if the man-in-middle was not present in the first call, 
> he will never be able to get in future is good. Even if there are less
> chances for the adversary to be present in the first call, it is still
> possible. Maybe some other key exchange (like MIKEY/TLS) combined with
> ZRTP would solve the purpose.
>
>
> 	Jon
>
> --
> Jon Callas
> CTO, CSO
> PGP Corporation         Tel: +1 (650) 319-9016
> 3460 West Bayshore      Fax: +1 (650) 319-9001
> Palo Alto, CA 94303     PGP: ed15 5bdf cd41 adfc 00f3
> USA                          28b6 52bf 5a46 bc98 e63d
> 	
>
>

----------------------------------------------
Philip R Zimmermann        prz at mit.edu
http://philzimmermann.com  tel +1 650 322-7223
(spelled with 2 n's)       fax +1 650 322-7877
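
The key-continuity property Jon Callas describes in the thread above (a chained shared secret that forces a man-in-the-middle to be present from the first call and never leave), as an added illustration that is not part of the original messages. It is a simplified Python model, not the ZRTP key derivation; the `Device` class, `leg` function, toy Diffie-Hellman group and peer labels are assumptions made for the example.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3  # toy Diffie-Hellman group (assumption), far too small for real use

class Device:
    def __init__(self):
        self.retained = {}  # peer label -> secret kept from the previous call

    def offer(self):
        self._x = secrets.randbelow(P - 2) + 1
        return pow(G, self._x, P)

    def derive(self, peer, peer_pub):
        dh = pow(peer_pub, self._x, P).to_bytes(16, "big")
        # The session key mixes the fresh DH result with the retained secret.
        s0 = hashlib.sha256(dh + self.retained.get(peer, b"")).digest()
        # Chain forward: the next call depends on this call's key.
        self.retained[peer] = hmac.new(s0, b"retained", hashlib.sha256).digest()
        return s0

def leg(x, x_peer, y, y_peer):
    """One key agreement between x and y. True means both derived the same
    key, so key confirmation succeeds and neither device raises an alarm."""
    px, py = x.offer(), y.offer()
    return x.derive(x_peer, py) == y.derive(y_peer, px)

def mitm_joins_late():
    alice, bob, m_a, m_b = Device(), Device(), Device(), Device()
    clean = leg(alice, "bob", bob, "alice")     # call 1: no attacker
    to_alice = leg(alice, "bob", m_a, "alice")  # call 2: attacker faces Alice
    to_bob = leg(m_b, "bob", bob, "alice")      # call 2: attacker faces Bob
    return clean, to_alice, to_bob

def mitm_disengages():
    alice, bob, m_a, m_b = Device(), Device(), Device(), Device()
    # Call 1: attacker present from the start; the devices cannot tell
    # (only comparing the spoken string could).
    call1 = leg(alice, "bob", m_a, "alice") and leg(m_b, "bob", bob, "alice")
    call2 = leg(alice, "bob", bob, "alice")     # call 2: attacker has left
    return call1, call2

def mitm_stays(calls=3):
    alice, bob, m_a, m_b = Device(), Device(), Device(), Device()
    return all(leg(alice, "bob", m_a, "alice") and leg(m_b, "bob", bob, "alice")
               for _ in range(calls))

if __name__ == "__main__":
    print(mitm_joins_late(), mitm_disengages(), mitm_stays())
```

A `False` in any position is a call on which the devices' keys disagree, which is the point at which the endpoints would flag the mismatch.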
