[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ZRTP, Key Continuity, and bump in the stack

To: EKR <ekr@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: ZRTP, Key Continuity, and bump in the stack
From: Randell Jesup <rjesup@xxxxxxxxx>
Date: Sun, 18 Mar 2007 13:17:43 -0400
Cc: ietf-rtpsec@xxxxxxx
In-reply-to: <20070318150727.013121CC22@xxxxxxxxxxxxxx> (ekr@xxxxxxxxxxxxxxxxxxxx's message of "Sun, 18 Mar 2007 08:07:26 -0700")
List-archive: <http://www.imc.org/ietf-rtpsec/mail-archive/>
List-id: <ietf-rtpsec.imc.org>
List-unsubscribe: <mailto:ietf-rtpsec-request@imc.org?body=unsubscribe>
References: <20070318150727.013121CC22@xxxxxxxxxxxxxx>
Reply-to: Randell Jesup <rjesup@xxxxxxxxx>
Sender: owner-ietf-rtpsec@xxxxxxxxxxxx
User-agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux)

EKR <ekr@xxxxxxxxxxxxxxxxxxxx> writes:
>> There is one easy way - if the ZRTP bump-in-wire app notifies the user when
>> a ZID is new, then the first time Bob calls Alice in the above scenario, he
>> won't get the expected "new contact" notification.
>
>But this won't protect Bob and Alice after their initial 
>communication. The attacker can mount this attack at will
>afterward... And since the point is to attack the connection
>between two people who mean to talk to each other, it's
>reasonably likely they've done so in the past...

That's a good point; without realizing it I was assuming a linkage
between the address and the ZID (again).

Your point means that the attack can be initiated against people who have
talked to each other before - just do a call to each, than at will
tap individual calls.  Unless they read off the SAS (or ZID) on EVERY call,
they don't know if they're being tapped.  

Correct me if I'm wrong (I'm not a crypto/security expert, I just implement
phones including SRTP), but doesn't this pretty much destroy the whole
advantage of ZRTP's key-chaining?  (For bump-in-wire mode, when signalling
access doesn't exist.)  Key chaining still offers utility when combined
with some way to correlate that against whom/what you're calling, and
probably when receiving calls (I'd need to think more about that, but I
suspect it's ok).  Or you'll need to get the user to manually add info to
stored ZIDs with the putatative identity of the other party, or at least
confirm an identity transferred in the ZRTP exchange, and show it again
on every call (not just ones where SAS is done).

Hmmm.

>> I'll leave as a exercise for others how well that will work in practice
>> with non-protocol-aware users.  My suspicion is that most users won't
>> take any notice, or in many cases assume they (or someone on the same
>> device) had called Alice.
>
>I agree with that assessment.

-- 
Randell Jesup, Worldgate (developers of the Ojo videophone), ex-Amiga OS team
rjesup@xxxxxxxxx
"The fetters imposed on liberty at home have ever been forged out of the weapons
provided for defence against real, pretended, or imaginary dangers from abroad."
		- James Madison, 4th US president (1751-1836)

Follow-Ups:
- Re: ZRTP, Key Continuity, and bump in the stack
  - From: Werner Dittmann

References:
- Re: ZRTP, Key Continuity, and bump in the stack
  - From: EKR

Prev by Date: Re: ZRTP, Key Continuity, and bump in the stack
Next by Date: Re: ZRTP, Key Continuity, and bump in the stack
Previous by thread: Re: ZRTP, Key Continuity, and bump in the stack
Next by thread: Re: ZRTP, Key Continuity, and bump in the stack
Index(es):
- Date
- Thread