Talk:ZRTP
From Wikipedia, the free encyclopedia
[edit] Guarantee of no MITM is too strong
The article says
If the values on both ends match, it is guaranteed that there is no man-in-middle.
I think that's too strong a statement. For example:
- Alice calls Bob, but unbeknownst to either of them, Mallory is the man in the middle
- Mallory negotiates separate ZRTP sessions with both Alice and Bob
- Mallory algorithmically impairs the quality of the voice channels so that it is difficult to distinguish his voice from anyone else's
- Alice reads her SAS to Mallory, and Mallory reads his SAS to Alice
- Bob reads his SAS to Mallory, and Mallory reads his SAS to Bob
- Mallory connects the audio of the two ZRTP sessions together (with the quality impairment)
- Once Alice and Bob are satisifed with the SAS' they've received, they start their conversation.
- The quality impairment can be blamed on a poor internet connection and the use of a low-rate CODEC.
If Mallory has samples of Alice's and Bob's speech ahead of time, rather than voice quality impairment, he can use more sophisticated software to modify his voice to sound similar to Alice's or Bob's. This is much more difficult but not impossible. --Brouhaha 19:43, 17 June 2006 (UTC)
The statement has been modified to remove the guarantee (Zimmermann never used the word guarantee). However, I think an attack that involves voice imitation incurs a high risk of detection, and thus is adequately deterred. The attacker cannot predict or control exactly how Alice and Bob will conduct the SAS comparison. -PRZ
I think it's not as easy to attack this as you think. Here is something from my FAQ page:
Q: Is the Short Authentication String (SAS) vulnerable to an attacker with voice impersonation capabilities?
A: In practical terms, no. It is a mistake to think this is simply an exercise in voice impersonation (perhaps this could be called the "Rich Little" attack). Although there are digital signal processing techniques for changing a person's voice, that does not mean a man-in-the-middle attacker can safely break into a phone conversation and inject his own short authentication string (SAS) at just the right moment. He doesn't know exactly when or in what manner the users will choose to read aloud the SAS, or in what context they will bring it up or say it, or even which of the two speakers will say it, or if indeed they both will say it. In addition, some methods of rendering the SAS involve using a list of words such as the PGP word list, in a manner analogous to how pilots use the NATO phonetic alphabet to convey information. This can make it even more complicated for the attacker, because these words can be worked into the conversation in unpredictable ways. Remember that the attacker places a very high value on not being detected, and if he screws up, he doesn't get to do it over. prz 09:27, 16 February 2007 (UTC)
- The deeper issue here is that the whole authentication mechanism seems to depend not on a known hard problem, but instead on voice impersonation being hard.--Teemuk 07:54, 25 May 2007 (UTC)
