zfone zrtp
play

ZFONE ZRTP Philip Zimmermanns new secure VOIP Hello(As Zid, Hash, - PDF document

ZFONE ZRTP Philip Zimmermanns new secure VOIP Hello(As Zid, Hash, Enc, SAS.) application Interoperates with SIP signaling Commit(Bs Zid, HVI, .) Communication with AES by SRTP DH1(pvr, Hash(secret), .)


  1. ZFONE ZRTP � Philip Zimmermann’s new secure VOIP Hello(A’s Zid, Hash, Enc, SAS….) application � Interoperates with SIP signaling Commit(B’s Zid, HVI, ….) � Communication with AES by SRTP DH1(pvr, Hash(secret), ….) � Successor of PGPfone Alice Bob DH2(pvi, Hash(secret), ….) � Does not rely on a PKI --------SRTP with AES begins-------- � Authentication by ZRTP SAS(spoken Hash(Master Key)) SAS(spoken Hash(Master Key)) SRTP ZFONE Secure Real Time Transport Protocol � Goals � Secrecy between 2 parties � Forward Secrecy � Confidentiality � Message Authentication/Integrity � Authentication (untraditional) � Replay Protection � No PKI � Key Refresh / Master Key Expiration � Replay protection � Entire Packet is MACed � Parties can distinguish voices � Payload is encrypted ZFONE Hash Commitment Acknowledged Protocol Properties � Resourceful adversary can pose as anyone � Hash collision attack on authentication � Adversary can force a re-SAS � Small SAS read aloud � Privacy � Attacker needs only to find collision on first 4 bytes of hash(master key) � ZID’s are public � Attacker cannot deterministically influence � DOS hash(Master Key) 1

  2. ZRTP Modeled Shared Secrets Really Really Ridiculously Good Looking Hello(A’s Zid) � Parties perform SAS once Confirm(B’s Zid) � Cache shared secret s1 DH1(pvr, hash) � Master Secret – s0 DH2(pvi, hash) � Based on DH exchange and shared secret --------SRTP with AES begins-------- Alice Bob � Becomes s1 (s1 -> s2, etc…) SAS(voice, SecretKey, sas) � Initiator sends HMAC(s1, “Initiator”) SAS(voice, SecretKey, sas) � Responder sends HMAC(s1, “Responder”) Conv(voice, SecretKey, text) Conv(voice,SecretKey, text) Attack Tensor Results of Murphi Modeling � Attacker can simulate Initiator's voice � 61 parameter assignments yielded attacks � Attacker can simulate Responder's voice � After reduction, 5 independent attacks found! � Attacker can convert voice to his own in real time � Initiator knows Responder's voice in advance � SAS Voice Forgery Attack � Responder knows Initiator's voice in advance � Bill Clinton Attack � Initiator remembers voice from one session to the � 6 Month Attack next � Court Reporter Attack � Responder remembers voice from one session to the next � Hybrid Clinton-Court Reporter Attack Six Month Attack Court Reporter Attack A and B don’t remember voices between sessions Hello Confirm Confirm Poses as B Poses as A A and B have DH1(A) A and B have DH1(Ma) Shared Secret Shared Secret MitM DH2(B) DH2(Mb) MitM Alice Bob Alice Bob False shared secret causes + SAS(A, Mb) SAS to be skipped SAS(Ma, B) 3 SAS(B, Ma) SAS(Mb, A) Attacker records and Convert to attacker voice relays voice 2

  3. Bill Clinton Attack Solution: The Chrono-Gambit MitM can imitate the president’s voice Bill doesn’t know Alice’s voice Intruder poses as Alice � Interpolate Hash(Master Key) between 0 and M and B have Shared Secret N seconds � N is negotiated in Hello and HashCommit � Conversation must start ~N seconds from MitM Bill forgets voice of “A” first message exchange Bill Alice (Clinton) � Probabilistically foils every attack MitM imitates Bill Clinton’s voice for SAS � Idea: Hard to interleave conversations starting at Attacker records and relays voice different times! Conclusion � In normal use cases, ZFone is secure � In abnormal, but reasonable cases, ZFone can be attacked � To mount attacks, adversary needs to be powerful and resourceful � Questions? 3

More recommend