ZFONE ZRTP � Philip Zimmermann’s new secure VOIP Hello(A’s Zid, Hash, Enc, SAS….) application � Interoperates with SIP signaling Commit(B’s Zid, HVI, ….) � Communication with AES by SRTP DH1(pvr, Hash(secret), ….) � Successor of PGPfone Alice Bob DH2(pvi, Hash(secret), ….) � Does not rely on a PKI --------SRTP with AES begins-------- � Authentication by ZRTP SAS(spoken Hash(Master Key)) SAS(spoken Hash(Master Key)) SRTP ZFONE Secure Real Time Transport Protocol � Goals � Secrecy between 2 parties � Forward Secrecy � Confidentiality � Message Authentication/Integrity � Authentication (untraditional) � Replay Protection � No PKI � Key Refresh / Master Key Expiration � Replay protection � Entire Packet is MACed � Parties can distinguish voices � Payload is encrypted ZFONE Hash Commitment Acknowledged Protocol Properties � Resourceful adversary can pose as anyone � Hash collision attack on authentication � Adversary can force a re-SAS � Small SAS read aloud � Privacy � Attacker needs only to find collision on first 4 bytes of hash(master key) � ZID’s are public � Attacker cannot deterministically influence � DOS hash(Master Key) 1
ZRTP Modeled Shared Secrets Really Really Ridiculously Good Looking Hello(A’s Zid) � Parties perform SAS once Confirm(B’s Zid) � Cache shared secret s1 DH1(pvr, hash) � Master Secret – s0 DH2(pvi, hash) � Based on DH exchange and shared secret --------SRTP with AES begins-------- Alice Bob � Becomes s1 (s1 -> s2, etc…) SAS(voice, SecretKey, sas) � Initiator sends HMAC(s1, “Initiator”) SAS(voice, SecretKey, sas) � Responder sends HMAC(s1, “Responder”) Conv(voice, SecretKey, text) Conv(voice,SecretKey, text) Attack Tensor Results of Murphi Modeling � Attacker can simulate Initiator's voice � 61 parameter assignments yielded attacks � Attacker can simulate Responder's voice � After reduction, 5 independent attacks found! � Attacker can convert voice to his own in real time � Initiator knows Responder's voice in advance � SAS Voice Forgery Attack � Responder knows Initiator's voice in advance � Bill Clinton Attack � Initiator remembers voice from one session to the � 6 Month Attack next � Court Reporter Attack � Responder remembers voice from one session to the next � Hybrid Clinton-Court Reporter Attack Six Month Attack Court Reporter Attack A and B don’t remember voices between sessions Hello Confirm Confirm Poses as B Poses as A A and B have DH1(A) A and B have DH1(Ma) Shared Secret Shared Secret MitM DH2(B) DH2(Mb) MitM Alice Bob Alice Bob False shared secret causes + SAS(A, Mb) SAS to be skipped SAS(Ma, B) 3 SAS(B, Ma) SAS(Mb, A) Attacker records and Convert to attacker voice relays voice 2
Bill Clinton Attack Solution: The Chrono-Gambit MitM can imitate the president’s voice Bill doesn’t know Alice’s voice Intruder poses as Alice � Interpolate Hash(Master Key) between 0 and M and B have Shared Secret N seconds � N is negotiated in Hello and HashCommit � Conversation must start ~N seconds from MitM Bill forgets voice of “A” first message exchange Bill Alice (Clinton) � Probabilistically foils every attack MitM imitates Bill Clinton’s voice for SAS � Idea: Hard to interleave conversations starting at Attacker records and relays voice different times! Conclusion � In normal use cases, ZFone is secure � In abnormal, but reasonable cases, ZFone can be attacked � To mount attacks, adversary needs to be powerful and resourceful � Questions? 3
More recommend
