[jitsi-dev] thoughts on ZRTP?


#1

"TIL that NSA developed in late 2006 a voice analysis and synthesis system to defeat SAS authentication in ZRTP."

says Frederic Jacobs: https://twitter.com/FredericJacobs/status/488261492564049920


#2

Interesting. I highly doubt that statement, even if it was actually made in
an NSA report, but if people are worried about something like that, then
the human factor part allows them to work around such attacks quite nicely.

For example, rather than pronouncing the four letters you can come up with
an alternative reference for each one: the number in the alphabet, the
preceding letters in the alphabet; movie stars whose names begin or end
with these letters, names of common friends etc, etc.

--sent from my mobile


On 14 Jul 2014 7:01 AM, "Foss" <foss@openmailbox.org> wrote:

"TIL that NSA developed in late 2006 a voice analysis and synthesis system
to defeat SAS authentication in ZRTP."

says Frederic Jacobs:
https://twitter.com/FredericJacobs/status/488261492564049920

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev


#3

IMHO it would be fairly hard to do voice synthesis and at the same time
follow the context of the conversation and respond in the correct
way.

As Emil pointed out one may "splice" in the SAS code into the conversation,
or do something like this (assuming the SAS code is 'nk5t'):

"I see an 'n' in the first and a '5' in the third position,
what about you?" and the other partner responds with the missing 2 characters.

Just "randomizing" the sequence in which someone reads the characters is enough
to make that attack fail. A lot of other options are available :) .

Werner


On 14.07.2014 08:36, Emil Ivov wrote:

Interesting. I highly doubt that statement, even if it was actually
made in an NSA report, but if people are worried about something like
that, then the human factor part allows them to work around such
attacks quite nicely.

For example, rather than pronouncing the four letters you can come up
with an alternative reference for each one: the number in the
alphabet, the preceding letters in the alphabet; movie stars whose
names begin or end with these letters, names of common friends etc,
etc.

--sent from my mobile

On 14 Jul 2014 7:01 AM, "Foss" <foss@openmailbox.org> wrote:

    "TIL that NSA developed in late 2006 a voice analysis and synthesis system to defeat SAS authentication in ZRTP."

    says Frederic Jacobs: https://twitter.com/FredericJacobs/status/488261492564049920


--
Werner Dittmann
email: Werner.Dittmann@t-online.de
cell: +49 173 44 37 659
PGP key: 82EF5E8B
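
The split read-out described in post #3, sketched as an added example (not part of the original thread and not Jitsi or ZRTP code): each party reads a randomly chosen subset of SAS positions and the peer answers with the rest. All function names are hypothetical and the SAS strings other than 'nk5t' are constructed.

```python
import secrets

_RNG = secrets.SystemRandom()  # OS randomness, so the split is not predictable


def split_positions(length, rng=_RNG):
    """Randomly choose which SAS positions the first speaker reads aloud.

    Both groups are non-empty, so each party speaks at least one character.
    """
    k = rng.randrange(1, length)  # how many positions the first speaker reads
    first = sorted(rng.sample(range(length), k))
    second = [i for i in range(length) if i not in first]
    return first, second


def read_out(sas, positions):
    """What a speaker says: (1-based position, character) pairs taken from
    the SAS shown on their own screen."""
    return [(i + 1, sas[i]) for i in positions]


def matches(local_sas, spoken):
    """Compare what the peer said with the SAS displayed locally."""
    return all(
        1 <= pos <= len(local_sas) and local_sas[pos - 1] == ch
        for pos, ch in spoken
    )


def verify_call(sas_alice, sas_bob, rng=_RNG):
    """Run one split read-out; True only if both halves match on both ends."""
    first, second = split_positions(len(sas_alice), rng)
    alice_says = read_out(sas_alice, first)  # Alice reads her random positions
    bob_says = read_out(sas_bob, second)     # Bob answers with the remaining ones
    return matches(sas_bob, alice_says) and matches(sas_alice, bob_says)


if __name__ == "__main__":
    first, second = split_positions(4)
    print("Alice reads:", read_out("nk5t", first))
    print("Bob answers:", read_out("nk5t", second))
    print("same SAS on both ends:", verify_call("nk5t", "nk5t"))
    print("SAS differs (constructed):", verify_call("nk5t", "nk5x"))
```

Because every position is spoken by exactly one side and checked by the other, a single differing character is caught whichever way the positions happen to be split.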