Presentation is loading. Please wait.

Presentation is loading. Please wait.

ZFONE  Philip Zimmermann’s new secure VOIP application  Interoperates with SIP signaling  Communication with AES by SRTP  Successor of PGPfone  Does.

Published byAusten White Modified over 9 years ago

Similar presentations

Presentation on theme: "ZFONE  Philip Zimmermann’s new secure VOIP application  Interoperates with SIP signaling  Communication with AES by SRTP  Successor of PGPfone  Does."— Presentation transcript:

1 ZFONE  Philip Zimmermann’s new secure VOIP application  Interoperates with SIP signaling  Communication with AES by SRTP  Successor of PGPfone  Does not rely on a PKI  Authentication by ZRTP

2 ZRTP AliceBob Hello(A’s Zid, Hash, Enc, SAS….) Commit(B’s Zid, HVI, ….) DH1(pvr, Hash(secret), ….) DH2(pvi, Hash(secret), ….) --------SRTP with AES begins-------- SAS(spoken Hash(Master Key))

3 SRTP Secure Real Time Transport Protocol  Goals Confidentiality Message Authentication/Integrity Replay Protection  Key Refresh / Master Key Expiration  Entire Packet is MACed  Payload is encrypted

4 ZFONE  Secrecy between 2 parties  Forward Secrecy  Authentication (untraditional) No PKI  Replay protection  Parties can distinguish voices

5 ZFONE Acknowledged Protocol Properties  Resourceful adversary can pose as anyone  Adversary can force a re-SAS  Privacy ZID’s are public  DOS

6 Hash Commitment  Hash collision attack on authentication  Small SAS read aloud  Attacker needs only to find collision on first 4 bytes of hash(master key)  Attacker cannot deterministically influence hash(Master Key)

7 Shared Secrets  Parties perform SAS once Cache shared secret s1  Master Secret – s0 Based on DH exchange and shared secret Becomes s1 (s1 -> s2, etc…)  Initiator sends HMAC(s1, “Initiator”)  Responder sends HMAC(s1, “Responder”)

8 ZRTP Modeled Really Really Ridiculously Good Looking AliceBob Hello(A’s Zid) Confirm(B’s Zid) DH1(pvr, hash) DH2(pvi, hash) --------SRTP with AES begins-------- SAS(voice, SecretKey, sas) Conv(voice, SecretKey, text)

9 Attack Tensor  Attacker can simulate Initiator's voice  Attacker can simulate Responder's voice  Attacker can convert voice to his own in real time  Initiator knows Responder's voice in advance  Responder knows Initiator's voice in advance  Initiator remembers voice from one session to the next  Responder remembers voice from one session to the next

10 Results of Murphi Modeling  61 parameter assignments yielded attacks  After reduction, 5 independent attacks found! SAS Voice Forgery Attack Bill Clinton Attack 6 Month Attack Court Reporter Attack Hybrid Clinton-Court Reporter Attack

11 Alice MitM + 3 Bob Convert to attacker voice Court Reporter Attack Hello Confirm DH1(A) DH1(Ma) DH2(B) DH2(Mb) SAS(A, Mb) SAS(Mb, A) SAS(Ma, B) SAS(B, Ma) Confirm

12 Six Month Attack A and B don’t remember voices between sessions AliceBob Poses as B MitM Poses as A A and B have Shared Secret A and B have Shared Secret Attacker records and relays voice False shared secret causes SAS to be skipped

13 Bill Clinton Attack MitM can imitate the president’s voice Bill doesn’t know Alice’s voice Alice Bill (Clinton) MitM Intruder poses as Alice M and B have Shared Secret MitM imitates Bill Clinton’s voice for SAS Attacker records and relays voice Bill forgets voice of “A”

14 Solution: The Chrono-Gambit  Interpolate Hash(Master Key) between 0 and N seconds N is negotiated in Hello and HashCommit  Conversation must start ~N seconds from first message exchange  Probabilistically foils every attack Idea: Hard to interleave conversations starting at different times!

15 Conclusion  In normal use cases, ZFone is secure  In abnormal, but reasonable cases, ZFone can be attacked To mount attacks, adversary needs to be powerful and resourceful  Questions?

Download ppt "ZFONE  Philip Zimmermann’s new secure VOIP application  Interoperates with SIP signaling  Communication with AES by SRTP  Successor of PGPfone  Does."

Similar presentations

Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Off-the-Record Communication, or, Why Not To Use PGP

Off-the-Record Communication, or, Why Not To Use PGP
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
Impacts of Security Protocols on Real- time Multimedia Communications Kihun Hong 1, Souhwan Jung 1, Luigi Lo Iacono 2, Christoph.

Impacts of Security Protocols on Real- time Multimedia Communications Kihun Hong 1, Souhwan Jung 1, Luigi Lo Iacono 2, Christoph.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:

CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:
Public Key Algorithms …….. RAIT M. Chatterjee.

Public Key Algorithms …….. RAIT M. Chatterjee.
WEB SECURITY. WEB ATTACK TYPES Buffer OverflowsXML InjectionsSession Hijacking Attacks WEB Attack Types.

WEB SECURITY. WEB ATTACK TYPES Buffer OverflowsXML InjectionsSession Hijacking Attacks WEB Attack Types.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.

Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.

Similar presentations

Ads by Google