Re: Zfone and ZRTP :: encryption for voip protocols
Damien Miller wrote:

On Wed, 15 Mar 2006, Ed Gerck wrote:

[snip] ...allows the detection of man-in-the-middle (MiTM) attacks by displaying a short authentication string for the users to read and compare over the phone.

Depends on the trust model. May not work.

This is incomplete. The paragraph goes on to say:

we still get fairly decent authentication against a MiTM attack, based on a form of key continuity. It does this by caching some key material to use in the next call, to be mixed in with the next call's DH shared secret, giving it key continuity properties analogous to SSH.

Here's a quote from the draft -

We use an analogous baby duck security model to authenticate the DH exchange in ZRTP. We don't need to exchange persistent public keys, we can simply cache a shared secret and re-use it to authenticate a long series of DH exchanges for secure phone calls over a long period of time. If we read aloud just one SAS, and then cache a shared secret for later calls to use for authentication, no new voice authentication rituals need to be executed. We just have to remember we did one already.

The draft says that shared secrets are keyed by ZID when stored in a local cache, where ZID is a unique persistent random ZRTP endpoint ID. Unless I am missing something, ZIDs exchanged by peers during a handshake remain unauthenticated. This means that if both A and B have cached shared secrets with M, then M can mount a MitM attack against the A-B session and both A and B will be under the impression that they are protected by 'key continuity' from their previous (A-B) session. Their SAS won't match of course, but since they see the shared secret being used for KE, they are not likely to bother with the SAS check.

Alex

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: MD5 collisions in one minute
On 3/17/06, Weger, B.M.M. de [EMAIL PROTECTED] wrote:

You might be interested in knowing that my MSc student Marc Stevens has found a considerable speedup of MD5 collision generation. His improvements of Wang's method enable one to make MD5 collisions typically in one minute on a PC; sometimes it takes a few minutes, and sometimes only a few seconds. His paper (shortly to appear on the Cryptology ePrint Archive) can be found on http://www.win.tue.nl/hashclash/, where we've also made his software available (source code and a Win32 executable).

Thanks for the interesting info!

btw, are you aware of another MD5 collision generating software (requiring ~45 minutes per collision) available at http://www.stachliu.com/collisions.html ? I did not find any references to it in Marc's website/paper.

Max
Re: Zfone and ZRTP :: encryption for voip protocols
That's not what I described. An attacker uses his own ZID and valid shared secrets that he creates with A and B on some prior occasion. In other words -

* M talks to A as himself. This creates a cached AM secret.
* M talks to B as himself. This creates a cached BM secret.
* M intercepts the A-B handshake and completes each 'leg' of the handshake using his own ZID and the above secrets. Since the responder's ZID is not a part of the hash in Commit, this key exchange will complete just fine.

I don't see the draft talking about how/if ZIDs might be linked to non-ZRTP peer identities, so I can't see how A or B can actually discover that they've been MitM'd by M *unless* they do the SAS check. They do however see that the KE used a cached shared secret, and they (being humans) are likely to skip the SAS check because of that.

Alex

Philip Zimmermann wrote:

An attacker can easily present the wrong ZID, but he will not possess the cached shared secrets held by the real owner of that ZID. The user interface will tell the user that there are no shared secrets, which means he must reverify the SAS. Thus, his attack will fail.

On Mar 17, 2006, at 4:21 PM, Alex Pankratov wrote:

Damien Miller wrote:

On Wed, 15 Mar 2006, Ed Gerck wrote:

[snip] ...allows the detection of man-in-the-middle (MiTM) attacks by displaying a short authentication string for the users to read and compare over the phone.

Depends on the trust model. May not work.

This is incomplete. The paragraph goes on to say:

we still get fairly decent authentication against a MiTM attack, based on a form of key continuity. It does this by caching some key material to use in the next call, to be mixed in with the next call's DH shared secret, giving it key continuity properties analogous to SSH.

Here's a quote from the draft -

We use an analogous baby duck security model to authenticate the DH exchange in ZRTP. We don't need to exchange persistent public keys, we can simply cache a shared secret and re-use it to authenticate a long series of DH exchanges for secure phone calls over a long period of time. If we read aloud just one SAS, and then cache a shared secret for later calls to use for authentication, no new voice authentication rituals need to be executed. We just have to remember we did one already.

The draft says that shared secrets are keyed by ZID when stored in a local cache, where ZID is a unique persistent random ZRTP endpoint ID. Unless I am missing something, ZIDs exchanged by peers during a handshake remain unauthenticated. This means that if both A and B have cached shared secrets with M, then M can mount a MitM attack against the A-B session and both A and B will be under the impression that they are protected by 'key continuity' from their previous (A-B) session. Their SAS won't match of course, but since they see the shared secret being used for KE, they are not likely to bother with the SAS check.

Alex

--
Philip R Zimmermann [EMAIL PROTECTED]
http://philzimmermann.com
tel +1 650 322-7223 (spelled with 2 n's)
fax +1 650 322-7877
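The scenario Alex lays out above, as an added illustration that is not from the thread or from the ZRTP draft: a deliberately simplified model (SHA-256 in place of the real key derivation, a random value standing in for the DH result, an invented 8-character SAS) in which each endpoint keys its cache of shared secrets by the peer's claimed ZID. It shows that the "cached secret was used" signal is present on both legs of the relayed call, while the two sides' SAS values still disagree, so the SAS comparison remains the only check that catches it.

```python
import hashlib
import os

# Simplified model (added example, not ZRTP's actual derivation): an endpoint
# keeps one cache entry per peer ZID and mixes it into the next call's key.
class Endpoint:
    def __init__(self, name):
        self.name = name
        self.zid = os.urandom(12)   # persistent random endpoint ID (unauthenticated)
        self.cache = {}             # claimed peer ZID -> cached shared secret

    def derive(self, peer_zid, dh_secret):
        """Mix the DH result with whatever is cached for the claimed peer ZID.
        Returns (session_key, sas, cached_secret_was_used)."""
        cached = self.cache.get(peer_zid, b"")
        key = hashlib.sha256(dh_secret + cached).digest()
        # Short authentication string; 8 hex chars here is an invented length
        sas = hashlib.sha256(b"SAS" + key).hexdigest()[:8]
        self.cache[peer_zid] = hashlib.sha256(b"retain" + key).digest()
        return key, sas, bool(cached)

def call(x, y):
    """Direct call: both sides see the same DH result and each other's real ZID."""
    dh = os.urandom(32)
    _, sas_x, used_x = x.derive(y.zid, dh)
    _, sas_y, used_y = y.derive(x.zid, dh)
    return sas_x == sas_y, used_x and used_y

def relayed_call(a, b, m):
    """m completes each leg of the a-b handshake with its own ZID, so each
    side finds a cached secret for m and mixes that in."""
    dh_am, dh_mb = os.urandom(32), os.urandom(32)
    _, sas_a, used_a = a.derive(m.zid, dh_am)
    m.derive(a.zid, dh_am)
    _, sas_b, used_b = b.derive(m.zid, dh_mb)
    m.derive(b.zid, dh_mb)
    return sas_a == sas_b, used_a and used_b

def scenario():
    a, b, m = Endpoint("A"), Endpoint("B"), Endpoint("M")
    call(a, m)                               # creates the cached AM secret
    call(b, m)                               # creates the cached BM secret
    honest_sas_match, _ = call(a, b)         # genuine A-B call
    relayed_sas_match, cached_used = relayed_call(a, b, m)
    return honest_sas_match, relayed_sas_match, cached_used
```

Only the SAS comparison distinguishes the two outcomes; a UI that treats "cached secret present" as proof of continuity with the previous A-B call is reading a signal the claimed ZID alone cannot provide.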
Tunnels in Hash Functions: MD5 Collisions in 40 seconds
Congratulations to Marc Stevens, who described a method for a fast collision attack on MD5!

Just now (! it is a collision !) I have finished the translation of my paper Vlastimil Klima: Tunnels in Hash Functions: MD5 Collisions Within a Minute. It is based on a new method, tunneling. Using it on MD5 gives a collision in 40 seconds on a 3 GHz Pentium 4. (Actually I used a notebook twice as slow, with a time of about 80 seconds.) I expect the publication on eprint also, but I will put it on my web together with the source code of the program in one or two hours. It is http://cryptography.hyperlink.cz/MD5_collisions.html

Vlastimil Klima
http://cryptography.hyperlink.cz/

--
From: Weger, B.M.M. de [EMAIL PROTECTED]
To: cryptography@metzdowd.com
Subject: MD5 collisions in one minute
Date: 17.3.2006 - 19:37:20

Hi all,

You might be interested in knowing that my MSc student Marc Stevens has found a considerable speedup of MD5 collision generation. His improvements of Wang's method enable one to make MD5 collisions typically in one minute on a PC; sometimes it takes a few minutes, and sometimes only a few seconds. His paper (shortly to appear on the Cryptology ePrint Archive) can be found on http://www.win.tue.nl/hashclash/, where we've also made his software available (source code and a Win32 executable).

Grtz,
Benne de Weger