Re: [cryptography] Silent Circle Takes on Phones, Skype, Telecoms
On 2014-07-11 07:45, Kevin wrote: On 7/10/2014 4:39 PM, John Young wrote: https://blog.silentcircle.com/why-are-we-competing-with-phone-makers-skype-and-telecom-carriers-all-in-the-same-week/ With silent circle, when Ann talks to Bob, does Ann get Bob's public key from silent circle, and Bob get Ann's public key from silent circle. If they do it that way, silent circle is a single point of failure which can, and probably will, be co-opted by governments. If they don't do it that way, how do they do it. Obviously we need a hash chain that guarantees that Ann sees the same public key for Ann as Bob sees for Ann. Does silent circle do that? ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Silent Circle Takes on Phones, Skype, Telecoms
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 11/07/14 11:27, James A. Donald wrote: On 2014-07-11 07:45, Kevin wrote: On 7/10/2014 4:39 PM, John Young wrote: https://blog.silentcircle.com/why-are-we-competing-with-phone-makers-skype-and-telecom-carriers-all-in-the-same-week/ With silent circle, when Ann talks to Bob, does Ann get Bob's public key from silent circle, and Bob get Ann's public key from silent circle. For phone calls they use ZRTP, so Ann and Bob can verbally compare short authentication strings after the key exchange to detect a MITM, *if* they know each other's voices and their voices can't be faked. ZRTP carries keying material forward from one session to another so it isn't necessary to do this every time. For messaging it's the same, except the verbal confirmation happens out-of-band. The protocol spec seems to have been taken offline recently, but it's archived here: https://web.archive.org/web/20140125121552/https://silentcircle.com/static/download/SCIMP%20paper.pdf Cheers, Michael -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBCAAGBQJTv8ORAAoJEBEET9GfxSfMZmoH/1ip9AmkhY+bVLtgpgYTOjrp SRSgFIzaeGocGnMyBz1cgcxOaDOSNOATc8IpbhSVvmJue1VD43VlCv6Fvdwe0pid nOBX/ZMY35hlil9Kte/STcDQDt6E3AYiaFlIXXVyU7y/35K2J6629fixPJc5yPVB rHy1ew0HqvQFWfiztYK/fxptuWu81UAh9HIL3A9j1/N0eX1EpaKBgUFWRTzD/4Id XSckanVjQ34JTJNuC0UbLXY7sz8ljSeFI3dGQQEFliODYNhy5eWn7JkL9oOj26AM KcSdAp85KF6f7rRE36QC5NroS9iiDWzgcXLOy/cHgmH3uODWOA70vy1GxjYbhxQ= =uakY -END PGP SIGNATURE- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Silent Circle Takes on Phones, Skype, Telecoms
On 11/07/2014 11:27 am, James A. Donald wrote: On 2014-07-11 07:45, Kevin wrote: On 7/10/2014 4:39 PM, John Young wrote: https://blog.silentcircle.com/why-are-we-competing-with-phone-makers-skype-and-telecom-carriers-all-in-the-same-week/ With silent circle, when Ann talks to Bob, does Ann get Bob's public key from silent circle, and Bob get Ann's public key from silent circle. If they do it that way, silent circle is a single point of failure which can, and probably will, be co-opted by governments. If they don't do it that way, how do they do it. Obviously we need a hash chain that guarantees that Ann sees the same public key for Ann as Bob sees for Ann. Does silent circle do that? While I'm interested in how they're doing that, I'm far more interested in how Ann convinces Bob that she is Ann, and Bob convinces Ann that he is Bob. We left the OpenPGP/cert building a long time ago, we need more than just 1980s PKI ideas with elegant proofs. If they haven't got an answer to that question, then I'd wonder if the product is a throwaway for real security purposes. (By throwaway, I mean the drug dealer's trick of using each phone/sim for one call, then dropping it in the river.) iang ps; John's point is well taken. We don't have a way to escape success being targetted. We don't have a way to pay for many small enclaves with their own tech. We're stuck in a rocky business. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Silent Circle Takes on Phones, Skype, Telecoms
On 2014-07-11 20:59, Michael Rogers wrote: For phone calls they use ZRTP, so Ann and Bob can verbally compare short authentication strings after the key exchange to detect a MITM, *if* they know each other's voices and their voices can't be faked. ZRTP carries keying material forward from one session to another so it isn't necessary to do this every time. For messaging it's the same, except the verbal confirmation happens out-of-band. The protocol spec seems to have been taken offline recently, but it's archived here: https://web.archive.org/web/20140125121552/https://silentcircle.com/static/download/SCIMP%20paper.pdf If it takes more than one click, end users are not going to do it. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Silent Circle Takes on Phones, Skype, Telecoms
ianG i...@iang.org writes: On 11/07/2014 11:27 am, James A. Donald wrote: On 2014-07-11 07:45, Kevin wrote: On 7/10/2014 4:39 PM, John Young wrote: https://blog.silentcircle.com/why-are-we-competing-with-phone-makers-skype-and-telecom-carriers-all-in-the-same-week/ With silent circle, when Ann talks to Bob, does Ann get Bob's public key from silent circle, and Bob get Ann's public key from silent circle. If they do it that way, silent circle is a single point of failure which can, and probably will, be co-opted by governments. If they don't do it that way, how do they do it. Obviously we need a hash chain that guarantees that Ann sees the same public key for Ann as Bob sees for Ann. Does silent circle do that? While I'm interested in how they're doing that, I'm far more interested in how Ann convinces Bob that she is Ann, and Bob convinces Ann that he is Bob. We left the OpenPGP/cert building a long time ago, we need more than just 1980s PKI ideas with elegant proofs. Note there's a philosophical issue here. A very good actress could convince Bob that she's Ann no matter how high the bandwidth of their communication, such as intimate body contact. The only individual in the universe who is qualified to authoritatively deny the actress' claim is Ann. To convince Bob, she needs something the actress cannot have, such as the password to her encryption key. -- -- StealthMonger Long, random latency is part of the price of Internet anonymity. Key: mailto:stealthsuite nym.mixmin.net?subject=send%20stealthmonger-key pgpO65XFNlHIm.pgp Description: PGP signature ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Silent Circle Takes on Phones, Skype, Telecoms
On 07/11/2014 04:23 PM, StealthMonger wrote: While I'm interested in how they're doing that, I'm far more interested in how Ann convinces Bob that she is Ann, and Bob convinces Ann that he is Bob. We left the OpenPGP/cert building a long time ago, we need more than just 1980s PKI ideas with elegant proofs. Note there's a philosophical issue here. A very good actress could convince Bob that she's Ann no matter how high the bandwidth of their communication, such as intimate body contact. Besides getting the timing of your MitM right, attacking ZRTP requires to mimic _both_ persons' voice. So you need (at best) more than one Eve that mimic Bob and Alice at the right time by speaking out some words displayed on the phones. I am leaving out all the details of Hash Commitments before ZRTP's DH etc, because they are not relevant here. There is a new somewhat related paper presented here on SOUPS about mimicing voice: https://www.usenix.org/system/files/conference/soups2014/soups14-paper-panjwani.pdf The next question here is how the implementation handles that verification. Does the implementation a) ask to cancel the call if something seems wrong or b) does it prevent you from proceeding by asking you is the spoken word equals the displayed and sounds the voice like Bob? yes/no. I don't know of any app that implements b), but I haven't tested SilentCircle's apps. I personally think that people will _not_ cancel the application without being explicitly ask to do so, even when the words do not sound like being said by your friend Bob. Conclusively, I think ZRTP is a nice approach, but thinking of your average Jonny: He will not cancel the conversation just because the voice sounds strange (only when the verification words were spoken, maybe the voice quality was just bad...) Regards Dominik signature.asc Description: OpenPGP digital signature ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] Silent Circle Takes on Phones, Skype, Telecoms
https://blog.silentcircle.com/why-are-we-competing-with-phone-makers-skype-and-telecom-carriers-all-in-the-same-week/ ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Silent Circle Takes on Phones, Skype, Telecoms
On 7/10/2014 4:39 PM, John Young wrote: https://blog.silentcircle.com/why-are-we-competing-with-phone-makers-skype-and-telecom-carriers-all-in-the-same-week/ ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography The problem is, this will never really hit the mainstream. When or if it does, I might feel better about it. I remain suspicious. -- Kevin ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Silent Circle Takes on Phones, Skype, Telecoms
This is the comsec dilemma. If a product or system becomes mainstream it is more likely to be overtly and/or covertly compromised. If marginal it is likely to be used by few and consequently not well tested against overt and/or covert faults and compromise, may go out of of business, or aquired by I-Q-Tel compromisers and reconfigured for wildly popular use by those who care squat about really, really secure comsec. Still, this is a period when NSA-proof has decent value as a marketing campaign. When snake oil is not considered to be bad business after all. When promises abound to take back the Internet are flowering under bountiful manure of comsec reputation cultivators. When comsec standards committees are diligently cleaning out the stables of excess manure accumulated since comsec escaped from lifetime security of secrecy mokus, braying like asses this time comsec will be pure and honest, no shit. Damn kids don't understand openness is a disease to be medicated by exposure to working inside and outside the shithouse, lying about scuzzy comsec as a way of life. Otherwise accept working forever as a minimally funded volunteer with dignity and self-respect, praised for self-sacrifice, be whispered about as if an insane idealist who could never adjust to reality of stinking like a sewer, accumulating bespoken suits tailored of finest dookie as if Silk Road weave. Silent Circle is on its way, stand back, the odor is finest perfume. At 05:45 PM 7/10/2014, you wrote: On 7/10/2014 4:39 PM, John Young wrote: https://blog.silentcircle.com/why-are-we-competing-with-phone-makers-skype-and-telecom-carriers-all-in-the-same-week/ ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography The problem is, this will never really hit the mainstream. When or if it does, I might feel better about it. I remain suspicious. -- Kevin ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Silent Circle Takes on Phones, Skype, Telecoms
On 10 July 2014 22:39:01 CEST, John Young j...@pipeline.com wrote: https://blog.silentcircle.com/why-are-we-competing-with-phone-makers-skype-and-telecom-carriers-all-in-the-same-week/ I think a lot of the stuff Silent Circle is doing looks great; but I think we need a real open OS (perhaps built on replicant?) for this to be truly useful. As far as I can tell no code for PrivatOS has been made available yet? Some discussion at lwn this February: http://lwn.net/Articles/581085/ As for encrypted calls to the pstn: I suppose this means the call is secure to the phone switch of the receiver (at best) and subject to ordinary wire-taps after that? So calling a source that is watched combines a false sense of security with an an (almost) traditional level of risk? More technical details would ne helpful. -eirik ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Silent Circle Takes on Phones, Skype, Telecoms
On Thu, Jul 10, 2014 at 4:45 PM, John Young j...@pipeline.com wrote: This is the comsec dilemma. If a product or system becomes mainstream it is more likely to be overtly and/or covertly compromised. This is why it's important the client is open source, the binaries are reproducible, and the encryption is end-to-end. Silent Circle is halfway there: most of the source code is available, but last I heard not all the pieces were there and people weren't able to build it (perhaps that changed?) Clearly OpenSSL is a great demonstration that many eyes don't make bug(door?)s shallow, but if the source is available, it's certainly something that can be used to build trust in a system. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Silent Circle Takes on Phones, Skype, Telecoms
On Thu, Jul 10, 2014 at 10:52 PM, Tony Arcieri basc...@gmail.com wrote: On Thu, Jul 10, 2014 at 4:45 PM, John Young j...@pipeline.com wrote: This is the comsec dilemma. If a product or system becomes mainstream it is more likely to be overtly and/or covertly compromised. I don't find this a dilemma - I don't use immature projects because they haven't had time prove themselves and get stress tested. I like the idea of LibreSSL but won't use it for at least 3 years (if it gains traction). Clearly OpenSSL is a great demonstration that many eyes don't make bug(door?)s shallow, but if the source is available, it's certainly something that can be used to build trust in a system. I don't think that's a good example at all. I think OpenSSL's issue is feature bloat without enough time for code audits. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
