
Re: Secure voice software issues




Phil Karn says:
> >To me at least this seems unimportant for the application.  If all you're
> >doing is exchanging session keys over the phone, it doesn't really matter if
> >you are sure that the public key actually belongs to who it claims it does,
> 
> Well...yes. *If* you know the person you are talking to, then you can
> read off your session key (or preferably its hash) to guard against the
> man in the middle. But let's say you are being referred to someone who
> you don't already know (or you know them only by email, and have no idea
> what they sound like). You trust this person, but you can't depend on
> an oral challenge-response. The existing PGP web should be handy here.

I think that we are too casual about this -- Rich Little or someone
similar could easily impersonate your voice over a vocoder well enough
that unless I decided to do a "so, tell me about what we had for lunch
last week" routine you couldn't tell the difference. I think that even
if you DO know the other person verification is valuable -- especially
given the distortionary effects of vocoders.

Perry
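
The session-key hash comparison discussed in this thread, as an added example that is not part of the original message. It assumes a toy Diffie-Hellman exchange (the thread names no key-exchange method; the parameters and function names are constructed for illustration) and shows that the strings read aloud match on a direct call and differ when a middle party substitutes its own key.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters (assumption: the thread names no key exchange).
P = 2**127 - 1   # Mersenne prime, far too small for real use
G = 3

def keypair():
    """Return (private exponent, public value) for one party."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """Derive a 256-bit session key from the shared DH secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def spoken_hash(key, groups=4):
    """Hash of the session key, shortened to hex groups that are easy to read aloud."""
    digest = hashlib.sha256(b"voice-check" + key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 4 * groups, 4))

def call(intercepted):
    """Return the strings party A and party B would each read to the other."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if intercepted:
        # A middle party substitutes its own public value in both directions,
        # so each end shares a key with it instead of with the other end.
        m_priv, m_pub = keypair()
        a_key = session_key(a_priv, m_pub)
        b_key = session_key(b_priv, m_pub)
    else:
        a_key = session_key(a_priv, b_pub)
        b_key = session_key(b_priv, a_pub)
    return spoken_hash(a_key), spoken_hash(b_key)

if __name__ == "__main__":
    for label, flag in (("direct", False), ("intercepted", True)):
        a_says, b_says = call(flag)
        print(f"{label:12} A reads: {a_says} | B reads: {b_says} | match={a_says == b_says}")
```

The comparison proves only that both ends hold the same key; whether the voice reading the string belongs to the expected person is the separate question raised in the reply above.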