Re: Active Eavesdropping of Clipper
Mike Ingle quotes Matt Blaze (and I paraphrase):
>[...] so the procedure for placing a secure call is to recognize
>each other's voice in the clear mode, go secure, and read the hash
>value to each other [...] you have to rely on prior knowledge of each
>other's voice. [...]
This is out of band WRT the encryption engine. Note that it can be used
exactly like an asymmetric encryption key for authentication. You know the
other person's signature/voice in advance and it is hard for an attacker to
reproduce it.
>[an attacker could] trick you into saying some numbers, digitally record
>them, and then rearrange them and play them back.
The 'replay' attack. Of course you always make the other person say the
hash _and_ some (never reused?) data in a lump (re: my earlier post --
concatenate your challenge data with their a^x before signing) for
instance: "Bob, please sing me the hash to the tune of 'Raindrops Keep
Fallin' on My Head'" (Security can be fun).
>Or introduce enough line noise so the person couldn't recognize your
>voice, and read the fake key
Signature not valid. Sorry Bob, I'll have to call you back. That is, _if_
it's really you.
Scott Collins | "Few people realize what tremendous power there
| is in one of these things." -- Willy Wonka
......................|................................................
BUSINESS. voice:408.862.0540 fax:974.6094 [email protected]
Apple Computer, Inc. 5 Infinite Loop, MS 305-2B Cupertino, CA 95014
.......................................................................
PERSONAL. voice/fax:408.257.1746 1024:669687 [email protected]
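The checking idea discussed in this thread, as an added illustration that is not part of the original post: a toy Python model of a Diffie-Hellman call in which the number read aloud is bound to the listener's fresh challenge and the speaker's own a^x (here `speaker_public`), so a session relayed by a man in the middle and a replayed recording from an earlier call both produce a string the listener does not expect. The party names, function names and the toy 128-bit group are assumptions made for the example.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group for illustration only (128-bit prime, generator 2);
# real use needs a standardised group of proper size.
P = 2**128 - 159
G = 2
DIGITS = 8  # length of the number read aloud

def dh_keypair():
    """Fresh private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)

def shared_secret(my_private, peer_public):
    return pow(peer_public, my_private, P)

def spoken_hash(shared, challenge, speaker_public):
    """Short decimal string the speaker reads over the voice channel.  It binds
    the session key, the listener's fresh challenge and the speaker's own
    public value, so another call's recording, or a relayed session, differs."""
    h = hashlib.sha256()
    h.update(shared.to_bytes(16, "big"))
    h.update(challenge.encode())
    h.update(speaker_public.to_bytes(16, "big"))
    return str(int.from_bytes(h.digest()[:8], "big") % 10**DIGITS).zfill(DIGITS)

def honest_call(challenge):
    """Alice and Bob talk directly: (what Bob says, what Alice expects)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    bob_says = spoken_hash(shared_secret(b_priv, a_pub), challenge, b_pub)
    alice_expects = spoken_hash(shared_secret(a_priv, b_pub), challenge, b_pub)
    return bob_says, alice_expects

def relayed_call(challenge):
    """Mallory runs two separate DH sessions, so Alice and Bob each see
    Mallory's public value instead of each other's."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    _m_priv, m_pub = dh_keypair()
    bob_says = spoken_hash(shared_secret(b_priv, m_pub), challenge, b_pub)
    alice_expects = spoken_hash(shared_secret(a_priv, m_pub), challenge, m_pub)
    return bob_says, alice_expects

def replay_rejected():
    """Bob's digits recorded in one call fail the check in a later call."""
    recorded, _ = honest_call("challenge-" + secrets.token_hex(4))
    _, alice_expects = honest_call("challenge-" + secrets.token_hex(4))
    return not secrets.compare_digest(recorded, alice_expects)
```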