Zphone and the "rich little attack"

Topic: 

I was discussing his Zphone encrypting telephone system with Phil Zimmermann today. In his system, phone calls are encrypted with opportunistic, certificateless cryptography, which I applaud because it allows zero user interface and not centralization. It is vulnerable to "man in the middle" attacks if the MITM can be present in all communications.

His defence against MITM is to allow the users of the system to do a spoken authentication protocol at any time in their series of conversations. While it's good to do it on the first call, his system works even when done later. In their conversation, they can, using spoken voice, read off a signature of the crypto secrets that are securing their conversation. The signatures must match -- if they don't, a man-in-the-middle is possibly interfering.

I brought up an attack he had thought of and called the Rich Little attack, involving impersonation with a combination of a good voice impersonation actor and hypothetical computerized speech modification that turns a good impersonator into a near perfect one. Phil believes that trying to substitute voice in a challenge that can come at any time, in any form, in any conversation is woefully impractical.

A small amount of thought made me produce this attack: Two impersonators. Early on in a series of conversations, the spy agency trying to break in brings in two impersonators who have listened to Alice and Bob respectively (we are hearing their calls) and learned their mannerisms. A digital audio processor helps convert the tones of their voice. That's even easier on an 8khz channel. At some point with a break in the conversation, the MITMs jump into the conversation. Suddenly Alice is talking to Fake-Bob, and Bob is talking to Fake-Alice. The impersonators immediately act like good Zphone users, and suggest that a verification of the signature be done. If Alice and Bob have read the basics of Zphone, they will agree that this is a great idea, and participate in the verification. This works because in an MITM attack, the shared secret is really two secrets, one between Alice and the MITM, and another between the MITM and Bob. But the impersonators have those secrets and will read out the same signatures Alice and Bob see on their screens, even though these numbers are different if Alice and Bob were to try and talk directly.

The Actors must then coordinate a return to the real conversation. They don't want to impersonate for very long. After they do, however, both Alice and Bob will believe that they performed the key verification, like good little users. Based on the documentation of the program, they will feel no need to do another verification. Only if they are paranoid about this attack will they ever try a verification, because with Zphone, one verification is enough for all calls into the future (and also back into the past.) If they try another one, the MITMs will get caught, but there's really no call for it.

A good time to do this might be the start of the second conversation. It would be harder to do for people who do the challenge early in the first call. For example, Alice calls Bob. Fake-Bob answers, and Fake Alice is listening and starts a call to real Bob, opening the same way real Alice did -- perhaps even playing her opening audio. "Why don't we get this authentication out of the way right away?" they both suggest.

Since Bob was called a few seconds later, fake-Bob has to make his session with Alice a bit longer. That's easy, he just takes a bit longer to read the signature for example. Then we lead to a segue into the real conversation and the real parties are connected. Bob doesn't realize his call is slightly shorter than Alice's.

Another great time to do it is at the end of the conversation. As the spies hear the conversation winding down, they could break in and replace both parties. Then they could say, "Oh wait, a minute, before we go, let's do the verification." Then they could do it, and have no need to return the parties to a normal conversation, they just complete the goodbyes.

This attack can be defeated. Starting the first call with the challenge might seem good but that's actually fairly predictable and the MITM could do this in theory. Even easier if the parties are strangers (though their voices are well known to the spies) because they will be less able to detect nuances of voice that impersonators mail fail to produce. The best way to defeat it is to insist on two verifications, initiated by the different parties. The trick to this attack is that both parties think there was a verification initiated by the other.

Another way to defeat it is, sometime well after a verification, to ask, "So, in that verification we did, did you ask for it, or did I?"

However, people won't think to ask these questions, or to double verify, unless they are looking for this attack. And they can't do this if the end-of-conversation social engineering trick is used.

This is a very sophisticated attacker, mind you. Somebody who can do this can probably get you a lot of simpler ways. So I am not going to lose a lot of sleep over it. But it goes to show that holes can be found in all sorts of ways you won't expect.

Comments

Hi Brad. I like your blog post regarding the Rich Little attack on Zfone. But please spell my name with two Ns. :-)

Regards,
Phil

Add new comment