Wiretapping End-to-End Encrypted VoIP Calls: Real-World Attacks on ZRTP

  1. Wiretapping End-to-End Encrypted VoIP Calls: Real-World Attacks on ZRTP. Dominik Schürmann, Fabian Kabus, Gregor Hildermeier, Lars Wolf. Institute of Operating Systems and Computer Networks, 2017-07-18.

  2. Sections: Introduction, Man-in-the-Middle, ZRTP Attacks, Conclusion
     End-to-End Security for Voice Calls
     - No End-to-End Security
       - PSTN (Public Switched Telephone Network)
       - SIP + (S)RTP (Session Initiation Protocol + Secure Real-Time Transport Protocol)
     2017-07-18, Dominik Schürmann, Wiretapping End-to-End Encrypted VoIP Calls, Page 2 of 13, Institute of Operating Systems and Computer Networks

  5. End-to-End Security for Voice Calls (three levels shown along an arrow labelled "wiretapping difficulty")
     - No End-to-End Security
       - PSTN (Public Switched Telephone Network)
       - SIP + (S)RTP (Session Initiation Protocol + Secure Real-Time Transport Protocol)
     - End-to-End Encryption
       - SIP + DTLS-SRTP (SIP + Datagram Transport Layer Security-SRTP)
     - End-to-End Encryption & Authentication
       - SIP + SRTP + ZRTP

  6. Man-in-the-Middle (Evil Operator): SIP with Encryption-only
     [Sequence diagram between Alice, SIP Server, Bob and a MitM Client. Labels recoverable from the slide: `INVITE B@example.com` with `From: A@example.com`; modified: `INVITE mitm@localhost` with `From: A@example.com`; header added: `mitm: A@example.com`; `INVITE B@example.com` with `From: mitm@localhost`; modified: `INVITE B@example.com` with `From: A@example.com`; `200 OK` responses with `From: A@example.com`; MitM Client: "connect & record"; displays: "Valid Session! B@example…" and "Valid Session! A@example…".]

  7. Man-in-the-Middle (Evil Operator): Encryption & Authentication with ZRTP
     [Same sequence diagram between Alice, SIP Server, Bob and a MitM Client as on the previous slide, with one addition: the two displays show different values, "ZRTP SAS: bz4f" and "ZRTP SAS: utd9", next to "Valid Session! B@example…" and "Valid Session! A@example…".]

  8. ZRTP Attacks
     - ZRTP
       - Complex protocol
       - Authenticates Diffie-Hellman key exchange
       - Authentication by comparison of Short Authentication Strings (SAS)
       - Hash commitment constrains an online attacker to one try per call
     - Evaluation of Real-World Implementations
       - Excluded closed-network implementations
       - Excluded attacks with speech synthesis
       - Assume correctly compared SAS

  9. Evaluation

     Apps:

     | Application        | OS              | Version | Library |
     |--------------------|-----------------|---------|---------|
     | Acrobits Softphone | iOS             | 5.8.1   | -       |
     | CSipSimple         | Android         | 1.02.03 | ZRTP4PJ |
     | Jitsi              | Win, Lin, MacOS | 2.9.0   | ZRTP4J  |
     | Linphone Android   | Android         | 3.1.1   | bzrtp   |
     | Signal             | Android         | 3.15.2  | -       |
     | Signal             | iOS             | 2.6.4   | -       |

     Tests:
     - Paper: 7 protocol tests, 4 non-protocol tests
     - Presentation: Most interesting results

  10. ZRTP in a Nutshell (Highly Simplified), with I the initiator and R the responder
      - F1-F4: Hello (I ↔ R)
      - I: $pvi = g^{svi} \bmod p$, $hvi = \mathrm{hash}(pvi)$
      - F5: I → R: Commit($hvi$)
      - R: $pvr = g^{svr} \bmod p$
      - F6: R → I: DHPart1($pvr$)
      - I: $DHResult = pvr^{svi} \bmod p$
      - F7: I → R: DHPart2($pvi$)
      - R: $DHResult = pvi^{svr} \bmod p$
      - $SAS = KDF(DHResult \,\|\, IDs \,\|\, HashOfMessages)$
      - F8-F10: Confirm
      - Verbal comparison of SAS (I ↔ R)

  11. Check for Invalid Commit
      - F1-F4: Hello (I ↔ R)
      - I: $pvi = g^{svi} \bmod p$, $hvi = \mathrm{hash}(pvi)$
      - F5: I → R: Commit($hvi$)
      - R: $pvr = g^{svr} \bmod p$
      - F6: R → I: DHPart1($pvr$)
      - I: $DHResult = pvr^{svi} \bmod p$
      - F7: I → R: DHPart2($pvi$)
      - R: $DHResult = pvi^{svr} \bmod p$, and the check $hvi \stackrel{?}{=} \mathrm{hash}(pvi)$
      - $SAS = KDF(DHResult \,\|\, IDs \,\|\, HashOfMessages)$
      - F8-F10: Confirm
      - Verbal comparison of SAS (I ↔ R)

  12. Invalid Commit: Linphone
      [Plot: y-axis from 0% to 100%, x-axis "number of tries" from 0 to 2×10^6, two curves labelled "16 bits (B256)" and "20 bits (B32)".]
      Figure: Linphone CVE-2016-6271: Probability of hitting a targeted SAS

  13. RFC: Error on Invalid Shared Secret
      - ZRTP stores secrets when user confirms SAS
      - Cache: ZRTP ID assigned to $rs1 = KDF(DHResult)$ (highly simplified)
      - Next call no longer requires Diffie-Hellman and no SAS comparison
      - RFC: "If either party discovers a cache mismatch, the user agent who makes this discovery must treat this as a possible security event and MUST alert their own user that there is a heightened risk of a MiTM attack […]"

  14. RFC: Error on Invalid Shared Secret
      - Questionable requirement in RFC
      - CSipSimple, Linphone do not implement this
      - Bug in Jitsi (ZRTP4J)
        - A new cache entry copies the secrets and flags from the last saved one
        - Invalid security warning is raised for new clients

  16. Shared Man-in-the-Middle Attack
      1. Call between Eve & Alice, confirm SAS ⇒ $rs1_A$ for Eve in Alice's cache
      2. Call between Eve & Bob, confirm SAS ⇒ $rs1_B$ for Eve in Bob's cache
      3. Eve conducts MitM attack (evil operator) ⇒ No SAS confirmation, Eve has $rs1_A$, $rs1_B$ in her cache
      4. SIP addresses shown: Alice: B@example.com, Bob: A@example.com

      Why Does This Work?
      - No ID binding to outer protocol
      - ZRTP works independent of SIP addresses with random IDs ⇒ Cache uses ZRTP ID for lookup
      - Alice and Bob's cache lookup by Eve's ZRTP ID

  17. Shared Man-in-the-Middle
      - Signal: No cache ⇒ Secure
      - Acrobits Softphone: RFC-compliant protection
      - Other implementations: Insecure
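The commitment check from the "Check for Invalid Commit" and "Invalid Commit: Linphone" slides, as an added example that is not code from the slides or from any of the tested libraries. It shows a responder with and without the $hvi \stackrel{?}{=} \mathrm{hash}(pvi)$ check. The toy group, the class and function names, and the model in `p_hit` (each try an independent uniform draw over the SAS space) are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy group (assumption, illustration only); real ZRTP uses 3072-bit DH or ECDH.
P = 2**127 - 1
G = 3

def h(pv: int) -> bytes:
    """hvi = hash(pvi), simplified like the slide (ZRTP hashes the whole DHPart2 message)."""
    return hashlib.sha256(pv.to_bytes(16, "big")).digest()

class Responder:
    def __init__(self, verify_commit: bool = True):
        self.verify_commit = verify_commit
        self.svr = secrets.randbelow(P - 2) + 1
        self.pvr = pow(G, self.svr, P)
        self.hvi = b""

    def on_commit(self, hvi: bytes) -> int:
        """F5: remember the commitment, answer with DHPart1(pvr) (F6)."""
        self.hvi = hvi
        return self.pvr

    def on_dhpart2(self, pvi: int) -> int:
        """F7: check hvi ?= hash(pvi) before deriving DHResult."""
        if self.verify_commit and not hmac.compare_digest(self.hvi, h(pvi)):
            raise ValueError("DHPart2 does not match the hash sent in Commit")
        return pow(pvi, self.svr, P)

def run_exchange(responder: Responder, committed_pvi: int, sent_pvi: int) -> int:
    """Commit to one public value, then send a (possibly different) one in DHPart2."""
    responder.on_commit(h(committed_pvi))
    return responder.on_dhpart2(sent_pvi)

def p_hit(sas_bits: int, tries: int) -> float:
    """Chance that at least one of `tries` uniformly random SAS values equals a target."""
    return 1.0 - (1.0 - 2.0 ** -sas_bits) ** tries

if __name__ == "__main__":
    pvi = pow(G, 1234567, P)  # constructed sample value
    for verify in (True, False):
        try:
            run_exchange(Responder(verify), pvi, pvi * G % P)
            print(f"verify_commit={verify}: mismatching DHPart2 accepted")
        except ValueError as err:
            print(f"verify_commit={verify}: rejected ({err})")
    for bits, label in ((16, "B256"), (20, "B32")):
        print(label, [round(p_hit(bits, n), 3) for n in (1, 500_000, 2_000_000)])
```

With the check in place the peer is bound to the value it committed to, which is the "one try per call" property named on the "ZRTP Attacks" slide; without it, the chance of matching a chosen SAS grows with the number of tries as `p_hit` shows for the 16-bit and 20-bit renderings.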
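The cache lookup behind the "Shared Man-in-the-Middle Attack" slides, as an added example that is not code from the slides or from any ZRTP library. It models a cache keyed by ZRTP ID alone next to a cache that also binds the entry to the SIP address. `BoundCache` is a hypothetical mitigation assumed here, and the ZID value, `E@example.com` and all class and function names are constructed for the example.

```python
import hashlib
import hmac

def rs1(dh_result: bytes) -> bytes:
    """rs1 = KDF(DHResult), highly simplified as on the slide."""
    return hashlib.sha256(b"retained secret" + dh_result).digest()

class ZidOnlyCache:
    """Lookup by the peer's ZRTP ID alone, the behaviour the slides describe."""
    def __init__(self):
        self.entries = {}

    def store(self, zid: bytes, sip_uri: str, secret: bytes) -> None:
        self.entries[zid] = secret  # sip_uri is ignored

    def lookup(self, zid: bytes, sip_uri: str):
        return self.entries.get(zid)

class BoundCache(ZidOnlyCache):
    """Hypothetical mitigation: bind the entry to the SIP address shown at SAS confirmation."""
    def store(self, zid, sip_uri, secret):
        self.entries[(zid, sip_uri)] = secret

    def lookup(self, zid, sip_uri):
        return self.entries.get((zid, sip_uri))

def needs_sas_comparison(cache, peer_zid, displayed_sip_uri, peer_rs1) -> bool:
    """True when the user has to compare the SAS verbally for this call."""
    cached = cache.lookup(peer_zid, displayed_sip_uri)
    return cached is None or not hmac.compare_digest(cached, peer_rs1)

# Constructed sample values: a 96-bit ZID and a SIP address for Eve.
EVE_ZID = bytes.fromhex("00112233445566778899aabb")
EVE_SIP = "E@example.com"

def later_call(cache_cls, displayed_sip_uri: str) -> bool:
    """Alice confirmed the SAS with Eve once; does a later call with Eve's ZID need it again?"""
    cache = cache_cls()
    secret = rs1(b"DHResult of the first Alice-Eve call")
    cache.store(EVE_ZID, EVE_SIP, secret)
    return needs_sas_comparison(cache, EVE_ZID, displayed_sip_uri, secret)

if __name__ == "__main__":
    for cls in (ZidOnlyCache, BoundCache):
        print(cls.__name__, "call shown as B@example.com needs SAS:",
              later_call(cls, "B@example.com"))
```

The ZID-only cache treats a call displayed as B@example.com as already verified because the entry for Eve's ZID matches; the bound cache finds no entry for that pair and falls back to SAS comparison.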
