[messaging] Viber's New End-to-End Authentication

Michael Farb mwfarb at cmu.edu
Fri Apr 22 14:37:06 PDT 2016


> On Apr 21, 2016, at 11:10 AM, Frederic Jacobs <lists at fredericjacobs.com> wrote:

> Interestingly, I think they are performing the authentication over an un-authenticated channel. It is my understanding that the “secret identification” is not tied to the authentication of the WebRTC session.
> 
> I think that SilentCircle has a more elegant solution when it comes to integrating two different authentication mechanisms (one for voice and one for messaging).
> They add the ZINA's (their ratchet) identity key in the ZRTP confirm packet, so it’s part of the SAS that is verified on calls. It’s nice because SAS are shorter than key fingerprints and yet reasonably secure.

Thanks for sharing this Frederic. I’ll have to take a closer look at SilentCircle. It would be good to know if users can habituate to avoid reading the SAS.

