[messaging] Viber's New End-to-End Authentication

Wasa Bee wasabee18 at gmail.com
Sat Apr 23 00:08:44 PDT 2016


This may be the paper "Wiretapping via Mimicry: Short Voice Imitation
Man-in-the-Middle Attacks on Crypto Phones" [0].

[0] https://www.cis.uab.edu/saxena/docs/ss-ccs14.pdf

On Sat, Apr 23, 2016 at 6:10 AM, Ben Laurie <ben at links.org> wrote:

> On 20 April 2016 at 17:54, Michael Farb <mwfarb at cmu.edu> wrote:
> > Does anyone know about the end to end messaging protocol used by Viber in
> > the release they announced yesterday? I believe it’s closed source, but I’d
> > be curious to know if they have posted the general protocol anywhere. I’ve
> > not found anything yet. I’m curious to know if it’s based on the ratchet
> > used for Signal or not.
> >
> > https://support.viber.com/customer/portal/articles/2017401-viber-security-faq
> >
> > What I really like is the improved UX for authentication I’ve not seen yet.
> > They use their own real-time channel (voice) to guide the user through the
> > fingerprint readout. Now, real-time channels are available through many
> > tools, but I think this is the first time I’ve seen a text messaging service
> > do this (ZRTP in video calls and voice calls notwithstanding).
>
> I can't find it right now, but there was a paper in the last year or
> so about attacking voice channels for fingerprinting by using a mitm
> with voice synthesis. Apparently it works pretty well.
>
> >
> > What I’d like to see next: A way to prevent accepting the fingerprint
> > without reading it similar to SafeSlinger, with perhaps a shorter hash to
> > confirm.
> >
> > Cheers,
> > Mike
> >
> > Michael W. Farb
> > Research Programmer, Carnegie Mellon University CyLab
> > www.cylab.cmu.edu/safeslinger
> >
>
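
The idea raised in the quoted message (no plain "accept" button, a short hash that has to be compared), sketched as an added example that is not part of this thread and is not Viber's or SafeSlinger's code. The word list, the sample keys and all function names are constructed for illustration, and the users' spoken comparison is simulated by `phrase_in_common`.

```python
import hashlib
import secrets

# Constructed 16-word list (4 bits per word); illustrative only.
WORDS = ["amber", "birch", "cedar", "delta", "ember", "flint", "grove", "harbor",
         "iris", "jade", "kelp", "lotus", "maple", "nectar", "onyx", "pearl"]

def phrase_from_bytes(data: bytes, n_words: int = 4) -> str:
    """Map the leading 4-bit nibbles of `data` to words (16 bits for 4 words)."""
    nibbles = [n for b in data for n in (b >> 4, b & 0x0F)]
    return " ".join(WORDS[n] for n in nibbles[:n_words])

def session_phrase(own_key: bytes, peer_key: bytes) -> str:
    """Both ends hash the two public keys in sorted order, so the phrases
    agree exactly when each side holds the other's real key."""
    first, second = sorted([own_key, peer_key])
    digest = hashlib.sha256(len(first).to_bytes(2, "big") + first + second).digest()
    return phrase_from_bytes(digest)

def build_choices(correct: str, n_decoys: int = 2) -> list:
    """Hide the real phrase among random decoys so accepting needs a comparison."""
    choices = {correct}
    while len(choices) < n_decoys + 1:
        choices.add(phrase_from_bytes(secrets.token_bytes(2)))
    shuffled = list(choices)
    secrets.SystemRandom().shuffle(shuffled)
    return shuffled

def phrase_in_common(choices_a: list, choices_b: list):
    """Stand-in for the two users reading their lists aloud to each other."""
    common = set(choices_a) & set(choices_b)
    return common.pop() if len(common) == 1 else None  # None means "no match"

def run_exchange(view_a: tuple, view_b: tuple) -> tuple:
    """Each view is (own_key, peer_key_as_received). Returns (a_accepts, b_accepts)."""
    real_a, real_b = session_phrase(*view_a), session_phrase(*view_b)
    picked = phrase_in_common(build_choices(real_a), build_choices(real_b))
    return (picked == real_a, picked == real_b)

# Constructed sample keys; KEY_M stands for a key substituted by a man-in-the-middle.
KEY_A, KEY_B, KEY_M = b"A" * 32, b"B" * 32, b"M" * 32

if __name__ == "__main__":
    print("honest:", run_exchange((KEY_A, KEY_B), (KEY_B, KEY_A)))
    print("substituted key:", run_exchange((KEY_A, KEY_M), (KEY_B, KEY_M)))
```

A 16-bit phrase like this is only sound when the protocol commits to the keys before they are revealed, which this sketch does not implement.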