[messaging] Pour one out for "voice authentication"
torfone at ukr.net
Mon Jan 5 01:07:32 PST 2015
Philip Zimmermann wrote in 1996 (PGPfone Owner’s Manual):
"There is still one difficult ploy that Eve can do to pull off the attack anyway. She can imitate Bob’s voice to Alice, and Alice’s voice to Bob, reading a different authentication word sequence to each of them. I call this the “Rich Little” attack (named after a voice impersonator who did a really great Dick Nixon). This is a daring attack -- meaning there is a high risk of the attack being detected."
A professional actor is much cheaper and more realistic for mounting a MitM in real time, given the distortions introduced by the codec.
Last year I worked on deniable voice authentication for Session Initiation of the Axolotl-like email protocol without using PKI, but declined it due to insecurity. The idea is in the document: