At Fri, 07 Nov 2008 10:53:16 -0500,
Suresh Krishnan wrote:
>
> Hi Eric,
>
> Eric Rescorla wrote:
> >> I still don't see how Bob detects the attack. Consider the following
> >> message flow.
> >>
> >> 1) Alice->Bob : INVITE (Fingerprint(Alice)) (No Tampering)
> >> 2) Alice->Bob : Certificate(Alice) (No Tampering)
> >> 3) Bob->Eve : Certificate(Bob)
> >> 4) Eve->Alice : Certificate(Eve)
> >> 5) Bob->Eve : 200 OK (Fingerprint(Bob))
> >> 6) Eve->Alice : 200 OK (Fingerprint(Eve))
> >> 7) Alice->Eve : Media encrypted with Eve's public key
> >> 8) Eve->Bob : Media (potentially different from step 7) encrypted with
> >> Bob's public key
> >>
> >> After this exchange Eve can intercept and modify media flowing from
> >> Alice to Bob without Bob detecting the attack.
> >
> > Well, I think there is some question about whether this is an attack.
> >
> > Everyone's beliefs about the system are correct:
> >
> > 1. Alice thinks she's talking to Eve. She is.
>
> Yes.
>
> > 2. Bob thinks he's talking to Eve. She is.
>
> Not really. Bob thinks he is talking to Alice. The identity, fingerprint
> and certificate of his peer in the signaling exchange belong to Alice.
> He is encrypting all the outgoing media for Alice.

I don't think what you're describing works the way you're suggesting
it does, because there is a *handshake* between the peers. Any
asymmetry between the Alice->Bob and Bob->Alice flows is detected
in the handshake.

-Ekr
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
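
Added example, not part of the original message or of any participant's code: a simplified Python model of the eight-step flow quoted above, showing that both fingerprint checks pass while a Finished value computed over each side's handshake transcript fails to verify at Bob. The certificate bytes, the shared secret, the message names and the Finished construction are constructed stand-ins, not real DTLS.

```python
import hashlib
import hmac

# Constructed stand-ins for the three certificates (not real X.509 data).
CERT_ALICE = b"constructed-cert-alice"
CERT_BOB = b"constructed-cert-bob"
CERT_EVE = b"constructed-cert-eve"

def fingerprint(cert):
    """Fingerprint of a certificate, as carried in the INVITE / 200 OK."""
    return hashlib.sha256(cert).hexdigest()

def finished(secret, transcript):
    """Simplified Finished value: a MAC over every handshake message seen."""
    h = hashlib.sha256()
    for msg in transcript:
        h.update(len(msg).to_bytes(4, "big") + msg)
    return hmac.new(secret, h.digest(), hashlib.sha256).digest()

def run_flow(eve_tampers):
    """Model steps 1-6 and the handshake check; return what each side sees."""
    # Assumption: both ends hold the same secret, the best case for Eve.
    secret = b"constructed-shared-secret"
    # Steps 1-2: Alice's fingerprint and certificate reach Bob untouched.
    invite_fp = fingerprint(CERT_ALICE)
    cert_at_bob = CERT_ALICE
    bob_fp_ok = fingerprint(cert_at_bob) == invite_fp
    # Steps 3-6: Bob sends his certificate and fingerprint; in the tampered
    # flow Alice receives Eve's certificate with a matching fingerprint.
    cert_at_alice = CERT_EVE if eve_tampers else CERT_BOB
    answer_fp = fingerprint(cert_at_alice)
    alice_fp_ok = fingerprint(cert_at_alice) == answer_fp
    # Each side MACs the handshake messages as it saw or sent them.
    alice_view = [b"ClientHello", b"ServerHello", cert_at_alice, CERT_ALICE]
    bob_view = [b"ClientHello", b"ServerHello", CERT_BOB, cert_at_bob]
    finished_ok = hmac.compare_digest(finished(secret, alice_view),
                                      finished(secret, bob_view))
    return {"alice_fp_ok": alice_fp_ok, "bob_fp_ok": bob_fp_ok,
            "finished_ok": finished_ok}

if __name__ == "__main__":
    print("untampered:", run_flow(False))
    print("tampered:  ", run_flow(True))
```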
