[guardian-dev] The sound of an encrypted audio stream

Lee Azzarello lee at guardianproject.info
Wed Jul 24 19:28:35 EDT 2013


Hello Frank,

Are you referring to the two papers published through American
universities on the subject? I'm looking for a way to evaluate the
development of this science since I don't know of any generic
utilities that a script kiddie could use to do phrase recovery on a
SRTP stream.

From the content of one paper, it sounds like the science is in the
development process, rather than a solution to bring truth to the
assertion that "encryption over a VBR codec is broken." If you have
any conclusive publications on the subject could you share them?

Thanks,
Lee

On Wed, Jul 24, 2013 at 7:18 PM, Frank Rieger <frank at ccc.de> wrote:
> VBR codecs should under no circumstances be used for encrypted calls. The science for recovering enough structure to gain partial content information is way too well developed to ignore this. This has been a constant point of trouble with ZRTP-solutions and needs to be handled (crudely) at the phone software level or (better) with a patch to the respective ZRTP library that rejects VBR codecs based on the header information.
>
> Best regards,
>
> Frank Rieger
>
> ---
>
> On 23.07.2013, at 22:47, Lee Azzarello wrote:
>
>> Hello all,
>>
>> There have been some conversations recently on IRC and on the web
>> about VBR audio codecs and plaintext recovery.
>>
>> It's an interesting conversation and one which will change a lot in
>> our times. While I was testing some video call clients, I saw a bug
>> between a custom build of Linphone on Android and a nightly of Jitsi
>> on OS X where Linphone tried to play back the encrypted audio through
>> the speaker without first decrypting it.
>>
>> This is what a SRTP audio stream sounds like to a wiretap. The codec
>> is speex at 16 kHz; I believe it is VBR but I'm not certain.
>>
>> http://ge.tt/9FG7Tem/v/0?c
>>
>> -lee
>> _______________________________________________
>> Guardian-dev mailing list
>>
>> Post: Guardian-dev at lists.mayfirst.org
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>
>> To Unsubscribe
>>        Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>>        Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/frank%40ccc.de
>>
>> You are subscribed as: frank at ccc.de
>>
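
Added example (not part of the thread or of any project's code): SRTP encrypts the RTP payload but leaves the header in the clear and preserves payload length, which is the property the VBR concern in this thread rests on. This Python sketch audits captured packets for varying payload sizes per SSRC; the packets, SSRCs and frame sizes are constructed, and `make_packet` and `audit_stream` are hypothetical names.

```python
import struct
from collections import Counter

def rtp_payload_len(packet: bytes) -> int:
    """Bytes following the cleartext RTP header (ciphertext plus auth tag)."""
    if len(packet) < 12 or packet[0] >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    offset = 12 + 4 * (packet[0] & 0x0F)       # fixed header + CSRC list
    if packet[0] & 0x10:                       # X bit: header extension follows
        if len(packet) < offset + 4:
            raise ValueError("truncated header extension")
        (ext_words,) = struct.unpack_from("!H", packet, offset + 2)
        offset += 4 + 4 * ext_words
    if offset > len(packet):
        raise ValueError("truncated packet")
    return len(packet) - offset

def audit_stream(packets):
    """Histogram of payload sizes per SSRC; more than one size means the
    stream's frame lengths are visible to anyone observing the wire."""
    per_ssrc = {}
    for pkt in packets:
        size = rtp_payload_len(pkt)            # validates the header first
        (ssrc,) = struct.unpack_from("!I", pkt, 8)
        per_ssrc.setdefault(ssrc, Counter())[size] += 1
    return {ssrc: {"sizes": dict(c), "constant": len(c) == 1}
            for ssrc, c in per_ssrc.items()}

def make_packet(ssrc, seq, frame_len, tag_len=10):
    """Constructed SRTP-shaped packet: real header layout, zero-filled body.
    tag_len=10 models an 80-bit authentication tag (an assumption)."""
    header = struct.pack("!BBHII", 0x80, 97, seq, 320 * seq, ssrc)
    return header + bytes(frame_len + tag_len)

# Constructed sample: one fixed-rate stream, one variable-rate stream.
# Frame sizes are illustrative, not real codec frame sizes.
SAMPLE_PACKETS = (
    [make_packet(0x1111, i, 70) for i in range(5)] +
    [make_packet(0x2222, i, n) for i, n in enumerate([20, 38, 62, 38, 20])]
)

if __name__ == "__main__":
    for ssrc, report in audit_stream(SAMPLE_PACKETS).items():
        verdict = "constant size" if report["constant"] else "size varies"
        print(f"SSRC {ssrc:#010x}: {verdict} {report['sizes']}")
```

The auth tag adds a fixed number of bytes to every packet, so it shifts the sizes without hiding their variation.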

