Mike Ingle quotes Matt Blaze (and I paraphrase):
[...] so the procedure for placing a secure call is to recognize each other's voice in the clear mode, go secure, and read the hash value to each other [...] you have to rely on prior knowledge of each other's voice. [...]
This is out of band WRT the encryption engine. Note that it can be used exactly like an asymmetric encryption key for authentication. You know the other persons signature/voice in advance and it is hard for an attacker to reproduce it.
[an attacker could] trick you into saying some numbers, digitally record them, and then rearrange them and play them back.
The 'replay' attack. Of course you always make the other person say the hash _and_ some (never reused?) data in a lump (re: my earlier post -- concatenate your challenge data with their a^x before signing) for instance: "Bob, please sing me the hash to the tune of 'Raindrops Keep Fallin' on My Head'" (Security can be fun).
Or introduce enough line noise so the person couldn't recognize your voice, and read the fake key
Signature not valid. Sorry Bob, I'll have to call you back. That is, _if_ it's really you. Scott Collins | "Few people realize what tremendous power there | is in one of these things." -- Willy Wonka ......................|................................................ BUSINESS. voice:408.862.0540 fax:974.6094 collins@newton.apple.com Apple Computer, Inc. 5 Infinite Loop, MS 305-2B Cupertino, CA 95014 ....................................................................... PERSONAL. voice/fax:408.257.1746 1024:669687 catalyst@netcom.com