ZRTP: Difference between revisions

Content deleted Content added

Inline

Revision as of 19:26, 29 May 2012

ZRTP is a cryptographic key-agreement protocol to negotiate the keys for encryption between two end points in a Voice over Internet Protocol (VoIP) phone telephony call based on the Real-time Transport Protocol. It uses Diffie-Hellman key exchange and the Secure Real-time Transport Protocol (SRTP) for encryption. ZRTP was developed by Phil Zimmermann, with help from Zooko Wilcox-O'Hearn and Colin Plumb and was submitted to the Internet Engineering Task Force (IETF) by Phil Zimmermann, Jon Callas and Alan Johnston on March 5, 2006 ^[1] and published on April 11, 2011 as RFC 6189.

Overview

ZRTP is described in the Internet Draft as a "key agreement protocol which performs Diffie-Hellman key exchange during call setup in-band in the Real-time Transport Protocol (RTP) media stream which has been established using some other signaling protocol such as Session Initiation Protocol (SIP). This generates a shared secret which is then used to generate keys and salt for a Secure RTP (SRTP) session." One of ZRTP's features is that it does not rely on SIP signaling for the key management, or on any servers at all. It supports opportunistic encryption by auto-sensing if the other VoIP client supports ZRTP.

This protocol does not require prior shared secrets or rely on a Public key infrastructure (PKI) or on certification authorities, in fact ephemeral Diffie-Hellman keys are generated on each session establishment: this allows the complexity of creating and maintaining a trusted third-party to be bypassed.

These keys contribute to the generation of the session secret, from which the session key and parameters for SRTP sessions are derived, along with previously shared secrets (if any): this gives protection against man-in-the-middle (MiTM) attacks, so long as the attacker was not present in the first session between the two endpoints.

To ensure that the attacker is indeed not present in the first session (when no shared secrets exist), the Short Authentication String method is used: the communicating parties verbally cross-check a shared value displayed at both endpoints. If the values do not match, a man-in-the-middle attack is indicated. (In late 2006 the US NSA developed an experimental voice analysis and synthesis system to defeat this protection,^[2] but this class of attack is not believed to be a serious risk to the protocol's security.^[1])

ZRTP can be used with any signaling protocol, including SIP, H.323, Jingle, and distributed hash table systems. ZRTP is independent of the signaling layer, because all its key negotiations occur via the RTP media stream.

ZRTP/S, a ZRTP protocol extension, can run on any kind of legacy telephony networks including GSM, UMTS, ISDN, PSTN, SATCOM, UHF/VHF radio, because it is a narrow-band bitstream-oriented protocol and performs all key negotiations inside the bitstream between two endpoints.

Alan Johnston named the protocol ZRTP because in its earliest Internet drafts^[1] it was based on adding header extensions to RTP packets, which made ZRTP a variant of RTP. In later drafts the packet format changed to make it syntactically distinguishable from RTP. In view of that change, ZRTP is now a pseudo-acronym.

Authentication

The Diffie-Hellman key exchange by itself does not provide protection against a man-in-the-middle attack. To authenticate the key exchange, ZRTP uses a Short Authentication String (SAS), which is essentially a cryptographic hash of the two Diffie-Hellman values. The SAS value is rendered to both ZRTP endpoints. To carry out authentication, this SAS value is read aloud to the communication partner over the voice connection. If the values on both ends do not match, a man-in-middle attack is indicated; if they do match, a man-in-the-middle attack is highly unlikely. The use of hash commitment in the DH exchange constrains the attacker to only one guess to generate the correct SAS in the attack, which means the SAS may be quite short. A 16-bit SAS, for example, provides the attacker only one chance out of 65536 of not being detected.

ZRTP provides a second layer of authentication against a MitM attack, based on a form of key continuity. It does this by caching some hashed key information for use in the next call, to be mixed in with the next call's DH shared secret, giving it key continuity properties analogous to SSH. If the MitM is not present in the first call, he is locked out of subsequent calls. Thus, even if the SAS is never used, most MitM attacks are stopped because the MitM was not present in the first call.

Free ZRTP implementation

SFLphone has ZRTP support integrated and is available under GNU General Public License.
Twinkle uses GNU ccRTP and GNU ZRTP to implement the ZRTP support. All these packages are available under the GNU General Public License.
Jitsi supports ZRTP through the ZRTP4J lib. Full support is available in the release candidates and is also scheduled for inclusion in the final 1.0 release.
FreeSWITCH currently has basic support for ZRTP through the libzrtp SDK.
CSipSimple is an Android mobile client which supports ZRTP through the ZRTP4PJ lib that uses GNU ZRTP adapted for pjsip. This feature is developmental and must be installed from a nightly build of the application.
Phoner Lite

Operating environment

ZRTP protocol has been implemented and used on the following platforms: Windows, Linux, Mac OS X, iPhone, Symbian, BlackBerry, Android.
ZRTP protocol has been implemented in the following languages: C, C++, Java
ZRTP protocol has been used successfully on the following transport media: WiFi, UMTS, EDGE, GPRS, Satellite IP modem, GSM CSD, ISDN

References

^ ^a ^b ^c Zimmermann, Phil (2010-06-17). "Internet-Draft. ZRTP: Media Path Key Agreement for Unicast Secure RTP". Retrieved 2010-06-17. Cite error: The named reference "zrtp" was defined multiple times with different content (see the help page).
^ Cryptologic Quarterly, Volume 26, Number 4

External links

The Zfone Project - ZRTP Specification and reference ZRTP protocol implementation in C
RFC 6189 - ZRTP: Media Path Key Agreement for Unicast Secure RTP
ZORG zrtp.org opensource ZRTP protocol implementation in c++ and Java optimized for mobile phones under GNU General Public License integrated with PJSIP and MJSIP telephony framework
GNU ZRTP opensource ZRTP protocol implementation in c++ and Java under GNU General Public License integrated with GNU TELEPHONY framework
Open ZRTP opensource ZRTP protocol implementation in c++ under GNU Lesser General Public License integrated with PJSIP framework, maintained by iCall

[zrtp-1] Zimmermann, Phil (2010-06-17). "Internet-Draft. ZRTP: Media Path Key Agreement for Unicast Secure RTP". Retrieved 2010-06-17. Cite error: The named reference "zrtp" was defined multiple times with different content (see the help page).

[2] Cryptologic Quarterly, Volume 26, Number 4

[1]

[2]

@@ Line 64: / Line 64: @@
 * [http://zfoneproject.com/zrtp_ietf.html The Zfone Project] - ZRTP Specification and reference ZRTP protocol implementation in C
 * [http://tools.ietf.org/html/rfc6189 RFC 6189] - ZRTP: Media Path Key Agreement for Unicast Secure RTP
+* [http://www.zrtp.org/ ZORG zrtp.org] opensource ZRTP protocol implementation in c++ and Java optimized for mobile phones under [[GNU General Public License]] integrated with [http://www.pjsip.org PJSIP] and [http://www.mjsip.org MJSIP] telephony framework
+* [http://www.gnutelephony.org/index.php/GNU_ZRTP GNU ZRTP] opensource ZRTP protocol implementation in c++ and Java under [[GNU General Public License]] integrated with [http://www.gnutelephony.org GNU TELEPHONY] framework
+* [https://code.google.com/p/open-zrtp/ Open ZRTP] opensource ZRTP protocol implementation in c++ under [[GNU Lesser General Public License]]  integrated with [http://www.pjsip.org PJSIP] framework, maintained by [[iCall]]
 {{DEFAULTSORT:Zrtp}}