ZRTP

From Wikipedia, the free encyclopedia

ZRTP is an extension to the Real-time Transport Protocol (RTP) which describes a method of Diffie-Hellman key agreement for the Secure Real-time Transport Protocol (SRTP). It was submitted to the IETF by Phil Zimmermann, Jon Callas and Alan Johnston on March 5, 2006. Session Initiation Protocol (SIP) is a VoIP standard.

Overview

ZRTP is described in the Internet-Draft as a "key agreement protocol which performs Diffie-Hellman key exchange during call setup in-band in the Real-time Transport Protocol (RTP) media stream which has been established using some other signaling protocol such as Session Initiation Protocol (SIP). This generates a shared secret which is then used to generate keys and salt for a Secure RTP (SRTP) session." One of ZRTP's features is that it does not require prior shared secrets or a public key infrastructure (PKI), yet it still protects against man-in-the-middle (MitM) attacks. It also does not rely on SIP signaling for key management, or on any servers at all. It supports opportunistic encryption by auto-sensing whether the other VoIP client supports ZRTP.

ZRTP can be used with any signaling protocol, including SIP, H.323, Jabber, and Peer-to-Peer SIP. ZRTP is independent of the signaling layer, because it does all its key negotiations in the RTP media stream.

Authentication

The Diffie-Hellman key exchange by itself does not provide protection against man-in-the-middle (MitM) attacks. To authenticate the key exchange, ZRTP uses a Short Authentication String (SAS), which is essentially a cryptographic hash of the two Diffie-Hellman values. The SAS value is rendered to both ZRTP endpoints. To carry out authentication, this SAS value is read aloud to the communication partner over the voice connection. If the values on both ends do not match, it indicates the presence of a man-in-the-middle attack. If they do match, there is a high probability that no man-in-the-middle is present. The use of hash commitment in the DH exchange constrains the attacker to only one guess to generate the correct SAS in his attack, which means the SAS can be quite short. A 16-bit SAS, for example, provides the attacker only one chance out of 65536 of not being detected.

ZRTP provides a second layer of authentication against a MitM attack, based on a form of key continuity. It does this by caching some hashed key material to use in the next call, to be mixed in with the next call's DH shared secret, giving it key continuity properties analogous to SSH. If the MitM is not present in the first call, he is locked out of subsequent calls. Thus, even if the SAS is never used, most MitM attacks are stopped, because the MitM was not present in the first call.
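
The two checks described in this section, as an added sketch that is not part of the article or of any ZRTP implementation: a 16-bit SAS computed over both DH values, and a cached secret mixed into the next call's key. The toy DH group, the hash inputs, the labels and all function names are assumptions and do not follow the ZRTP draft's actual key derivation; the hash-commitment step is left out.

```python
import hashlib
import hmac

# Toy DH group for illustration only (2**127 - 1 is prime); not a ZRTP group.
P, G = 2**127 - 1, 3
EMPTY_CACHE = bytes(32)  # first call: nothing cached yet

def enc(n):
    return n.to_bytes(16, "big")

def sas16(pub_i, pub_r):
    """16-bit SAS: truncated hash over both DH public values, as 4 hex digits."""
    return hashlib.sha256(enc(pub_i) + enc(pub_r)).hexdigest()[:4]

def endpoint(x, peer_pub, cached, initiator):
    """What one endpoint derives from its private value and the DH value it received.
    Returns (sas, session_key, secret_to_cache_for_next_call)."""
    own_pub = pow(G, x, P)
    pubs = (own_pub, peer_pub) if initiator else (peer_pub, own_pub)
    # Key continuity: the cached secret is mixed with this call's DH result.
    key = hmac.new(cached, enc(pow(peer_pub, x, P)), hashlib.sha256).digest()
    return sas16(*pubs), key, hashlib.sha256(b"retained" + key).digest()

def call(xa, xb, cache_a, cache_b, xm=None):
    """Simulate one call between A (initiator) and B.
    xm=None is a direct path; otherwise an interposer with private value xm
    has replaced the DH value on each leg with its own."""
    ya, yb = pow(G, xa, P), pow(G, xb, P)
    ym = None if xm is None else pow(G, xm, P)
    a = endpoint(xa, yb if ym is None else ym, cache_a, initiator=True)
    b = endpoint(xb, ya if ym is None else ym, cache_b, initiator=False)
    return a, b

if __name__ == "__main__":
    import secrets
    def rnd():
        return secrets.randbelow(P - 3) + 2
    a, b = call(rnd(), rnd(), EMPTY_CACHE, EMPTY_CACHE)
    print("direct first call, SAS:", a[0], b[0])
    a2, b2 = call(rnd(), rnd(), a[2], b[2], xm=rnd())
    print("interposed later call, SAS:", a2[0], b2[0], "keys equal:", a2[1] == b2[1])
```

On a direct call both sides display the same four hex digits; with substituted DH values each side hashes a different pair, so the strings read aloud differ except with probability 1 in 65536.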

Implementation

ZRTP has been implemented in a program called Zfone, which is available for different operating systems. Along with the source code and an SDK, it is available on Phil Zimmermann's website.

Twinkle also implements ZRTP and is available under the GPL for Linux.
