Jump to content

ZRTP: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
No edit summary
Prz (talk | contribs)
Added some material on leveraging the SIP layer to augment the authentication. - ~~~~
Line 18: Line 18:


ZRTP provides a second layer of authentication against a MitM attack, based on a form of key continuity. It does this by caching some hashed key material to use in the next call, to be mixed in with the next call's DH shared secret, giving it key continuity properties analogous to [[Secure Shell|SSH]]. If the MitM is not present in the first call, he is locked out of subsequent calls. Thus, even if the SAS is never used, most MitM attacks are stopped, because they weren't present in the first call.
ZRTP provides a second layer of authentication against a MitM attack, based on a form of key continuity. It does this by caching some hashed key material to use in the next call, to be mixed in with the next call's DH shared secret, giving it key continuity properties analogous to [[Secure Shell|SSH]]. If the MitM is not present in the first call, he is locked out of subsequent calls. Thus, even if the SAS is never used, most MitM attacks are stopped, because they weren't present in the first call.

ZRTP provides yet a third layer of protection against a MitM attack. The [[Internet Engineering Task Force|IETF]] plans to add integrity protection to the delivery of [[Session_Initiation_Protocol|SIP]] information, and that integrity protection will rely on a [[Public key infrastructure|PKI]]. When this eventually deploys, ZRTP can take advantage of this. See the ZRTP Internet Draft on how ZRTP can leverage an integrity-protected SIP layer to provide integrity protection for ZRTP's Diffie-Hellman exchange in the media layer. This protects against a MitM attack, without requiring the users to verbally compare the SAS. However, no VoIP clients yet offer a fully implemented SIP stack that provides end-to-end integrity protection for the delivery of SIP information. Thus, real-world implementations of ZRTP endpoints will continue to depend on SAS authentication for quite some time. Even after there is widespread availability of SIP products that offer integrity protection, many users will still be faced with the fact that the signaling path may be controlled by institutions that do not have the best interests of the end user in mind. In those cases, ZRTP's built-in SAS authentication will remain the gold standard for the prudent user.


==Implementation==
==Implementation==

Revision as of 06:53, 9 June 2008

ZRTP is a cryptographic key-agreement protocol to negotiate the keys to encrypt VoIP phone calls. ZRTP describes a method of Diffie-Hellman key agreement for Secure Real-time Transport Protocol (SRTP). It was submitted to the IETF by Phil Zimmermann, Jon Callas and Alan Johnston on March 5, 2006.

Overview

ZRTP is described in the Internet-Draft as a "key agreement protocol which performs Diffie-Hellman key exchange during call setup in-band in the Real-time Transport Protocol (RTP) media stream which has been established using some other signaling protocol such as Session Initiation Protocol (SIP). This generates a shared secret which is then used to generate keys and salt for a Secure RTP (SRTP) session." One of ZRTP's features is that it does not rely on SIP signaling for the key management, or on any servers at all. It supports opportunistic encryption by auto-sensing if the other VoIP client supports ZRTP.

This protocol does not require prior shared secrets or rely on a Public key infrastructure (PKI) or on certification authorities, in fact ephemeral Diffie-Hellman keys are generated on each session establishment: this allows to bypass the complexity of creating and maintaining a trusted third-party.

These keys will contribute to the generation of the session secret, from which the session key and parameters for SRTP sessions will come, along with previously shared secrets (if some): this gives protection against man in the middle (MitM) attacks, assuming the attacker was not present in the first session between the two endpoints.

To ensure that the attacker is indeed not present in the first session (when no shared secrets exist) , the Short Authentication String method is used: the two endpoint compare a value by reading it aloud. In case the two values match, then no MitM attack has been performed.

ZRTP can be used with any signaling protocol, including SIP, H.323, Jingle, and Peer-to-Peer SIP. ZRTP is independent of the signaling layer, because it does all its key negotiations in the RTP media stream.

Authentication

The Diffie-Hellman key exchange by itself does not provide protection against man in the middle (MitM) attacks. To authenticate the key exchange, ZRTP uses a Short Authentication String (SAS), which is essentially a cryptographic hash of the two Diffie-Hellman values. The SAS value is rendered to both ZRTP endpoints. To carry out authentication, this SAS value is read aloud to the communication partner over the voice connection. If the values on both ends do not match, it indicates the presence of a man-in-middle attack. If they do match, there is a high probability that no man-in-the-middle is present. The use of hash commitment in the DH exchange constrains the attacker to only one guess to generate the correct SAS in his attack, which means the SAS can be quite short. A 16-bit SAS, for example, provides the attacker only one chance out of 65536 of not being detected.

ZRTP provides a second layer of authentication against a MitM attack, based on a form of key continuity. It does this by caching some hashed key material to use in the next call, to be mixed in with the next call's DH shared secret, giving it key continuity properties analogous to SSH. If the MitM is not present in the first call, he is locked out of subsequent calls. Thus, even if the SAS is never used, most MitM attacks are stopped, because they weren't present in the first call.

ZRTP provides yet a third layer of protection against a MitM attack. The IETF plans to add integrity protection to the delivery of SIP information, and that integrity protection will rely on a PKI. When this eventually deploys, ZRTP can take advantage of this. See the ZRTP Internet Draft on how ZRTP can leverage an integrity-protected SIP layer to provide integrity protection for ZRTP's Diffie-Hellman exchange in the media layer. This protects against a MitM attack, without requiring the users to verbally compare the SAS. However, no VoIP clients yet offer a fully implemented SIP stack that provides end-to-end integrity protection for the delivery of SIP information. Thus, real-world implementations of ZRTP endpoints will continue to depend on SAS authentication for quite some time. Even after there is widespread availability of SIP products that offer integrity protection, many users will still be faced with the fact that the signaling path may be controlled by institutions that do not have the best interests of the end user in mind. In those cases, ZRTP's built-in SAS authentication will remain the gold standard for the prudent user.

Implementation

ZRTP has been implemented into a program called Zfone which is available for different operating systems. Along with the source code and an SDK, it is available on Phil Zimmermann's website.

Twinkle uses GNU ccRTP and GNU ZRTP to implement the ZRTP support. All these packets are available under GPL. Ekiga has planned[1] to support ZRTP in its upcomming 3.0 release. X-Lite, eyeBeam and M5T ZRTP SAFE implement ZRTP but are proprietary.

Atelier is developing Zfone software for Symbian OS smartphones.

See also

  1. ^ See Ekigas Roadmap to 3.0