ZRTP is key exchange protocol designed to enable VoIP devices to agree keys for encrypting media streams (voice or video) using SRTP. ZRTP is defined in an Internet draft http://tools.ietf.org/html/draft-zimmermann-avt-zrtp.
The authors of ZRTP describe it as "Media Path Key Agreement for Secure RTP". This means that the ZRTP end points use the media stream rather than the signaling stream to establish the SRTP encryption keys. Many other key exchange protocols use the signaling stream (for example SIP or H.323) for media key exchange. The disadvantage of this approach is that the key exchange is visible to any intermediate device that processes the signaling stream.
ZRTP’s use of the media path for key agreement ensures that media keys are agreed directly between the caller and call recipient and those keys are not visible to any intermediate signalling device. This makes ZRTP an ideal choice for use on networks where signalling is processed by intermediate devices and where it is important to ensure call confidentiality.
The SAS is a cryptographic hash of some of the Diffie-Hellman values which is displayed as a word-pair on the user interface of each ZRTP device. The words are selected from the PGP word-list . This list generates 65,356 different SAS values. Users compare the displayed strings by reading them to each other. To remain undetected a MitM attacker would have to guess the correct SAS, there is only a 1 in 65,536 chance of a correct guess. Key commitment adds further defences by re-using some key material in subsequent key agreements. This feature means that a MitM would need to be present on the very first call between any pair of callers.
The ZRTP/S will promote itself as de-facto substitute of every proprietary technology used for point-to-point traditional phone call encryption and is available for free and OEM use.
The authors of ZRTP describe it as "Media Path Key Agreement for Secure RTP". This means that the ZRTP end points use the media stream rather than the signaling stream to establish the SRTP encryption keys. Many other key exchange protocols use the signaling stream (for example SIP or H.323) for media key exchange. The disadvantage of this approach is that the key exchange is visible to any intermediate device that processes the signaling stream.
ZRTP’s use of the media path for key agreement ensures that media keys are agreed directly between the caller and call recipient and those keys are not visible to any intermediate signalling device. This makes ZRTP an ideal choice for use on networks where signalling is processed by intermediate devices and where it is important to ensure call confidentiality.
Key Exchange
ZRTP is designed to provide a secure method for two VoIP end-point to securely agree encryption keys that are subsequently used to encrypt media streams (voice or video) using SRTP. ZRTP uses the Diffie-Hellman algorithm which enables secure key agreement and avoids the overhead of certificate management or any other prior setup. ZRTP supports two Diffie-Hellman variants, finite field and elliptic curve. The keys agreed by ZRTP are ephemeral which means that they are discarded at the end of a call, avoiding the need for key management.Man-in-the-Middle protection
ZRTP includes features for both detecting and preventing MitM attacks. MitM is a classic method of eavesdropping on encrypted communications. An attacker intercepts the communication and relays messages between the two end-points making each believe they have a secure channel to the other. ZRTP’s MitM defences include the use of a Short Authentication String (SAS), and Key Continuity.The SAS is a cryptographic hash of some of the Diffie-Hellman values which is displayed as a word-pair on the user interface of each ZRTP device. The words are selected from the PGP word-list . This list generates 65,356 different SAS values. Users compare the displayed strings by reading them to each other. To remain undetected a MitM attacker would have to guess the correct SAS, there is only a 1 in 65,536 chance of a correct guess. Key commitment adds further defences by re-using some key material in subsequent key agreements. This feature means that a MitM would need to be present on the very first call between any pair of callers.
End-User reassurance
The SAS provides useful reassurance to end-users that they have a secure line. By reading and comparing a word pair, users can be certain that the key exchange has completed.ZRTP on Mobile Networks
ZRTP’s use of the media stream for key agreement makes it a good choice for use on mobile networks where the network operators process the signaling protocol. A number of implementations are available for Symbian and Windows mobile cell phones.ZRTP/S for traditional telephony (GSM / ISDN)
ZRTP has been extended by KHAMSA SA in partnership with Philip Zimmermann to work on traditional telephony data communications (GSM CSD, UMTS CSD, ISDN Data call, SAT CSD, etc) narrowband channels (from 4800bps).The ZRTP/S will promote itself as de-facto substitute of every proprietary technology used for point-to-point traditional phone call encryption and is available for free and OEM use.
ZRTP Implementations
ZRTP is available as an SDK from the Zfone project web site, there are also a number of open source and commercial implementations. Implementations fall into 3 groups, phone implementations (embedded or proxies), PBX implementations and gateway implementations.Phone Implementations
- Zfone is available for different operating systems, including Mac OS X, Windows, and Linux. It's free during its beta releases, but will be available under a commercial license.
- KHAMSA SA's PrivateGSM is the first implementation of ZRTP over GSM (non-voip) for Symbian OS. A VoIP client based on PJSIP opensource ZRTP secured VoIP stack will be released in Q4 2009 for Symbian and Blackberry.
- PJSIP is a ZRTP integrated, secure, cross-platform VoIP Stack. It's released under GPL/dual license. For commercial use within ZRTP integration, licensing is provided by KHAMSA SA.
- M5T ZRTP SAFE is a ZRTP stack implemented independently.
- TiVi by Tilts Visiem a mobile VoIP SIP client with ZRTP support for Symbian, encrypts voice and video calls.
- Twinkle uses GNU ccRTP and GNU ZRTP to implement the ZRTP support. All these packages are available under the GNU General Public License.
- SIP Communicator currently has basic support for ZRTP through the ZRTP4J lib. Full support is previewed for the 1.0-rc1 release, scheduled for the end of 2008.
PBX Implementations
- An Asterisk implementation is available on the Zfone project web site.
Gateway Implementations
- The UM Labs SIP Security Controller provides a gateway implementation of ZRTP which enables a ZRTP capable phone to make calls to any SIP PBX.
- Project based implementations based on the Philip Zimmermann's Asterisk Patch are provided also by KHAMSA SA as a custom solution.
References
- ZRTP Internet Draft
- Zfone project
- RTP (RFC 3261)
- SRTP (RFC 3711)
- PGP Wordlist
Comments