ZRTP is key exchange protocol designed to enable VoIP devices to agree keys for encrypting media streams (voice or video) using SRTP. ZRTP is defined in an Internet draft http://tools.ietf.org/html/draft-zimmermann-avt-zrtp.

The authors of ZRTP describe it as "Media Path Key Agreement for Secure RTP". This means that the ZRTP end points use the media stream rather than the signaling stream to establish the SRTP encryption keys. Many other key exchange protocols use the signaling stream (for example SIP or H.323) for media key exchange. The disadvantage of this approach is that the key exchange is visible to any intermediate device that processes the signaling stream.

ZRTP’s use of the media path for key agreement ensures that media keys are agreed directly between the caller and call recipient and those keys are not visible to any intermediate signalling device. This makes ZRTP an ideal choice for use on networks where signalling is processed by intermediate devices and where it is important to ensure call confidentiality.

Key Exchange

ZRTP is designed to provide a secure method for two VoIP end-point to securely agree encryption keys that are subsequently used to encrypt media streams (voice or video) using SRTP. ZRTP uses the Diffie-Hellman algorithm which enables secure key agreement and avoids the overhead of certificate management or any other prior setup. ZRTP supports two Diffie-Hellman variants, finite field and elliptic curve. The keys agreed by ZRTP are ephemeral which means that they are discarded at the end of a call, avoiding the need for key management.

Man-in-the-Middle protection

ZRTP includes features for both detecting and preventing MitM attacks. MitM is a classic method of eavesdropping on encrypted communications. An attacker intercepts the communication and relays messages between the two end-points making each believe they have a secure channel to the other. ZRTP’s MitM defences include the use of a Short Authentication String (SAS), and Key Continuity.

The SAS is a cryptographic hash of some of the Diffie-Hellman values which is displayed as a word-pair on the user interface of each ZRTP device. The words are selected from the PGP word-list . This list generates 65,356 different SAS values. Users compare the displayed strings by reading them to each other. To remain undetected a MitM attacker would have to guess the correct SAS, there is only a 1 in 65,536 chance of a correct guess. Key commitment adds further defences by re-using some key material in subsequent key agreements. This feature means that a MitM would need to be present on the very first call between any pair of callers.

End-User reassurance

The SAS provides useful reassurance to end-users that they have a secure line. By reading and comparing a word pair, users can be certain that the key exchange has completed.

ZRTP on Mobile Networks

ZRTP’s use of the media stream for key agreement makes it a good choice for use on mobile networks where the network operators process the signaling protocol. A number of implementations are available for Symbian and Windows mobile cell phones.

ZRTP/S for traditional telephony (GSM / ISDN)

ZRTP has been extended by PrivateWave in partnership with Philip Zimmermann to work on traditional telephony data communications (GSM CSD, UMTS CSD, ISDN Data call, SAT CSD, etc) narrowband channels (from 4800bps).

ZRTP Implementations

There are multiple ZRTP protocol implementation such as
  • GNU ZRTP opensource (GPL) c++ implementation of ZRTP with DH key exchange
  • iCall Open ZRTP opensource (LGPL) c++ implementation of ZRTP with DH key exchange
  • M5T ZRTP SAFE is a ZRTP stack implemented independently.
  • Zfone Project first reference c implementation of ZRTP by Philip Zimmermann
  • zrtp.org ZORG opensource c++ and java implementations of ZRTP with Elliptic Curve key exchange optimized for Mobile networks and integrated with PJSIP

There are also a number of open source and commercial implementations. Implementations fall into 3 groups, phone implementations (embedded or proxies), PBX implementations and gateway implementations.

Phone Implementations

  • iCall 7 uses Open ZRTP.
  • PhonerLite uses an own proprietary ZRTP implementation.
  • PJSIP is integrated with ZORG zrtp.org implementation integrated, secure, cross-platform VoIP Stack. It's released under GPL/dual license. For commercial use within ZRTP integration, licensing is provided by PrivateWave.
  • PrivateWave PrivateGSM CSD is the first implementation of ZRTP over GSM (non-voip) for Symbian OS.
  • PrivateWave PrivateGSM VoIP is the implementation of ZRTP over IP (GPRS,EDGE,UMTS) for Blackberry, iPhone and Nokia S60 phones.
  • SIP Communicator currently has basic support for ZRTP through the ZRTP4J lib. Full support is previewed for the 1.0-rc1 release, scheduled for the end of 2008.
  • Taki softphone for BlackBerry 10 OS uses PJSIP with GNU ZRTP.
  • TiVi by Tilts Visiem a mobile VoIP SIP client with ZRTP support for Symbian, encrypts voice and video calls.
  • Twinkle uses GNU ccRTP and GNU ZRTP to implement the ZRTP support. All these packages are available under the GNU General Public License.
  • Zfone is available for different operating systems, including Mac OS X, Windows, and Linux. It's free during its beta releases, but will be available under a commercial license.

PBX Implementations

  • An Asterisk implementation is available on the Zfone project web site.
  • A Freeswitch implementation is available as part of the core Freeswitch distribution web site.

Gateway Implementations

  • The UM Labs SIP Security Controller provides a gateway implementation of ZRTP which enables a ZRTP capable phone to make calls to any SIP PBX.
  • Project based implementations based on the Philip Zimmermann's Asterisk Patch are provided also by KHAMSA SA as a custom solution.


Created by: umlabs, Last modification: Thu 16 of Jul, 2015 (03:34 UTC) by svoip
Please update this page with new information, just login and click on the "Edit" or "Discussion" tab. Get a free login here: Register Thanks! - Find us on Google+