ZRTP
ZRTP (composed of "Z" and " Real-time Transport Protocol ") is a cryptographic key exchange protocol to negotiate the keys for encryption between two endpoints of an IP telephone call (VoIP) based on the Real-time Transport Protocol. It uses Diffie-Hellman key exchange and the Secure Real-Time Transport Protocol (SRTP) for encryption. ZRTP was developed by Phil Zimmermann with help from Bryce Wilcox-O'Hearn , Colin Plumb, Jon Callas, and Alan Johnston. It was published in 2011 by the Internet Engineering Task Force (IETF) as RFC 6189 .
overview
The term ZRTP is made up of “Z”, a reference to the inventor Phil Zimmermann , and “RTP”, which stands for Real-Time Transport Protocol . ZRTP is described in the Request for Comments as a
key agreement protocol which performs Diffie-Hellman key exchange during call setup in-band in the Real-time Transport Protocol (RTP) media stream which has been established using some other signaling protocol such as Session Invitation Protocol (SIP). This generates a shared secret which is then used to generate keys and salt for a Secure RTP (SRTP) session.
"Key exchange protocol, which during the call setup executes a Diffie-Hellman key exchange within a real-time transport protocol data stream (RTP) that was set up using another signaling protocol such as the Session Initiation Protocol (SIP). This generates a shared secret, which is then used to generate keys and salts for a Secure RTP session (SRTP). "
One of the features of ZRTP is that it does not rely on SIP signaling or any servers for key management. It supports opportunistic encryption by automatically detecting ZRTP support on the other side.
The protocol does not require any shared secrets or public key infrastructure (PKI) or certification authorities; in fact, perishable Diffie-Hellman keys are created when each session is established: This eliminates the hassle of setting up and maintaining a trustworthy third party.
These keys are used to generate the session secret, from which the session key and parameters for the SRTP session are derived, together with any previous shared secrets: This offers protection against middleman attacks as long as the attacker was not present in the first session between the two endpoints .
ZRTP can be used with any signaling protocol, including SIP, H.323 , Jingle, and distributed hash table systems. ZRTP is independent of the signaling layer, since all key negotiations take place via the RTP data stream.
ZRTP / S, a ZRTP protocol extension, can be operated on any type of existing telephone network, including GSM, UMTS, ISDN, PSTN, SATCOM , UHF / VHF radio, because it is a narrow-band bitstream-oriented protocol and performs all key negotiations within of the data stream between two terminals.
Alan Johnston called the protocol "ZRTP" because in his earliest Internet drafts it was based on header extensions added to RTP packets, which made ZRTP a variant of RTP. In later drafts the packet format was changed to make it syntactically different from RTP. In light of this change, ZRTP is now a pseudo-acronym .
Authentication
Nonce
The Diffie-Hellman key exchange itself does not protect against middleman attacks. In order to ensure (without an existing shared secret) that the attacker is actually not present in the first session, a nonce called "Short Authentication String" (SAS) is used: The communicating parties verbally check a value displayed on both terminals for agreement. If the value does not match, it indicates a middleman attack. (At the end of 2006, the US American NSA developed an experimental voice analysis and synthesis system to overcome this protective measure, but this type of attack is not expected to pose a serious threat to protocol security.) The SAS is used to authenticate the key exchange, which is basically a is the cryptological checksum of the two Diffie-Hellman values. The SAS value is displayed on both ZRTP terminals. In order to carry out an authentication, this value is read aloud to the communication partner via the voice connection. If the values do not match on both sides, this indicates a middleman attack; if they match, a middleman attack is very unlikely. The use of hash commitment in DH exchanges restricts the attacker to only one attempt at generating the correct SAS, which means that the SAS can be quite short. For example, a 16-bit SAS leaves an attacker only one of 65,536 ways to go undetected.
Key continuity
ZRTP provides a second layer of authentication against a middleman attack based on some form of key continuity. It ensures this by caching some hashed information from the last key for use in the next call in order to flow into the shared secret for the DH exchange on the next call, which gives it key continuity properties, analogous to SSH . If the middleman is not already present at the first meeting, he is excluded from subsequent meetings. As a result, most middleman attacks are halted even if the SAS is never used because the middleman was not present for the first session.
history
The procedure originates from the VoIP software Zfone developed by Phil Zimmermann , for which it was developed as a central part of the security concept. Zfone was first presented to the public in March 2006. On March 5, 2006, a protocol specification was submitted to the Internet Engineering Task Force (IETF) by Phil Zimmermann, Jon Callas, and Alan Johnston . At that time, a patent application was made for essential parts of the process, which is automatically licensed free of charge if implemented as required. The IETF published the protocol specification on April 11, 2011 as RFC 6189 .
Operating environment
- ZRTP was implemented and used for the following platforms: Windows , Linux , macOS , iPhone , Symbian , Blackberry OS , Android
- It has been implemented in the following languages: C , C ++ , Java
- It has been used successfully with the following transport media: WLAN , UMTS , EDGE , GPRS , satellite IP modem , GSM CSD , ISDN
Implementations
ZRTP was implemented in GNU ZRTP , which is used in Twinkle and SFLphone , and in GNU ZRTP4J, which is used in Jitsi (formerly "SIP Communicator"). It has also been implemented in ortp for use in Linphone . Commercial implementations of ZRTP are in PrivateGSM from PrivateWave and more recently in Silent Phone from Silent Circle, a company founded by Phil Zimmermann. Also support Freeswitch and PhonerLite the protocol.
See also
Web links
- The Zfone Project - Specification and Reference Implementation in C
- ZORG zrtp.org - open source implementation in C ++ and Java optimized for mobile phones under GNU Affero General Public License integrated in the telephony framework PJSIP and MJSIP
- RFC 6189 - ZRTP: Media Path Key Agreement for Unicast Secure RTP
- Open ZRTP - open source implementation in C ++ under GNU Lesser General Public License integrated in the PJSIP framework, maintained by iCall
swell
- ^ ZRTP Published Today as RFC 6189. Alan B. Johnston's Blog. April 12, 2011, accessed January 13, 2013.
- ^ A b c Phil Zimmermann: Internet Draft. ZRTP: Media Path Key Agreement for Unicast Secure RTP . June 17, 2010. Retrieved June 17, 2010.
- ^ Cryptologic Quarterly , Volume 26, Number 4.
- ↑ Patent US7730309 : Method and system for key management in voice over internet protocol. Published July 5, 2007 (“ZRTP Patent”).
- ^ Christiane Rütten: patent encrypted . In: c't magazine for computer technology. No. 2, 2007, p. 22 (conversation with Phil Zimmermann).
- ↑ GNU ZRTP ( Memento of May 13, 2008 in the Internet Archive )
- ↑ GNU ZRTP4J ( Memento of October 12, 2009 in the Internet Archive )
- ↑ Archived copy ( memento of the original dated December 9, 2013 in the Internet Archive ) Info: The archive link has been inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice.
- ↑ ortp
- ↑ PrivateWave
- ^ Silent Circle
