ZRTP

ZRTP is key exchange protocol designed to enable VoIP devices to agree keys for encrypting media streams (voice or video) using SRTP. ZRTP is defined in an Internet draft http://tools.ietf.org/html/draft-zimmermann-avt-zrtp.

The authors of ZRTP describe it as "Media Path Key Agreement for Secure RTP". This means that the ZRTP end points use the media stream rather than the signaling stream to establish the SRTP encryption keys. Many other key exchange protocols use the signaling stream (for example SIP or H.323) for media key exchange. The disadvantage of this approach is that the key exchange is visible to any intermediate device that processes the signaling stream.

ZRTP’s use of the media path for key agreement ensures that media keys are agreed directly between the caller and call recipient and those keys are not visible to any intermediate signalling device. This makes ZRTP an ideal choice for use on networks where signalling is processed by intermediate devices and where it is important to ensure call confidentiality.

Key Exchange

ZRTP is designed to provide a secure method for two VoIP end-point to securely agree encryption keys that are subsequently used to encrypt media streams (voice or video) using SRTP. ZRTP uses the Diffie-Hellman algorithm which enables secure key agreement and avoids the overhead of certificate management or any other prior setup. ZRTP supports two Diffie-Hellman variants, finite field and elliptic curve. The keys agreed by ZRTP are ephemeral which means that they are discarded at the end of a call, avoiding the need for key management.

Man-in-the-Middle protection

ZRTP includes features for both detecting and preventing MitM attacks. MitM is a classic method of eavesdropping on encrypted communications. An attacker intercepts the communication and relays messages between the two end-points making each believe they have a secure channel to the other. ZRTP’s MitM defences include the use of a Short Authentication String (SAS), and Key Continuity.

The SAS is a cryptographic hash of some of the Diffie-Hellman values which is displayed as a word-pair on the user interface of each ZRTP device. The words are selected from the PGP word-list . This list generates 65,356 different SAS values. Users compare the displayed strings by reading them to each other. To remain undetected a MitM attacker would have to guess the correct SAS, there is only a 1 in 65,536 chance of a correct guess. Key commitment adds further defences by re-using some key material in subsequent key agreements. This feature means that a MitM would need to be present on the very first call between any pair of callers.

End-User reassurance

The SAS provides useful reassurance to end-users that they have a secure line. By reading and comparing a word pair, users can be certain that the key exchange has completed.

ZRTP on Mobile Networks

ZRTP’s use of the media stream for key agreement makes it a good choice for use on mobile networks where the network operators process the signaling protocol. A number of implementations are available for Symbian and Windows mobile cell phones.

ZRTP/S for traditional telephony (GSM / ISDN)

ZRTP has been extended by PrivateWave in partnership with Philip Zimmermann to work on traditional telephony data communications (GSM CSD, UMTS CSD, ISDN Data call, SAT CSD, etc) narrowband channels (from 4800bps).

ZRTP Implementations

There are multiple ZRTP protocol implementation such as

• GNU ZRTP opensource (GPL) c++ implementation of ZRTP with DH key exchange
• iCall Open ZRTP opensource (LGPL) c++ implementation of ZRTP with DH key exchange
• M5T ZRTP SAFE is a ZRTP stack implemented independently.