Zum Inhalt springen

ZRTP

aus Wikipedia, der freien Enzyklopädie
Dies ist eine alte Version dieser Seite, zuletzt bearbeitet am 4. Februar 2010 um 22:17 Uhr durch Kbrose (Diskussion | Beiträge) (Undid revision 341858403 by EagleEye96 (talk) no this is complete fiction, ref does not support claim, never heard author make the claim either). Sie kann sich erheblich von der aktuellen Version unterscheiden.

ZRTP is a cryptographic key-agreement protocol to negotiate the keys to encrypt Voice over Internet Protocol (VoIP) phone telephony calls. ZRTP describes a method of Diffie-Hellman key exchange for Secure Real-time Transport Protocol (SRTP). It was invented by Phil Zimmermann, Bryce Wilcox-O'Hearn and Colin Plumb and was submitted to the IETF by Phil Zimmermann, Jon Callas and Alan Johnston on March 5, 2006.

Overview

ZRTP is described in the Internet Draft as a "key agreement protocol which performs Diffie-Hellman key exchange during call setup in-band in the Real-time Transport Protocol (RTP) media stream which has been established using some other signaling protocol such as Session Initiation Protocol (SIP). This generates a shared secret which is then used to generate keys and salt for a Secure RTP (SRTP) session." One of ZRTP's features is that it does not rely on SIP signaling for the key management, or on any servers at all. It supports opportunistic encryption by auto-sensing if the other VoIP client supports ZRTP.

This protocol does not require prior shared secrets or rely on a Public key infrastructure (PKI) or on certification authorities, in fact ephemeral Diffie-Hellman keys are generated on each session establishment: this allows to bypass the complexity of creating and maintaining a trusted third-party.

These keys will contribute to the generation of the session secret, from which the session key and parameters for SRTP sessions will come, along with previously shared secrets (if some): this gives protection against man-in-the-middle (MiTM) attacks, assuming the attacker was not present in the first session between the two endpoints.

To ensure that the attacker is indeed not present in the first session (when no shared secrets exist) , the Short Authentication String method is used: the two users at the endpoints verbally compare a shared value displayed at both ends. If the values don't match, it indicates the presence of a MiTM wiretapper.

ZRTP can be used with any signaling protocol, including SIP, H.323, Jingle, and Peer-to-Peer SIP. ZRTP is independent of the signaling layer, because it does all its key negotiations in the RTP media stream.

ZRTP/S, a ZRTP protocol extension, can run on any kind of legacy telephony networks including GSM, UMTS, ISDN, PSTN, SATCOM, UHF/VHF radio, because it's a narrowband bitstream oriented protocol and do all key negotiations inside the bitstream between two endpoints (like RTP media stream).

Authentication

The Diffie-Hellman key exchange by itself does not provide protection against man-in-the-middle (MitM) attacks. To authenticate the key exchange, ZRTP uses a Short Authentication String (SAS), which is essentially a cryptographic hash of the two Diffie-Hellman values. The SAS value is rendered to both ZRTP endpoints. To carry out authentication, this SAS value is read aloud to the communication partner over the voice connection. If the values on both ends do not match, it indicates the presence of a man-in-middle attack. If they do match, there is a high probability that no man-in-the-middle is present. The use of hash commitment in the DH exchange constrains the attacker to only one guess to generate the correct SAS in his attack, which means the SAS can be quite short. A 16-bit SAS, for example, provides the attacker only one chance out of 65536 of not being detected.

ZRTP provides a second layer of authentication against a MitM attack, based on a form of key continuity. It does this by caching some hashed key material to use in the next call, to be mixed in with the next call's DH shared secret, giving it key continuity properties analogous to SSH. If the MitM is not present in the first call, he is locked out of subsequent calls. Thus, even if the SAS is never used, most MitM attacks are stopped, because they weren't present in the first call.

ZRTP provides yet a third layer of protection against a MitM attack. The IETF plans to add integrity protection to the delivery of Session Initiation Protocol (SIP) information,Vorlage:Citation needed and that integrity protection will rely on a PKI. When this eventually deploys, ZRTP can take advantage of this. See the ZRTP Internet Draft on how ZRTP can leverage an integrity-protected SIP layer to provide integrity protection for ZRTP's Diffie-Hellman exchange in the media layer. This protects against a MitM attack, without requiring the users to verbally compare the SAS. However, no VoIP clients yet offer a fully implemented SIP stack that provides end-to-end integrity protection for the delivery of SIP information. Thus, real-world implementations of ZRTP endpoints will continue to depend on SAS authentication for quite some time. Even after there is widespread availability of SIP products that offer integrity protection, many users will still be faced with the fact that the signaling path may be controlled by institutions that do not have the best interests of the end user in mind. In those cases, ZRTP's built-in SAS authentication will remain the gold standard for the prudent user.

Free ZRTP implementation

  • Twinkle uses GNU ccRTP and GNU ZRTP to implement the ZRTP support. All these packages are available under the GNU General Public License.
  • SIP Communicator currently has basic support for ZRTP through the ZRTP4J lib. Full support is previewed for the 1.0-rc1 release, scheduled for the end of 2008.
  • FreeSWITCH currently has basic support for ZRTP through the libzrtp SDK.
  • PJSIP has support for ZRTP in the GPL/dual licensed VoIP Stack to let third party quickly build-up encrypted voip clients. This secure and opensource VoIP stack is provided and used in PrivateGSM
  • A free PrivateGSM version for Nokia phones to receive encrypted GSM phone calls, based on ZRTP/S open encryption technology, is available for download.
  • A free firmware update is available for the DrayTek Vigor 2820Vn which adds ZRTP to both phone ports. This is an automatic system requiring no PC.

See also

References

Vorlage:Reflist

de:ZRTP

Abgerufen von „https://de.wikipedia.org/w/index.php?title=ZRTP&oldid=122782770