ZRTP: Media Path Key Agreement for Unicast Secure RTP

This document defines ZRTP, a protocol for media path Diffie-Hellman exchange to agree on a session key and parameters for establishing unicast Secure Real-time Transport Protocol (SRTP) sessions for VoIP applications. The ZRTP protocol is media path keying because it is multiplexed on the same port as RTP and does not require support in the signaling protocol. ZRTP does not assume a Public Key Infrastructure (PKI) or require the complexity of certificates in end devices. For the media session, ZRTP provides confidentiality, protection against man-in-the-middle (MiTM) attacks, and, in cases where the signaling protocol provides end-to-end integrity protection, authentication. ZRTP can utilize a Session Description Protocol (SDP) attribute to provide discovery and authentication through the signaling channel. To provide best-effort SRTP, ZRTP utilizes normal RTP/AVP profiles. ZRTP secures media sessions that include a voice media stream, and can also secure media sessions that do not include voice by using an optional digital signature.
