Hi Alan,
Thanks,
I am still not clear about when encryption starts. Figure 1 shows SRTP
before the confirm message.
The following text in section 3.2.4 with figure 1
"The endpoints can now switch to SRTP and begin packet encryption. The
ZRTP Initiator and Responder use their own keying material for the SRTP
session. No MKI is used and a 32 bit authentication tag is used."
Both hints that you can start encryption right after the DHpart1 and
DHpart2 messages. And so it got me wondering about synchronization.
If the idea is for each side to send a confirm message as the first
encrypted packet this should be stated and it will work if the packet is
not lost.
If you meant that only after receiving confirmack you can start
encryption then there is still a synchronization problem.
Roni
-----Original Message-----
From: Alan Johnston [mailto:alan at sipstation.com]
Sent: Tuesday, February 28, 2006 4:26 PM
To: Even, Roni
Cc: avt at ietf.org; Philip Zimmermann
Subject: Re: [AVT] draft-zimmermann-avt-zrtp-00.txt
Hi Roni,
Thanks for your comments - see mine below.
Thanks,
Alan
Even, Roni wrote:
Hi,
I read the draft and find it interesting I have some questions.
1. The key exchange is done after the RTP connection is established,
this means that until the end of key exchange both sides will send
non-encrypted information.
Correct.
I think that the document should address the
issue. One way is to recommend using no-op packets until the system
will
start to encrypt and indicating this to the user.
This is an excellent idea to use no-op packets. The Zfone
implementation uses a GUI and tones to indicate the status of the call
to the user (insecure, securing, or secure).
2. It is not clear to me how does the receiver know which is the first
packet that is encrypted.
The first packet that is encrypted is the Confirm1 message. It has a
known plain text string in the SRTP payload so that the endpoint can
verify that decryption has been successful. The other side then sends a
Confirm2 message to confirm the encryption on the other side. After the
Conf2ACK, the key agreement is over and normal SRTP packets with media
can then be exchanged.
3. In section 10 you have "If both UAs support ZRTP, they will first
try
ZRTP before attempting SRTP". I assume that it means that even though
the sides already have a shared secret they should not start SRTP and
do
ZRTP exchange first.
Correct.
What is the reason for that. Based on my first
comment it will make sense to start SRTP when starting to send media
and
maybe use re-key based on ZRTP.
We were trying to avoid doing a double encryption, where the media was
first encrypted as SRTP using a master key and salt from the signaling,
then encrypting again with ZRTP using DH. Instead, it would be better
to exchange a master key and salt in the signaling, then mix this secret
in with the DH shared secret. If for some reason, ZRTP fails, then the
two UAs should do SRTP using the exchanged master keys and salt.
4. In section 3.1 "If none of these are supported, an RTP packet
containing
comfort noise can be generated to carry a ZRTP message." I
understand
that ZRTP is not only for audio so comfort noise is not a video or
application payload. The common mode is no-op which was defined to all
media types.
Yes - we had forgotten about the no-op - it is the correct choice.
Thank
Roni Even
-----Original Message-----
From: Alan Johnston [mailto:alan at sipstation.com]
Sent: Monday, February 27, 2006 3:57 PM
To: avt at ietf.org
Cc: Philip Zimmermann
Subject: [AVT] draft-zimmermann-avt-zrtp-00.txt
All,
We have just submitted a new Internet-Draft
draft-zimmermann-avt-zrtp-00.txt. Until it becomes available in the
archives, you can get a copy at:
http://www.philzimmermann.com/zfone/draft-zimmermann-avt-zrtp-00.txt
http://www.philzimmermann.com/zfone/draft-zimmermann-avt-zrtp-00.html
We will request a slot in AVT in Dallas to discuss. Discussion about
the RTP extensions and mechanism are best held on the AVT list while
discussions about key management for SRTP are best held on the MMUSIC
list, with some cross posting as needed.
Thanks,
Alan
- - -
ZRTP: Extensions to RTP for Diffie-Hellman Key Agreement for SRTP
draft-zimmermann-avt-zrtp-00
Abstract
This document defines ZRTP, RTP (Real-time Transport Protocol) header
extensions for a Diffie-Hellman exchange to agree on a session key
and parameters for establishing Secure RTP (SRTP) sessions. The ZRTP
protocol is completely self-contained in RTP and does not require
support in the signaling protocol or assume a Public Key
Infrastructure (PKI) infrastructure. For the media session, ZRTP
provides confidentiality and, in cases where a secret is available
from the signaling protocol, authentication.
_______________________________________________
Audio/Video Transport Working Group
avt at ietf.org
https://www1.ietf.org/mailman/listinfo/avt