idnits 2.17.1 draft-zimmermann-avt-zrtp-16.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Sep 2009 rather than the newer Notice from 28 Dec 2009. (See https://trustee.ietf.org/license-info/) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but does not include the phrase in its RFC 2119 key words list. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (November 10, 2009) is 5273 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '4' on line 2226 ** Obsolete normative reference: RFC 4566 (Obsoleted by RFC 8866) ** Obsolete normative reference: RFC 4753 (Obsoleted by RFC 5903) ** Obsolete normative reference: RFC 4960 (Obsoleted by RFC 9260) -- Obsolete informational reference (is this intentional?): RFC 4474 (Obsoleted by RFC 8224) Summary: 4 errors (**), 0 flaws (~~), 3 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Zimmermann 3 Internet-Draft Zfone Project 4 Intended status: Informational A. Johnston, Ed. 5 Expires: May 14, 2010 Avaya 6 J. Callas 7 PGP Corp. 8 November 10, 2009 10 ZRTP: Media Path Key Agreement for Secure RTP 11 draft-zimmermann-avt-zrtp-16 13 Abstract 15 This document defines ZRTP, a protocol for media path Diffie-Hellman 16 exchange to agree on a session key and parameters for establishing 17 Secure Real-time Transport Protocol (SRTP) sessions. The ZRTP 18 protocol is media path keying because it is multiplexed on the same 19 port as RTP and does not require support in the signaling protocol. 20 ZRTP does not assume a Public Key Infrastructure (PKI) or require the 21 complexity of certificates in end devices. For the media session, 22 ZRTP provides confidentiality, protection against man-in-the-middle 23 (MiTM) attacks, and, in cases where the signaling protocol provides 24 end-to-end integrity protection, authentication. ZRTP can utilize a 25 Session Description Protocol (SDP) attribute to provide discovery and 26 authentication through the signaling channel. To provide best effort 27 SRTP, ZRTP utilizes normal RTP/AVP profiles. 29 Status of this Memo 31 This Internet-Draft is submitted to IETF in full conformance with the 32 provisions of BCP 78 and BCP 79. 34 Internet-Drafts are working documents of the Internet Engineering 35 Task Force (IETF), its areas, and its working groups. Note that 36 other groups may also distribute working documents as Internet- 37 Drafts. 39 Internet-Drafts are draft documents valid for a maximum of six months 40 and may be updated, replaced, or obsoleted by other documents at any 41 time. It is inappropriate to use Internet-Drafts as reference 42 material or to cite them other than as "work in progress." 44 The list of current Internet-Drafts can be accessed at 45 http://www.ietf.org/ietf/1id-abstracts.txt. 47 The list of Internet-Draft Shadow Directories can be accessed at 48 http://www.ietf.org/shadow.html. 50 This Internet-Draft will expire on May 14, 2010. 52 Copyright Notice 54 Copyright (c) 2009 IETF Trust and the persons identified as the 55 document authors. All rights reserved. 57 This document is subject to BCP 78 and the IETF Trust's Legal 58 Provisions Relating to IETF Documents 59 (http://trustee.ietf.org/license-info) in effect on the date of 60 publication of this document. Please review these documents 61 carefully, as they describe your rights and restrictions with respect 62 to this document. Code Components extracted from this document must 63 include Simplified BSD License text as described in Section 4.e of 64 the Trust Legal Provisions and are provided without warranty as 65 described in the BSD License. 67 Table of Contents 69 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 70 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 71 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 6 72 3.1. Key Agreement Modes . . . . . . . . . . . . . . . . . . . 7 73 3.1.1. Diffie-Hellman Mode Overview . . . . . . . . . . . . 7 74 3.1.2. Preshared Mode Overview . . . . . . . . . . . . . . . 9 75 3.1.3. Multistream Mode Overview . . . . . . . . . . . . . . 9 76 4. Protocol Description . . . . . . . . . . . . . . . . . . . . 10 77 4.1. Discovery . . . . . . . . . . . . . . . . . . . . . . . . 10 78 4.1.1. Protocol Version Negotiation . . . . . . . . . . . . 11 79 4.1.2. Algorithm Negotiation . . . . . . . . . . . . . . . . 13 80 4.2. Commit Contention . . . . . . . . . . . . . . . . . . . . 14 81 4.3. Matching Shared Secret Determination . . . . . . . . . . 15 82 4.3.1. Calculation and comparison of hashes of shared 83 secrets . . . . . . . . . . . . . . . . . . . . . . . 16 84 4.3.2. Handling a Shared Secret Cache Mismatch . . . . . . . 17 85 4.4. DH and non-DH key agreements . . . . . . . . . . . . . . 18 86 4.4.1. Diffie-Hellman Mode . . . . . . . . . . . . . . . . . 19 87 4.4.1.1. Hash Commitment in Diffie-Hellman Mode . . . . . 19 88 4.4.1.2. Responder Behavior in Diffie-Hellman Mode . . . . 20 89 4.4.1.3. Initiator Behavior in Diffie-Hellman Mode . . . . 21 90 4.4.1.4. Shared Secret Calculation for DH Mode . . . . . . 21 91 4.4.2. Preshared Mode . . . . . . . . . . . . . . . . . . . 23 92 4.4.2.1. Commitment in Preshared Mode . . . . . . . . . . 24 93 4.4.2.2. Initiator Behavior in Preshared Mode . . . . . . 24 94 4.4.2.3. Responder Behavior in Preshared Mode . . . . . . 25 95 4.4.2.4. Shared Secret Calculation for Preshared Mode . . 26 96 4.4.3. Multistream Mode . . . . . . . . . . . . . . . . . . 27 97 4.4.3.1. Commitment in Multistream Mode . . . . . . . . . 27 98 4.4.3.2. Shared Secret Calculation for Multistream Mode . 28 99 4.5. Key Derivations . . . . . . . . . . . . . . . . . . . . . 29 100 4.5.1. The ZRTP Key Derivation Function . . . . . . . . . . 29 101 4.5.2. Deriving ZRTPSess Key and SAS in DH or Preshared 102 modes . . . . . . . . . . . . . . . . . . . . . . . . 30 103 4.5.3. Deriving the rest of the keys from s0 . . . . . . . . 31 104 4.6. Confirmation . . . . . . . . . . . . . . . . . . . . . . 33 105 4.6.1. Updating the Cache of Shared Secrets . . . . . . . . 33 106 4.6.1.1. Cache Update Following a Cache Mismatch . . . . . 34 107 4.7. Termination . . . . . . . . . . . . . . . . . . . . . . . 35 108 4.7.1. Termination via Error message . . . . . . . . . . . . 35 109 4.7.2. Termination via GoClear message . . . . . . . . . . . 35 110 4.7.2.1. Key Destruction for GoClear message . . . . . . . 37 111 4.7.3. Key Destruction at Termination . . . . . . . . . . . 37 112 4.8. Random Number Generation . . . . . . . . . . . . . . . . 37 113 4.9. ZID and Cache Operation . . . . . . . . . . . . . . . . . 38 114 4.9.1. Cacheless implementations . . . . . . . . . . . . . . 39 116 5. ZRTP Messages . . . . . . . . . . . . . . . . . . . . . . . . 39 117 5.1. ZRTP Message Formats . . . . . . . . . . . . . . . . . . 41 118 5.1.1. Message Type Block . . . . . . . . . . . . . . . . . 41 119 5.1.2. Hash Type Block . . . . . . . . . . . . . . . . . . . 42 120 5.1.2.1. Implicit Hash and HMAC algorithm . . . . . . . . 43 121 5.1.3. Cipher Type Block . . . . . . . . . . . . . . . . . . 44 122 5.1.4. Auth Tag Type Block . . . . . . . . . . . . . . . . . 45 123 5.1.5. Key Agreement Type Block . . . . . . . . . . . . . . 45 124 5.1.6. SAS Type Block . . . . . . . . . . . . . . . . . . . 47 125 5.1.7. Signature Type Block . . . . . . . . . . . . . . . . 48 126 5.2. Hello message . . . . . . . . . . . . . . . . . . . . . . 49 127 5.3. HelloACK message . . . . . . . . . . . . . . . . . . . . 51 128 5.4. Commit message . . . . . . . . . . . . . . . . . . . . . 52 129 5.5. DHPart1 message . . . . . . . . . . . . . . . . . . . . . 55 130 5.6. DHPart2 message . . . . . . . . . . . . . . . . . . . . . 57 131 5.7. Confirm1 and Confirm2 messages . . . . . . . . . . . . . 59 132 5.8. Conf2ACK message . . . . . . . . . . . . . . . . . . . . 60 133 5.9. Error message . . . . . . . . . . . . . . . . . . . . . . 61 134 5.10. ErrorACK message . . . . . . . . . . . . . . . . . . . . 62 135 5.11. GoClear message . . . . . . . . . . . . . . . . . . . . . 63 136 5.12. ClearACK message . . . . . . . . . . . . . . . . . . . . 63 137 5.13. SASrelay message . . . . . . . . . . . . . . . . . . . . 64 138 5.14. RelayACK message . . . . . . . . . . . . . . . . . . . . 66 139 5.15. Ping message . . . . . . . . . . . . . . . . . . . . . . 67 140 5.16. PingACK message . . . . . . . . . . . . . . . . . . . . . 68 141 6. Retransmissions . . . . . . . . . . . . . . . . . . . . . . . 69 142 7. Short Authentication String . . . . . . . . . . . . . . . . . 71 143 7.1. SAS Verified Flag . . . . . . . . . . . . . . . . . . . . 72 144 7.2. Signing the SAS . . . . . . . . . . . . . . . . . . . . . 73 145 7.2.1. OpenPGP Signatures . . . . . . . . . . . . . . . . . 74 146 7.2.2. NSA Suite B Signatures with X.509v3 Certs . . . . . . 76 147 7.3. Relaying the SAS through a PBX . . . . . . . . . . . . . 77 148 7.3.1. PBX Enrollment and the PBX Enrollment Flag . . . . . 79 149 8. Signaling Interactions . . . . . . . . . . . . . . . . . . . 80 150 8.1. Binding the media stream to the signaling layer via 151 the Hello Hash . . . . . . . . . . . . . . . . . . . . . 82 152 8.1.1. Integrity-protected signaling enables 153 integrity-protected DH exchange . . . . . . . . . . . 83 154 8.2. Deriving the SRTP secret (srtps) from the signaling 155 layer . . . . . . . . . . . . . . . . . . . . . . . . . . 85 156 8.3. Codec Selection for Secure Media . . . . . . . . . . . . 86 157 9. False ZRTP Packet Rejection . . . . . . . . . . . . . . . . . 86 158 10. Intermediary ZRTP Devices . . . . . . . . . . . . . . . . . . 88 159 11. The ZRTP Disclosure flag . . . . . . . . . . . . . . . . . . 89 160 11.1. Guidelines on Proper Implementation of the Disclosure 161 Flag . . . . . . . . . . . . . . . . . . . . . . . . . . 91 162 12. RTP Header Extension Flag for ZRTP . . . . . . . . . . . . . 92 163 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 92 164 14. Appendix - Media Security Requirements . . . . . . . . . . . 93 165 15. Security Considerations . . . . . . . . . . . . . . . . . . . 95 166 15.1. Self-healing Key Continuity Feature . . . . . . . . . . . 98 167 16. Implementaion Guidelines . . . . . . . . . . . . . . . . . . 99 168 17. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 100 169 18. References . . . . . . . . . . . . . . . . . . . . . . . . . 100 170 18.1. Normative References . . . . . . . . . . . . . . . . . . 100 171 18.2. Informative References . . . . . . . . . . . . . . . . . 102 172 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 105 174 1. Introduction 176 ZRTP is a key agreement protocol which performs Diffie-Hellman key 177 exchange during call setup in the media path, and is transported over 178 the same port as the Real-time Transport Protocol (RTP) [RFC3550] 179 media stream which has been established using a signaling protocol 180 such as Session Initiation Protocol (SIP) [RFC3261]. This generates 181 a shared secret which is then used to generate keys and salt for a 182 Secure RTP (SRTP) [RFC3711] session. ZRTP borrows ideas from PGPfone 183 [pgpfone]. A reference implementation of ZRTP is available as Zfone 184 [zfone]. 186 The ZRTP protocol has some nice cryptographic features lacking in 187 many other approaches to media session encryption. Although it uses 188 a public key algorithm, it does not rely on a public key 189 infrastructure (PKI). In fact, it does not use persistent public 190 keys at all. It uses ephemeral Diffie-Hellman (DH) with hash 191 commitment, and allows the detection of man-in-the-middle (MiTM) 192 attacks by displaying a short authentication string (SAS) for the 193 users to read and verbally compare over the phone. It has Perfect 194 Forward Secrecy, meaning the keys are destroyed at the end of the 195 call, which precludes retroactively compromising the call by future 196 disclosures of key material. But even if the users are too lazy to 197 bother with short authentication strings, we still get reasonable 198 authentication against a MiTM attack, based on a form of key 199 continuity. It does this by caching some key material to use in the 200 next call, to be mixed in with the next call's DH shared secret, 201 giving it key continuity properties analogous to SSH. All this is 202 done without reliance on a PKI, key certification, trust models, 203 certificate authorities, or key management complexity that bedevils 204 the email encryption world. It also does not rely on SIP signaling 205 for the key management, and in fact does not rely on any servers at 206 all. It performs its key agreements and key management in a purely 207 peer-to-peer manner over the RTP packet stream. 209 In cases where the short authentication string (SAS) cannot be 210 verbally compared by two human users, the SAS can be authenticated by 211 exchanging an optional signature over the SAS (described in 212 Section 7.2). 214 ZRTP can be used and discovered without being declared or indicated 215 in the signaling path. This provides a best effort SRTP capability. 216 Also, this reduces the complexity of implementations and minimizes 217 interdependency between the signaling and media layers. However, 218 when ZRTP is indicated in the signaling via the zrtp-hash SDP 219 attribute, ZRTP has additional useful properties. By sending a hash 220 of the ZRTP Hello message in the signaling, ZRTP provides a useful 221 binding between the signaling and media paths, which is explained in 222 Section 8.1. When this is done through a signaling path that has 223 end-to-end integrity protection, the DH exchange is automatically 224 protected from a MiTM attack, which is explained in Section 8.1.1. 226 ZRTP is designed for unicast media sessions. For multiparty secure 227 conferencing, separate ZRTP sessions may be negotiated between each 228 party and the conference bridge. 230 2. Terminology 232 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 233 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 234 document are to be interpreted as described in [RFC2119]. 236 3. Overview 238 This section provides a description of how ZRTP works. This 239 description is non-normative in nature but is included to build 240 understanding of the protocol. 242 ZRTP is negotiated the same way a conventional RTP session is 243 negotiated in an offer/answer exchange using the standard AVP/RTP 244 profile. The ZRTP protocol begins after two endpoints have utilized 245 a signaling protocol such as SIP and are ready to exchange media. If 246 ICE [I-D.ietf-mmusic-ice] is being used, ZRTP begins after ICE has 247 completed its connectivity checks. 249 ZRTP is multiplexed on the same ports as RTP. It uses a unique 250 header that makes it clearly differentiable from RTP or STUN. 252 For environments in which sending ZRTP packets to non-ZRTP endpoints 253 might cause problems and signaling path discovery is not an option, 254 ZRTP endpoints include the RTP header extension flag for ZRTP in 255 normal RTP packets sent at the start of a session as a probe to 256 discover if the other endpoint supports ZRTP. If the flag is 257 received from the other endpoint, ZRTP messages can then be 258 exchanged. 260 A ZRTP endpoint initiates the exchange by sending a ZRTP Hello 261 message to the other endpoint. The purpose of the Hello message is 262 to confirm the endpoint supports the protocol and to see what 263 algorithms the two ZRTP endpoints have in common. 265 The Hello message contains the SRTP configuration options, and the 266 ZID. Each instance of ZRTP has a unique 96-bit random ZRTP ID or ZID 267 that is generated once at installation time. ZIDs are discovered 268 during the Hello message exchange. The received ZID is used to look 269 up retained shared secrets from previous ZRTP sessions with the 270 endpoint. 272 A response to a ZRTP Hello message is a ZRTP HelloACK message. The 273 HelloACK message simply acknowledges receipt of the Hello. Since RTP 274 commonly uses best effort UDP transport, ZRTP has retransmission 275 timers in case of lost datagrams. There are two timers, both with 276 exponential backoff mechanisms. One timer is used for 277 retransmissions of Hello messages and the other is used for 278 retransmissions of all other messages after receipt of a HelloACK. 280 If an integrity protected signaling channel is available, a hash of 281 the Hello message can be sent. This allows rejection of false 282 injected ZRTP Hello messages by an attacker. 284 Hello and other ZRTP messages also contain a hash image that is used 285 to link the messages together. This allows rejection of false 286 injected ZRTP messages during an exchange. 288 3.1. Key Agreement Modes 290 After both endpoints exchange Hello and HelloACK messages, the key 291 agreement exchange can begin with the ZRTP Commit message. ZRTP 292 supports a number of key agreement modes including both Diffie- 293 Hellman and non-Diffie-Hellman modes as described in the following 294 sections. 296 The Commit message may be sent immediately after both endpoints have 297 completed the Hello/HelloACK discovery handshake. Or it may be 298 deferred until later in the call, after the participants engage in 299 some unencrypted conversation. The Commit message may be manually 300 activated by a user interface element, such as a GO SECURE button, 301 which becomes enabled after the Hello/HelloACK discovery phase. This 302 emulates the user experience of a number of secure phones in the PSTN 303 world [comsec]. However, it is expected that most simple ZRTP user 304 agents will omit such buttons and proceed directly to secure mode by 305 sending a Commit message immediately after the Hello/HelloACK 306 handshake. 308 3.1.1. Diffie-Hellman Mode Overview 310 An example ZRTP call flow is shown in Figure 1 below. Note that the 311 order of the Hello/HelloACK exchanges in F1/F2 and F3/F4 may be 312 reversed. That is, either Alice or Bob might send the first Hello 313 message. Note that the endpoint which sends the Commit message is 314 considered the initiator of the ZRTP session and drives the key 315 agreement exchange. The Diffie-Hellman public values are exchanged 316 in the DHPart1 and DHPart2 messages. SRTP keys and salts are then 317 calculated. 319 Alice Bob 320 | | 321 | Alice and Bob establish a media session. | 322 | They initiate ZRTP on media ports | 323 | | 324 | F1 Hello (version, options, Alice's ZID) | 325 |-------------------------------------------------->| 326 | HelloACK F2 | 327 |<--------------------------------------------------| 328 | Hello (version, options, Bob's ZID) F3 | 329 |<--------------------------------------------------| 330 | F4 HelloACK | 331 |-------------------------------------------------->| 332 | | 333 | Bob acts as the initiator | 334 | | 335 | Commit (Bob's ZID, options, hash value) F5 | 336 |<--------------------------------------------------| 337 | F6 DHPart1 (pvr, shared secret hashes) | 338 |-------------------------------------------------->| 339 | DHPart2 (pvi, shared secret hashes) F7 | 340 |<--------------------------------------------------| 341 | | 342 | Alice and Bob generate SRTP session key. | 343 | | 344 | F8 Confirm1 (HMAC, D,A,V,E flags, sig) | 345 |-------------------------------------------------->| 346 | Confirm2 (HMAC, D,A,V,E flags, sig) F9 | 347 |<--------------------------------------------------| 348 | F10 Conf2ACK | 349 |-------------------------------------------------->| 350 | SRTP begins | 351 |<=================================================>| 352 | | 354 Figure 1: Establishment of an SRTP session using ZRTP 356 ZRTP authentication uses a Short Authentication String (SAS) which is 357 ideally displayed for the human user. Alternatively, the SAS can be 358 authenticated by exchanging an OPTIONAL digital signature (sig) over 359 the short authentication string in the Confirm1 or Confirm2 messages 360 (described in Section 7.2). 362 The ZRTP Confirm1 and Confirm2 messages are sent for a number of 363 reasons, not the least of which is they confirm that all the key 364 agreement calculations were successful and thus the encryption will 365 work. They also carry other information such as the Disclosure flag 366 (D), the Allow Clear flag (A), the SAS Verified flag (V), and the PBX 367 Enrollment flag (E). All flags are encrypted to shield them from a 368 passive observer. 370 3.1.2. Preshared Mode Overview 372 In the Preshared Mode, endpoints can skip the DH calculation if they 373 have a shared secret from a previous ZRTP session. Preshared mode is 374 indicated in the Commit message and results in the same call flow as 375 Multistream mode. The principal difference between Multistream mode 376 and Preshared mode is that Preshared mode uses a previously cached 377 shared secret, rs1, instead of an active ZRTP Session key as the 378 initial keying material. 380 This mode could be useful for slow processor endpoints so that a DH 381 calculation does not need to be performed every session. Or, this 382 mode could be used to rapidly re-establish an earlier session that 383 was recently torn down or interrupted without the need to perform 384 another DH calculation. 386 Preshared mode has forward secrecy properties. If a phone's cache is 387 captured by an opponent, the cached shared secrets cannot be used to 388 recover earlier encrypted calls, because the shared secrets are 389 replaced with new ones in each new call, as in DH mode. However, the 390 captured secrets can be used by a passive wiretapper in the media 391 path to decrypt the next call, if the next call is in Preshared mode. 392 This differs from DH mode, which requires an active MiTM wiretapper 393 to exploit captured secrets in the next call. However, if the next 394 call is missed by the wiretapper, he cannot wiretap any further 395 calls. It thus preserves most of the self-healing properties 396 (Section 15.1) of key continuity enjoyed by DH mode. 398 3.1.3. Multistream Mode Overview 400 Multistream mode is an alternative key agreement method when two 401 endpoints have an established SRTP media stream between them and 402 hence an active ZRTP Session key. ZRTP can derive multiple SRTP keys 403 from a single DH exchange. For example, an established secure voice 404 call that adds a video stream uses Multistream mode to quickly 405 initiate the video stream without a second DH exchange. 407 When Multistream mode is indicated in the Commit message, a call flow 408 similar to Figure 1 is used, but no DH calculation is performed by 409 either endpoint and the DHPart1 and DHPart2 messages are omitted. 410 The Confirm1, Confirm2, and Conf2ACK messages are still sent. Since 411 the cache is not affected during this mode, multiple Multistream ZRTP 412 exchanges can be performed in parallel between two endpoints. 414 When adding additional media streams to an existing call, only 415 Multistream mode is used. Only one DH operation is performed, just 416 for the first media stream. 418 4. Protocol Description 420 This section begins the normative description of the protocol. 422 ZRTP MUST be multiplexed on the same ports as the RTP media packets. 424 To support best effort encryption from the Media Security 425 Requirements [RFC5479], ZRTP uses normal RTP/AVP profile (AVP) media 426 lines in the initial offer/answer exchange. The ZRTP SDP attribute 427 a=zrtp-hash defined in Section 8 SHOULD be used in all offers and 428 answers to indicate support for the ZRTP protocol. 430 ZRTP can be utilized by endpoints that do not have a common 431 signaling protocol but both support SRTP and are relying on a 432 gateway for conversion. As such, it is not always possible for 433 the signaling protocol to relay the zrtp-hash as can be done using 434 SIP. 436 The Secure RTP/AVP (SAVP) profile MAY be used in subsequent offer/ 437 answer exchanges after a successful ZRTP exchange has resulted in an 438 SRTP session, or if it is known the other endpoint supports this 439 profile. 441 The use of the RTP/SAVP profile has caused failures in negotiating 442 best effort SRTP due to the limitations on negotiating profiles 443 using SDP. This is why ZRTP supports the RTP/AVP profile and 444 includes its own discovery mechanisms. 446 In all key agreement modes, the initiator SHOULD NOT send RTP media 447 after sending the Commit message, and MUST NOT send SRTP media before 448 receiving either the Conf2ACK or the first SRTP media (with a valid 449 SRTP auth tag) from the responder. The responder SHOULD NOT send RTP 450 media after receiving the Commit message, and MUST NOT send SRTP 451 media before receiving the Confirm2 message. 453 4.1. Discovery 455 During the ZRTP discovery phase, a ZRTP endpoint discovers if the 456 other endpoint supports ZRTP and the supported algorithms and 457 options. This information is transported in a Hello message, 458 described in Section 5.2. 460 ZRTP endpoints SHOULD include the SDP attribute a=zrtp-hash in offers 461 and answers, as defined in Section 8. ZRTP SHOULD use an RTP 462 [RFC3550] extension field as a flag to indicate support for the ZRTP 463 protocol in RTP packets as described in Section 12. 465 The Hello message includes the ZRTP version, hash type, cipher type, 466 authentication method and tag length, key agreement type, and Short 467 Authentication String (SAS) algorithms that are supported. The Hello 468 message also includes a hash image as described in Section 9. In 469 addition, each endpoint sends and discovers ZIDs. The received ZID 470 is used later in the protocol as an index into a cache of shared 471 secrets that were previously negotiated and retained between the two 472 parties. 474 A Hello message can be sent at any time, but is usually sent at the 475 start of an RTP session to determine if the other endpoint supports 476 ZRTP, and also if the SRTP implementations are compatible. A Hello 477 message is retransmitted using timer T1 and an exponential backoff 478 mechanism detailed in Section 6 until the receipt of a HelloACK 479 message or a Commit message. 481 The use of the a=zrtp-hash SDP attribute to authenticate the Hello 482 message is described in Section 8.1. 484 4.1.1. Protocol Version Negotiation 486 This specification defines ZRTP version 1.10. Since new versions of 487 ZRTP may be developed in the future, this specification defines a 488 protocol version negotiation in this section. 490 Each party declares what version of the ZRTP protocol they support 491 via the version field in the Hello message (Section 5.2). If both 492 parties have the same version number in their Hello messages, they 493 can proceed with the rest of the protocol. To facilitate both 494 parties reaching this state of protocol version agreement in their 495 Hello messages, ZRTP should use information provided in the signaling 496 layer, if available. If a ZRTP endpoint supports more than one 497 version of the protocol, it SHOULD declare them all in a list of SIP 498 SDP a=zrtp-hash attributes (defined in Section 8), listing separate 499 hashes, with separate ZRTP version numbers in each item in the list. 501 Both parties should inspect the list of ZRTP version numbers supplied 502 by the other party in the SIP SDP a=zrtp-hash attributes. Both 503 parties should choose the highest version number that appear in both 504 parties' list of a=zrtp-hash version numbers, and use that version 505 for their Hello messages. If both parties use the SIP signaling in 506 this manner, their initial Hello messages will have the same ZRTP 507 version number, provided they both have at least one supported 508 protocol version in common. Before the ZRTP key agreement can 509 proceed, an endpoint MUST have sent and received Hellos with the same 510 protocol version. 512 It is best if the signaling layer is used to negotiate the protocol 513 version number. However, the a=zrtp-hash SDP attribute is not always 514 present in the SIP packet, as explained in Section 8.1. In the 515 absence of any guidance from the signaling layer, an endpoint MUST 516 send the highest supported version in initial Hello messages. If the 517 two parties send different protocol version numbers in their Hello 518 messages, they can reach agreement to use a common version, if one 519 exists. They iteratively apply the following rules until they both 520 have matching version fields in their Hello messages and the key 521 agreement can proceed: 523 o If an endpoint receives a Hello message with an unsupported 524 version number that is higher than the endpoint's current Hello 525 message version, the received Hello message MUST be ignored. The 526 endpoint continues to retransmit Hello messages on the standard 527 retry schedule (Section 6). 528 o If an endpoint receives a Hello message with a version number that 529 is lower than the endpoint's current Hello message, and the 530 endpoint supports a version that is less than or equal to the 531 received version number, the endpoint MUST stop retransmitting the 532 old version number and MUST start sending a Hello message with the 533 highest supported version number that is less than or equal to the 534 received version number. 535 o If an endpoint receives a Hello message with an unsupported 536 version number that is lower than the endpoint's current Hello 537 message, the endpoint MUST send an Error message (Section 5.9) 538 indicating failure to support this ZRTP version. 540 The above comparisons are iterated until the version numbers match, 541 or until it exits on a failure to match. 543 For example, assume that Alice supports protocol version 1.10 and 544 2.00, and Bob supports version 1.10 and 1.20. Alice initially 545 sends a Hello with version 2.00, and Bob initially sends a Hello 546 with version 1.20. Bob ignores Alice's 2.00 Hello and continues 547 to send his 1.20 Hello. Alice detects that Bob does not support 548 2.00 and she stops sending her 2.00 Hellos and starts sending a 549 stream of 1.10 Hellos. Bob sees the 1.10 Hello from Alice and 550 stops sending his 1.20 Hellos and switches to sending 1.10 Hellos. 551 At that point, they have converged on using version 1.10 and the 552 protocol proceeds on that basis. 554 When comparing protocol versions, a ZRTP endpoint MUST include only 555 the first three octets of the version field in the comparison. The 556 final octet is ignored, because it is not significant for 557 interoperability. For example, "1.1 ", "1.10", "1.11", or "1.1a" are 558 all regarded as a version match, because they would all be 559 interoperable versions. 561 Changes in protocol version numbers are expected be infrequent after 562 version 1.10. Supporting multiple versions adds code complexity and 563 may introduce security weaknesses in the implementation. The old 564 adage about keeping it simple applies especially to implementing 565 security protocols. Endpoints SHOULD NOT support protocol versions 566 earlier than version 1.10. 568 4.1.2. Algorithm Negotiation 570 A method is provided to allow the two parties to mutually and 571 deterministically choose the same DH key size and algorithm before a 572 Commit message is sent. 574 Each Hello message lists the algorithms in the order of preference 575 for that ZRTP endpoint. Endpoints eliminate the non-intersecting 576 choices from each of their own lists, resulting in each endpoint 577 having a list of algorithms in common that might or might not be 578 ordered the same as the other endpoint's list. Each endpoint 579 compares the first item on their own list with the first item on the 580 other endpoint's list, and SHOULD choose the faster of the two 581 algorithms. For example: 583 o Alice's full list: DH2K, DH3K, EC25 584 o Bob's full list: EC38, EC25, DH3K 585 o Alice's intersecting list: DH3K, EC25 586 o Bob's intersecting list: EC25, DH3K 587 o Alice's first preference is DH3K, and Bob's first preference is 588 EC25. 589 o Thus, both parties choose EC25 (ECDH-256), because it's faster. 591 To decide which DH algorithm is faster, the following ranking is 592 defined: DH2K, EC25, DH3K, EC38, EC52. These are all drawn from 593 Table 5. 595 If both endpoints follow this method, they may each start their DH 596 calculations as soon as they receive the Hello message, and there 597 will be no need for either endpoint to discard their DH calculation 598 if the other endpoint becomes the initiator. 600 This method is used only to negotiate DH key size. For the rest of 601 the algorithm choices, it's simply whatever the initiator selects 602 from the algorithms in common. Note that the DH key size influences 603 the hash type and the size of the symmetric cipher key, as explained 604 in Section 5.1.5. 606 Unfavorable choices will never be made by this method, because each 607 endpoint will omit from their respective lists choices that are too 608 slow or not secure enough to meet their security policy. 610 4.2. Commit Contention 612 After both parties have received compatible Hello messages, a Commit 613 message (Section 5.4) can be sent to begin the ZRTP key exchange. 614 The endpoint that sends the Commit is known as the initiator, while 615 the receiver of the Commit is known as the responder. 617 If both sides send Commit messages initiating a secure session at the 618 same time the following rules are used to break the tie: 620 o If one Commit is for a DH mode while the other is for Preshared 621 mode, then the Preshared Commit MUST be discarded and the DH 622 Commit proceeds. 623 o If the two Commits are both Preshared mode, and one party has set 624 the MiTM (M) flag in the Hello message and the other has not, the 625 Commit message from the party who set the (M) flag MUST be 626 discarded, and the one who has not set the (M) flag becomes the 627 initiator, regardless of the nonce values. In other words, for 628 Preshared mode, the phone is the initiator and the PBX is the 629 responder. 630 o If the two Commits are either both DH modes or both non-DH modes, 631 then the Commit message with the lowest hvi (hash value of 632 initiator) value (for DH Commits), or lowest nonce value (for 633 non-DH Commits), MUST be discarded and the other side is the 634 initiator, and the protocol proceeds with the initiator's Commit. 635 The two hvi or nonce values are compared as large unsigned 636 integers in network byte order. 638 If one Commit is for Multistream mode while the other is for non- 639 Multistream (DH or Preshared) mode, a software error has occurred and 640 the ZRTP negotiation should be terminated. This should never occur 641 because of the constraints on Multistream mode described in 642 Section 4.4.3. 644 In the event that Commit messages are sent by both ZRTP endpoints at 645 the same time, but are received in different media streams, the same 646 resolution rules apply as if they were received on the same stream. 647 The media stream in which the Commit was received or sent will 648 proceed through the ZRTP exchange while the media stream with the 649 discarded Commit must wait for the completion of the other ZRTP 650 exchange. 652 If a commit contention forces a DH Commit message to be discarded, 653 the responder's DH public value should only be discarded if it does 654 not match the initiator's DH key size. 656 4.3. Matching Shared Secret Determination 658 The following sections describe how ZRTP endpoints generate and/or 659 use the set of shared secrets s1, auxsecret, and pbxsecret through 660 the exchange of the DHPart1 and DHPart2 messages. This doesn't cover 661 the Diffie-Hellman calculations. It only covers the method whereby 662 the two parties determine if they already have shared secrets in 663 common in their caches. 665 Each ZRTP endpoint maintains a long-term cache of shared secrets that 666 it has previously negotiated with the other party. The ZID of the 667 other party, received in the other party's Hello message, is used as 668 an index into this cache to find the set of shared secrets, if any 669 exist. This cache entry may contain previously retained shared 670 secrets, rs1 and rs2, which give ZRTP its key continuity features. 671 If the other party is a PBX, the cache may also contain a trusted 672 MiTM PBX shared secret, called pbxsecret, defined in Section 7.3.1. 674 The DHPart1 and DHPart2 messages contain a list of hashes of these 675 shared secrets to allow the two endpoints to compare the hashes with 676 what they have in their caches to detect whether the two sides share 677 any secrets that can be used in the calculation of the session key. 678 The use of this shared secret cache is described in Section 4.9. 680 If no secret of a given type is available, a random value is 681 generated and used for that secret to ensure a mismatch in the hash 682 comparisons in the DHPart1 and DHPart2 messages. This prevents an 683 eavesdropper from knowing which types of shared secrets are available 684 between the endpoints. 686 Section 4.3.1 refers to the auxiliary shared secret auxsecret. The 687 auxsecret shared secret may be defined by the VoIP user agent out-of- 688 band from the ZRTP protocol. In some cases it may be provided by the 689 signaling layer as srtps, which is defined in Section 8.2. If it is 690 not provided by the signaling layer, the auxsecret shared secret may 691 be manually provisioned in other application-specific ways that are 692 out-of-band, such as computed from a hashed pass phrase by prior 693 agreement between the two parties. Or it may be a family key used by 694 an institution that the two parties both belong to. It is a 695 generalized mechanism for providing a shared secret that is agreed to 696 between the two parties out of scope of the ZRTP protocol. It is 697 expected that most typical ZRTP endpoints will rarely use auxsecret. 699 For both the initiator and the responder, the shared secrets s1, s2, 700 and s3 will be calculated so that they can all be used later to 701 calculate s0 in Section 4.4.1.4. Here is how s1, s2, and s3 are 702 calculated by both parties: 704 The shared secret s1 will be either the initiator's rs1 or the 705 initiator's rs2, depending on which of them can be found in the 706 responder's cache. If the initiator's rs1 matches the responder's 707 rs1 or rs2, then s1 MUST be set to the initiator's rs1. If and only 708 if that match fails, then if the initiator's rs2 matches the 709 responder's rs1 or rs2, then s1 MUST be set to the initiator's rs2. 710 If that match also fails, then s1 MUST be set to null. The 711 complexity of the s1 calculation is to recover from any loss of cache 712 sync from an earlier aborted session, due to the Two Generals' 713 Problem [Byzantine]. 715 The shared secret s2 MUST be set to the value of auxsecret if and 716 only if both parties have matching values for auxsecret, as 717 determined by comparing the hashes of auxsecret sent in the DH 718 messages. If they don't match, s2 MUST be set to null. 720 The shared secret s3 MUST be set to the value of pbxsecret if and 721 only if both parties have matching values for pbxsecret, as 722 determined by comparing the hashes of pbxsecret sent in the DH 723 messages. If they don't match, s3 MUST be set to null. 725 If s1, s2, or s3 have null values, they are assumed to have a zero 726 length for the purposes of hashing them later during the s0 727 calculation in Section 4.4.1.4. 729 The comparison of hashes of rs1, rs2, auxsecret, and pbxsecret is 730 described below in Section 4.3.1. 732 4.3.1. Calculation and comparison of hashes of shared secrets 734 Both parties calculate a set of keyed hashes (HMACs) of shared 735 secrets that may be present in each of their caches. These hashes 736 are truncated to the leftmost 64 bits: 738 rs1IDr = HMAC(rs1, "Responder") 739 rs2IDr = HMAC(rs2, "Responder") 740 auxsecretIDr = HMAC(auxsecret, "Responder") 741 pbxsecretIDr = HMAC(pbxsecret, "Responder") 742 rs1IDi = HMAC(rs1, "Initiator") 743 rs2IDi = HMAC(rs2, "Initiator") 744 auxsecretIDi = HMAC(auxsecret, "Initiator") 745 pbxsecretIDi = HMAC(pbxsecret, "Initiator") 747 The responder sends rs1IDr, rs2IDr, auxsecretIDr, and pbxsecretIDr in 748 the DHPart1 message. The initiator sends rs1IDi, rs2IDi, 749 auxsecretIDi, and pbxsecretIDi in the DHPart2 message. 751 The responder uses the locally computed rs1IDi, rs2IDi, auxsecretIDi, 752 and pbxsecretIDi to compare against the corresponding fields in the 753 received DHPart2 message. The initiator uses the locally computed 754 rs1IDr, rs2IDr, auxsecretIDr, and pbxsecretIDr to compare against the 755 corresponding fields in the received DHPart1 message. 757 From these comparisons, s1, s2, and s3 are calculated per the methods 758 described above in Section 4.3. The secrets corresponding to 759 matching HMACs are kept while the secrets corresponding to the non- 760 matching ones are replaced with a null, which is assumed to have a 761 zero length for the purposes of hashing them later. The resulting 762 s1, s2, and s3 values are used later to calculate s0 in 763 Section 4.4.1.4. 765 For example, consider two ZRTP endpoints who share secrets rs1 and 766 pbxsecret (defined in Section 7.3.1). During the comparison, rs1ID 767 and pbxsecretID will match but auxsecretID will not. As a result, s1 768 = rs1, s2 will be null, and s3 = pbxsecret. 770 4.3.2. Handling a Shared Secret Cache Mismatch 772 A shared secret cache mismatch is defined to mean that we expected a 773 cache match because rs1 exists in our local cache, but we computed a 774 null value for s1 (per the method described in Section 4.3). 776 If one party has a cached shared secret and the other party does not, 777 this indicates one of two possible situations. Either there is a 778 man-in-the-middle (MiTM) attack, or one of the legitimate parties has 779 lost their cached shared secret by some mishap. Perhaps they 780 inadvertently deleted their cache, or their cache was lost or 781 disrupted due to restoring their disk from an earlier backup copy. 782 The party that has the surviving cache entry can easily detect that a 783 cache mismatch has occurred, because they expect their own cached 784 secret to match the other party's cached secret, but it does not 785 match. It is possible for both parties to detect this condition if 786 both parties have surviving cached secrets that have fallen out of 787 sync, due perhaps to one party restoring from a disk backup. 789 If either party discovers a cache mismatch, the user agent who makes 790 this discovery must treat this as a possible security event and MUST 791 alert their own user that there is a heightened risk of a MiTM 792 attack, and that the user should verbally compare the SAS with the 793 other party to ascertain that no MiTM attack has occurred. If a 794 cache mismatch is detected and it is not possible to compare the SAS, 795 either because the user interface does not support it or because one 796 or both endpoints are unmanned devices, and no other SAS comparison 797 mechanism is available, the session MAY be terminated. 799 The session need not be terminated on a cache mismatch event if: 801 o the mechanism described in Section 8.1.1 is available, which 802 allows authentication of the DH exchange without human assistance, 803 or 804 o any mechanism is available to determine if the SAS matches. This 805 would require either circumstances that allow human verbal 806 comparisons of the SAS, or by using the OPTIONAL digital signature 807 feature on the SAS hash, as described in Section 7.2. 809 Even if the user interface does not permit an SAS comparison, the 810 human user MUST be warned, and may elect to proceed with the call at 811 their own risk. 813 If and only if a cache mismatch event occurs, the cache update 814 mechanism in Section 4.6.1 is affected, requiring the user to verify 815 the SAS before the cache is updated. The user will thus be alerted 816 of this security condition on every call until the SAS is verified. 817 This is described in Section 4.6.1.1. 819 Here is a non-normative example of a cache-mismatch alert message 820 from a ZRTP user agent (specifically, Zfone [zfone]), designed for a 821 desktop PC graphical user interface environment. It is by no means 822 required that the alert be this detailed: 824 "We expected the other party to have a shared secret cached from a 825 previous call, but they don't have it. This may mean your partner 826 simply lost his cache of shared secrets, but it could also mean 827 someone is trying to wiretap you. To resolve this question you 828 must check the authentication string with your partner. If it 829 doesn't match, it indicates the presence of a wiretapper." 830 If the alert is rendered by a robot voice instead of a GUI, 831 brevity may be more important: "Something's wrong. You must check 832 the authentication string with your partner. If it doesn't match, 833 it indicates the presence of a wiretapper." 835 4.4. DH and non-DH key agreements 837 The next step is the generation of a secret for deriving SRTP keying 838 material. ZRTP uses Diffie-Hellman and two non-Diffie-Hellman modes, 839 described in the following sections. 841 4.4.1. Diffie-Hellman Mode 843 The purpose of the Diffie-Hellman (either Finite Field Diffie-Hellman 844 or Elliptic Curve Diffie-Hellman) exchange is for the two ZRTP 845 endpoints to generate a new shared secret, s0. In addition, the 846 endpoints discover if they have any cached or previously stored 847 shared secrets in common, and uses them as part of the calculation of 848 the session keys. 850 Because the DH exchange affects the state of the retained shared 851 secret cache, only one in-process ZRTP DH exchange may occur at a 852 time between two ZRTP endpoints. Otherwise, race conditions and 853 cache integrity problems will result. When multiple media streams 854 are established in parallel between the same pair of ZRTP endpoints 855 (determined by the ZIDs in the Hello Messages), only one can be 856 processed. Once that exchange completes with Confirm2 and Conf2ACK 857 messages, another ZRTP DH exchange can begin. This constraint does 858 not apply when Multistream mode key agreement is used since the 859 cached shared secrets are not affected. 861 4.4.1.1. Hash Commitment in Diffie-Hellman Mode 863 From the intersection of the algorithms in the sent and received 864 Hello messages, the initiator chooses a hash, cipher, auth tag, key 865 agreement type, and SAS type to be used. 867 A Diffie-Hellman mode is selected by setting the Key Agreement Type 868 to one of the DH or ECDH values in Table 5 in the Commit. In this 869 mode, the key agreement begins with the initiator choosing a fresh 870 random Diffie-Hellman (DH) secret value (svi) based on the chosen key 871 agreement type value, and computing the public value. (Note that to 872 speed up processing, this computation can be done in advance.) For 873 guidance on generating random numbers, see Section 4.8. The value 874 for the DH generator g, the DH prime p, and the length of the DH 875 secret value, svi, are defined in Section 5.1.5. 877 pvi = g^svi mod p 879 where g and p are determined by the key agreement type value. The 880 pvi value is formatted as a big-endian octet string, fixed to the 881 width of the DH prime, and leading zeros MUST NOT be truncated. 883 The hash commitment is performed by the initiator of the ZRTP 884 exchange. The hash value of the initiator, hvi, includes a hash of 885 the entire DHPart2 message as shown in Figure 9 (which includes the 886 Diffie-Hellman public value, pvi), and the responder's Hello message 887 (where '||' means concatenation). The hvi hash is truncated to 256 888 bits: 890 hvi = hash(initiator's DHPart2 message || responder's Hello 891 message) 893 Note that the Hello message includes the fields shown in Figure 3. 895 The information from the responder's Hello message is included in the 896 hash calculation to prevent a bid-down attack by modification of the 897 responder's Hello message. 899 The initiator sends hvi in the Commit message. 901 The use of hash commitment in the DH exchange constrains the attacker 902 to only one guess to generate the correct short authentication string 903 (SAS) (Section 7) in his attack, which means the SAS can be quite 904 short. A 16-bit SAS, for example, provides the attacker only one 905 chance out of 65536 of not being detected. 907 4.4.1.2. Responder Behavior in Diffie-Hellman Mode 909 Upon receipt of the Commit message, the responder generates its own 910 fresh random DH secret value, svr, and computes the public value. 911 (Note that to speed up processing, this computation can be done in 912 advance.) For guidance on random number generation, see Section 4.8. 913 The value for the DH generator g, the DH prime p, and the length of 914 the DH secret value, svr, are defined in Section 5.1.5. 916 pvr = g^svr mod p 918 The pvr value is formatted as a big-endian octet string, fixed to the 919 width of the DH prime, and leading zeros MUST NOT be truncated. 921 Upon receipt of the DHPart2 message, the responder checks that the 922 initiator's public DH value is not equal to 1 or p-1. An attacker 923 might inject a false DHPart2 message with a value of 1 or p-1 for 924 g^svi mod p, which would cause a disastrously weak final DH result to 925 be computed. If pvi is 1 or p-1, the user should be alerted of the 926 attack and the protocol exchange MUST be terminated. Otherwise, the 927 responder computes its own value for the hash commitment using the 928 public DH value (pvi) received in the DHPart2 message and its Hello 929 message and compares the result with the hvi received in the Commit 930 message. If they are different, a MiTM attack is taking place and 931 the user is alerted and the protocol exchange terminated. 933 The responder then calculates the Diffie-Hellman result: 935 DHResult = pvi^svr mod p 937 4.4.1.3. Initiator Behavior in Diffie-Hellman Mode 939 Upon receipt of the DHPart1 message, the initiator checks that the 940 responder's public DH value is not equal to 1 or p-1. An attacker 941 might inject a false DHPart1 message with a value of 1 or p-1 for 942 g^svr mod p, which would cause a disastrously weak final DH result to 943 be computed. If pvr is 1 or p-1, the user should be alerted of the 944 attack and the protocol exchange MUST be terminated. 946 The initiator then sends a DHPart2 message containing the initiator's 947 public DH value and the set of calculated shared secret IDs as 948 defined in Section 4.3.1. 950 The initiator calculates the same Diffie-Hellman result using: 952 DHResult = pvr^svi mod p 954 4.4.1.4. Shared Secret Calculation for DH Mode 956 A hash of the received and sent ZRTP messages in the current ZRTP 957 exchange in the following order is calculated by both parties: 959 total_hash = hash(Hello of responder || Commit || DHPart1 || 960 DHPart2) 962 Note that only the ZRTP messages (Figure 3, Figure 5, Figure 8, and 963 Figure 9), not the entire ZRTP packets, are included in the 964 total_hash. 966 For both the initiator and responder, the DHResult is formatted as a 967 big-endian octet string, fixed to the width of the DH prime, and 968 leading zeros MUST NOT be truncated. For example, for a 3072-bit p, 969 DHResult would be a 384 octet value, with the first octet the most 970 significant. DHResult may also be the result of an ECDH calculation, 971 which is discussed in Section 5.1.5. 973 Key | Size of 974 Agreement | DHResult 975 ------------------------ 976 DH-3072 | 384 octets 977 ------------------------ 978 DH-2048 | 256 octets 979 ------------------------ 980 ECDH P-256 | 32 octets 981 ------------------------ 982 ECDH P-384 | 48 octets 983 ------------------------ 984 The calculation of the final shared secret, s0, is in compliance with 985 the recommendations in sections 5.8.1 and 6.1.2.1 of NIST SP 800-56A 986 [SP800-56A]. This is done by hashing a concatenation of a number of 987 items, including the DHResult, the ZID's of the initiator (ZIDi) and 988 the responder (ZIDr), the total_hash, and the set of non-null shared 989 secrets as described in Section 4.3. 991 In section 5.8.1 of NIST SP 800-56A [SP800-56A], NIST requires 992 certain parameters to be hashed together in a particular order, which 993 NIST refers to as: Z, AlgorithmID, PartyUInfo, PartyVInfo, 994 SuppPubInfo, and SuppPrivInfo. In our implementation, our DHResult 995 corresponds to Z, "ZRTP-HMAC-KDF" corresponds to AlgorithmID, our 996 ZIDi and ZIDr correspond to PartyUInfo and PartyVInfo, our total_hash 997 corresponds to SuppPubInfo, and the set of three shared secrets s1, 998 s2, and s3 corresponds to SuppPrivInfo. NIST also requires a 32-bit 999 big-endian integer counter to be included in the hash each time the 1000 hash is computed, which we have set to the fixed value of 1, because 1001 we only compute the hash once. NIST refers to the final hash output 1002 as DerivedKeyingMaterial, which corresponds to our s0 in this 1003 calculation. 1005 s0 = hash(counter || DHResult || "ZRTP-HMAC-KDF" || ZIDi || ZIDr 1006 || total_hash || len(s1) || s1 || len(s2) || s2 || len(s3) || s3) 1008 Note that temporary values s1, s2, and s3 were calculated per the 1009 methods described above in Section 4.3. DHResult, s1, s2, and s3 1010 MUST all be erased from memory immediately after they are used to 1011 calculate s0. 1013 The length of the DHResult field was implicitly agreed to by the 1014 negotiated DH prime size. The length of total_hash is implicitly 1015 determined by the negotiated hash algorithm. All of the explicit 1016 length fields, len(), in the above hash are 32-bit big-endian 1017 integers, giving the length in octets of the field that follows. 1018 Some members of the set of shared secrets (s1, s2, and s3) may have 1019 lengths of zero if they are null (not shared), and are each preceded 1020 by a 4-octet length field. For example, if s2 is null, len(s2) is 1021 0x00000000, and s2 itself would be absent from the hash calculation, 1022 which means len(s3) would immediately follow len(s2). While 1023 inclusion of ZIDi and ZIDr may be redundant, because they are 1024 implicitly included in the total_hash, we explicitly include them 1025 here to follow NIST SP 800-56A. The fixed-length string "ZRTP-HMAC- 1026 KDF" (not null-terminated) identifies what purpose the resulting s0 1027 will be used for, which is to serve as the key derivation key for the 1028 ZRTP HMAC-based key derivation function (KDF) defined in 1029 Section 4.5.1 and used in Section 4.5.3. 1031 ZRTP DH mode is in full compliance with two relevant NIST documents 1032 that cover key derivations. First, section 5.8.1 of NIST SP 800-56A 1033 [SP800-56A] computes what NIST refers to as DerivedKeyingMaterial, 1034 which ZRTP refers to as s0. This s0 then serves as the key 1035 derivation key, which NIST refers to as KI in the key derivation 1036 function described in sections 5 and 5.1 of NIST SP 800-108 1037 [SP800-108], to derive all the rest of the subkeys needed by ZRTP. 1038 For ECDH mode, the s0 calculation is also in compliance with section 1039 3.1 of NSA's Suite B Implementer's Guide to NIST SP 800-56A 1040 [NSA-Suite-B-Guide-56A]. 1042 The ZRTP key derivation function (KDF) (Section 4.5.1) requires the 1043 use of a KDF Context field (per NIST SP 800-108 [SP800-108] 1044 guidelines) which should include the ZIDi, ZIDr, and a nonce value 1045 known to both parties. The total_hash qualifies as a nonce value, 1046 because its computation included nonce material from the initiator's 1047 Commit message and the responder's Hello message. 1049 KDF_Context = (ZIDi || ZIDr || total_hash) 1051 At this point in DH mode, the two endpoints proceed to the key 1052 derivations of ZRTPSess and the rest of the keys in Section 4.5.2, 1053 now that there is a defined s0. 1055 4.4.2. Preshared Mode 1057 The Preshared key agreement mode can be used to generate SRTP keys 1058 and salts without a DH calculation, instead relying on a shared 1059 secret from previous DH calculations between the endpoints. 1061 This key agreement mode is useful to rapidly re-establish a secure 1062 session between two parties who have recently started and ended a 1063 secure session that has already performed a DH key agreement, without 1064 performing another lengthy DH calculation, which may be desirable on 1065 slow processors in resource-limited environments. Preshared mode 1066 MUST NOT be used for adding additional media streams to an existing 1067 call. Multistream mode MUST be used for this purpose. 1069 In the most severe resource-limited environments, Preshared mode may 1070 be useful with processors that cannot perform a DH calculation in an 1071 ergonomically acceptable time limit. Shared key material may be 1072 manually provisioned between two such endpoints in advance and still 1073 allow a limited subset of functionality. Such a "better than 1074 nothing" implementation would have to be regarded as non-compliant 1075 with the ZRTP specification, but it could interoperate in Preshared 1076 (and if applicable, Multistream) mode with a compliant ZRTP endpoint. 1078 Because Preshared mode affects the state of the retained shared 1079 secret cache, only one in-process ZRTP Preshared exchange may occur 1080 at a time between two ZRTP endpoints. This rule is explained in more 1081 detail in Section 4.4.1, and applies for the same reasons as in DH 1082 mode. 1084 Preshared mode is only included in this specification to meet the 1085 R-REUSE requirement in the Media Security Requirements [RFC5479] 1086 document. A series of preshared-keyed calls between two ZRTP 1087 endpoints should use a DH key exchange periodically. Preshared mode 1088 is only used if a cached shared secret has been established in an 1089 earlier session by a DH exchange, as discussed in Section 4.9. 1091 4.4.2.1. Commitment in Preshared Mode 1093 Preshared mode is selected by setting the Key Agreement Type to 1094 Preshared in the Commit message. This results in the same call flow 1095 as Multistream mode. The principal difference between Multistream 1096 mode and Preshared mode is that Preshared mode uses a previously 1097 cached shared secret, rs1, instead of an active ZRTP Session key, 1098 ZRTPSess, as the initial keying material. 1100 Preshared mode depends on having a reliable shared secret in its 1101 cache. Before Preshared mode is used, the initial DH exchange that 1102 gave rise to the shared secret SHOULD have used at least one of these 1103 anti-MiTM mechanisms: 1) A verbal comparison of the SAS, evidenced by 1104 the SAS Verified flag, or 2) an end-to-end integrity-protected 1105 delivery of the a=zrtp-hash in the signaling (Section 8.1.1), or 3) a 1106 digital signature on the sashash (Section 7.2). 1108 4.4.2.2. Initiator Behavior in Preshared Mode 1110 The Commit message (Figure 7) is sent by the initiator of the ZRTP 1111 exchange. From the intersection of the algorithms in the sent and 1112 received Hello messages, the initiator chooses a hash, cipher, auth 1113 tag, key agreement type, and SAS type to be used. 1115 To assemble a Preshared commit, we must first construct a temporary 1116 preshared_key, which is constructed from one of several possible 1117 combinations of cached key material, depending on what is available 1118 in the shared secret cache. If rs1 is not available in the 1119 initiator's cache, then Preshared mode MUST NOT be used. 1121 preshared_key = hash(len(rs1) || rs1 || len(auxsecret) || 1122 auxsecret || len(pbxsecret) || pbxsecret) 1124 All of the explicit length fields, len(), in the above hash are 32- 1125 bit big-endian integers, giving the length in octets of the field 1126 that follows. Some members of the set of shared secrets (rs1, 1127 auxsecret, and pbxsecret) may have lengths of zero if they are null 1128 (not available), and are each preceded by a 4-octet length field. 1129 For example, if auxsecret is null, len(auxsecret) is 0x00000000, and 1130 auxsecret itself would be absent from the hash calculation, which 1131 means len(pbxsecret) would immediately follow len(auxsecret). 1133 In place of hvi in the Commit message, two smaller fields are 1134 inserted by the initiator: 1136 - A random nonce of length 4-words (16 octets). 1137 - A keyID = HMAC(preshared_key, "Prsh") truncated to 64 bits. 1139 Note: Since the nonce is used to calculate different SRTP key and 1140 salt pairs for each session, a duplication will result in the same 1141 key and salt being generated for the two sessions, which would 1142 have disastrous security consequences. 1144 4.4.2.3. Responder Behavior in Preshared Mode 1146 The responder uses the received keyID to search for matching key 1147 material in its cache. It does this by computing a preshared_key 1148 value and keyID value using the same formula as the initiator, 1149 depending on what is available in the responder's local cache. If 1150 the locally computed keyID does not match the received keyID in the 1151 Commit, the responder recomputes a new preshared_key and keyID from a 1152 different subset of shared keys from the cache, dropping auxsecret or 1153 pbxsecret or both from the hash calculation, until a matching 1154 preshared_key is found or it runs out of possibilities. Note that 1155 rs2 is not included in the process. 1157 If it finds the appropriate matching shared key material, it is used 1158 to derive s0 and a new ZRTPSess key, as described in the next section 1159 on Shared Secret Calculation, Section 4.4.2.4. 1161 If the responder determines that it does not have a cached shared 1162 secret from a previous DH exchange, or it fails to match the keyID 1163 hash from the initiator with any combination of its shared keys, it 1164 SHOULD respond with its own DH Commit message. This would reverse 1165 the roles and the responder would become the initiator, because the 1166 DH Commit must always "trump" the Preshared Commit message as 1167 described in Section 4.2. The key exchange would then proceeds using 1168 DH mode. However, if a severely resource-limited responder lacks the 1169 computing resources to respond in a reasonable time with a DH Commit, 1170 it MAY respond with a ZRTP Error message (Section 5.9) indicating 1171 that no shared secret is available. 1173 If both sides send Preshared Commit messages initiating a secure 1174 session at the same time, the contention is resolved and the 1175 initiator/responder roles are settled according to Section 4.2, and 1176 the protocol proceeds. 1178 In Preshared mode, both the DHPart1 and DHPart2 messages are skipped. 1179 After receiving the Commit message from the initiator, the responder 1180 sends the Confirm1 message after calculating this stream's SRTP keys, 1181 as described below. 1183 4.4.2.4. Shared Secret Calculation for Preshared Mode 1185 Preshared mode requires that the s0 and ZRTPSess keys be derived from 1186 the preshared_key, and this must be done in a way that guarantees 1187 uniqueness for each session. This is done by using nonce material 1188 from both parties: the explicit nonce in the initiator's Preshared 1189 Commit message (Figure 7) and the H3 field in the responder's Hello 1190 message (Figure 3). Thus both parties force the resulting shared 1191 secret to be unique for each session. 1193 A hash of the received and sent ZRTP messages in the current ZRTP 1194 exchange for the current media stream is calculated: 1196 total_hash = hash(Hello of responder || Commit) 1198 Note that only the ZRTP messages (Figure 3 and Figure 7), not the 1199 entire ZRTP packets, are included in the total_hash. 1201 The ZRTP key derivation function (KDF) (Section 4.5.1) requires the 1202 use of a KDF Context field (per NIST SP 800-108 [SP800-108] 1203 guidelines) which should include the ZIDi, ZIDr, and a nonce value 1204 known to both parties. The total_hash qualifies as a nonce value, 1205 because its computation included nonce material from the initiator's 1206 Commit message and the responder's Hello message. 1208 KDF_Context = (ZIDi || ZIDr || total_hash) 1210 The s0 key is derived via the ZRTP key derivation function 1211 (Section 4.5.1) from preshared_key and the nonces implicitly included 1212 in the total_hash. The nonces also ensure KDF_Context is unique for 1213 each session, which is critical for security. 1215 s0 = KDF(preshared_key, "ZRTP PSK", KDF_Context, negotiated hash 1216 length) 1218 The preshared_key MUST be erased as soon as it has been used to 1219 calculate s0. 1221 At this point in Preshared mode, the two endpoints proceed to the key 1222 derivations of ZRTPSess and the rest of the keys in Section 4.5.2, 1223 now that there is a defined s0. 1225 4.4.3. Multistream Mode 1227 The Multistream key agreement mode can be used to generate SRTP keys 1228 and salts for additional media streams established between a pair of 1229 endpoints. Multistream mode cannot be used unless there is an active 1230 SRTP session established between the endpoints which means a ZRTP 1231 Session key is active. This ZRTP Session key can be used to generate 1232 keys and salts without performing another DH calculation. In this 1233 mode, the retained shared secret cache is not used or updated. As a 1234 result, multiple ZRTP Multistream mode exchanges can be processed in 1235 parallel between two endpoints. 1237 Multistream mode is also used to resume a secure call that has gone 1238 clear using a GoClear message as described in Section 4.7.2.1. 1240 When adding additional media streams to an existing call, Multistream 1241 mode MUST be used. The first media stream MUST use either DH mode or 1242 Preshared mode. Only one DH exchange or Preshared exchange is 1243 performed, just for the first media stream. The DH exchange or 1244 Preshared exchange MUST be completed for the first media stream 1245 before Multistream mode is used to add any other media streams. In a 1246 Multistream session, a ZRTP endpoint MUST use the same ZID for all 1247 media streams, matching the ZID used in the first media stream. 1249 4.4.3.1. Commitment in Multistream Mode 1251 Multistream mode is selected by the initiator setting the Key 1252 Agreement Type to "Mult" in the Commit message (Figure 6). The 1253 Cipher Type, Auth Tag Length, and Hash in Multistream mode SHOULD be 1254 set by the initiator to the same as the values as in the initial DH 1255 Mode Commit. The SAS Type is ignored as there is no SAS 1256 authentication in this mode. 1258 Note: This requirement is needed since some endpoints cannot 1259 support different SRTP algorithms for different media streams. 1260 However, in the case of Multistream mode being used to go secure 1261 after a GoClear, the requirement to use the same SRTP algorithms 1262 is relaxed if there are no other active SRTP sessions. 1264 In place of hvi in the Commit, a random nonce of length 4-words (16 1265 octets) is chosen. Its value MUST be unique for all nonce values 1266 chosen for active ZRTP sessions between a pair of endpoints. If a 1267 Commit is received with a reused nonce value, the ZRTP exchange MUST 1268 be immediately terminated. 1270 Note: Since the nonce is used to calculate different SRTP key and 1271 salt pairs for each media stream, a duplication will result in the 1272 same key and salt being generated for the two media streams, which 1273 would have disastrous security consequences. 1275 If a Commit is received selecting Multistream mode, but the responder 1276 does not have a ZRTP Session Key available, the exchange MUST be 1277 terminated. Otherwise, the responder proceeds to the next section on 1278 Shared Secret Calculation, Section 4.4.3.2. 1280 If both sides send Multistream Commit messages at the same time, the 1281 contention is resolved and the initiator/responder roles are settled 1282 according to Section 4.2, and the protocol proceeds. 1284 In Multistream mode, both the DHPart1 and DHPart2 messages are 1285 skipped. After receiving the Commit message from the initiator, the 1286 responder sends the Confirm1 message after calculating this stream's 1287 SRTP keys, as described below. 1289 4.4.3.2. Shared Secret Calculation for Multistream Mode 1291 In Multistream mode, each media stream requires that a set of keys be 1292 derived from the ZRTPSess key, and this must be done in a way that 1293 guarantees uniqueness for each media stream. This is done by using 1294 nonce material from both parties: the explicit nonce in the 1295 initiator's Multistream Commit message (Figure 6) and the H3 field in 1296 the responder's Hello message (Figure 3). Thus both parties force 1297 the resulting shared secret to be unique for each media stream. 1299 A hash of the received and sent ZRTP messages in the current ZRTP 1300 exchange for the current media stream is calculated: 1302 total_hash = hash(Hello of responder || Commit) 1304 This refers to the Hello and Commit messages for the current media 1305 stream which is using Multistream mode, not the original media stream 1306 that included a full DH key agreement. Note that only the ZRTP 1307 messages (Figure 3 and Figure 6), not the entire ZRTP packets, are 1308 included in the hash. 1310 The ZRTP key derivation function (KDF) (Section 4.5.1) requires the 1311 use of a KDF Context field (per NIST SP 800-108 [SP800-108] 1312 guidelines) which should include the ZIDi, ZIDr, and a nonce value 1313 known to both parties. The total_hash qualifies as a nonce value, 1314 because its computation included nonce material from the initiator's 1315 Commit message and the responder's Hello message. 1317 KDF_Context = (ZIDi || ZIDr || total_hash) 1319 The current stream's SRTP keys and salts for the initiator and 1320 responder are calculated using the ZRTP Session Key ZRTPSess and the 1321 nonces implicitly included in the total_hash. The nonces also ensure 1322 KDF_Context will be unique for each media stream, which is critical 1323 for security. For each additional media stream, a separate s0 is 1324 derived from ZRTPSess via the ZRTP key derivation function 1325 (Section 4.5.1): 1327 s0 = KDF(ZRTPSess, "ZRTP MSK", KDF_Context, negotiated hash 1328 length) 1330 Note that the ZRTPSess key was previously derived from material that 1331 also includes a different and more inclusive total_hash from the 1332 entire packet sequence that performed the original DH exchange for 1333 the first media stream in this ZRTP session. 1335 At this point in Multistream mode, the two endpoints begin key 1336 derivations in Section 4.5.3. 1338 4.5. Key Derivations 1340 4.5.1. The ZRTP Key Derivation Function 1342 To derive keys from a shared secret, ZRTP uses an HMAC-based key 1343 derivation function, or KDF. It is used throughout Section 4.5.3 and 1344 in other sections. The HMAC function for the KDF is based on the 1345 negotiated hash algorithm defined in Section 5.1.2. 1347 The ZRTP KDF is in full compliance with the recommendations in NIST 1348 SP 800-108 [SP800-108]. Section 7.5 of the NIST document describes 1349 "key separation", which is a security requirement for the 1350 cryptographic keys derived from the same key derivation key. The 1351 keys shall be separate in the sense that the compromise of some 1352 derived keys will not degrade the security strength of any of the 1353 other derived keys, or the security strength of the key derivation 1354 key. Strong preimage resistance is provided. 1356 The ZRTP KDF runs the NIST pseudorandom function (PRF) in counter 1357 mode, with only a single iteration of the counter. The NIST PRF is 1358 based on the HMAC function. The ZRTP KDF never has to generate more 1359 than 256 bits (or 384 bits for Suite B applications) of output key 1360 material, so only a single invocation of the HMAC function is needed. 1362 The ZRTP KDF is defined in this manner, per sections 5 and 5.1 of 1363 NIST SP 800-108 [SP800-108]: 1365 KDF(KI, Label, Context, L) = HMAC(KI, i || Label || 0x00 || 1366 Context || L) 1368 The HMAC in the KDF is keyed by KI, which is a secret key derivation 1369 key that is unknown to the wiretapper (for example, s0). The HMAC is 1370 computed on a concatenated set of nonsecret fields that are defined 1371 as follows. The first field is a 32-bit big-endian integer counter 1372 (i) required by NIST to be included in the HMAC each time the HMAC is 1373 computed, which we have set to the fixed value of 0x000001, because 1374 we only compute the HMAC once. Label is a string of nonzero octets 1375 that identifies the purpose for the derived keying material. The 1376 octet 0x00 is a delimiter required by NIST. The NIST KDF formula has 1377 a "Context" field which includes ZIDi, ZIDr, and some optional nonce 1378 material known to both parties. L is a 32-bit big-endian positive 1379 integer, not to exceed the length in bits of the output of the HMAC. 1380 The output of the KDF is truncated to the leftmost L bits. If SHA- 1381 384 is the negotiated hash algorithm, the HMAC would be HMAC-SHA-384, 1382 thus the maximum value of L would be 384, the negotiated hash length. 1384 The ZRTP KDF is not to be confused with the SRTP KDF defined in 1385 [RFC3711]. 1387 4.5.2. Deriving ZRTPSess Key and SAS in DH or Preshared modes 1389 Both DH mode and Preshared mode (but not Multistream mode) come to 1390 this common point in the protocol to derive ZRTPSess and the SAS from 1391 s0, via the ZRTP Key Derivation Function (Section 4.5.1). At this 1392 point, s0 has been calculated, as well as KDF_Context. These 1393 calculations are done only for the first media stream, not for 1394 Multistream mode. 1396 The ZRTPSess key is used only for these two purposes: 1) to generate 1397 the additional s0 keys (Section 4.4.3.2) for adding additional media 1398 streams to this session in Multistream mode, and 2) to generate the 1399 pbxsecret (Section 7.3.1) that may be cached for use in future 1400 sessions. The ZRTPSess key is kept for the duration of the call 1401 signaling session between the two ZRTP endpoints. That is, if there 1402 are two separate calls between the endpoints (in SIP terms, separate 1403 SIP dialogs), then a ZRTP Session Key MUST NOT be used across the two 1404 call signaling sessions. ZRTPSess MUST be destroyed no later than 1405 the end of the call signaling session. 1407 ZRTPSess = KDF(s0, "ZRTP Session Key", KDF_Context, negotiated 1408 hash length) 1410 Note that KDF_Context is unique for each media stream, but only the 1411 first media stream is permitted to calculate ZRTPSess. 1413 There is only one Short Authentication String (SAS) (Section 7) 1414 computed per call, which is applicable to all media streams derived 1415 from a single DH key agreement in a ZRTP session. KDF_Context is 1416 unique for each media stream, but only the first media stream is 1417 permitted to calculate sashash. 1419 sashash = KDF(s0, "SAS", KDF_Context, 256) 1420 sasvalue = sashash [truncated to leftmost 32 bits] 1422 Despite the exposure of the SAS to the two parties, the rest of the 1423 keying material is protected by the key separation properties of the 1424 KDF (Section 4.5.1). 1426 ZRTP-enabled VoIP clients may need to support additional forms of 1427 communication, such as text chat, instant messaging, or file 1428 transfers. These other forms of communication may need to be 1429 encrypted, and would benefit from leveraging the ZRTP key exchange 1430 used for the VoIP part of the call. In that case, more key material 1431 MAY be derived and "exported" from the ZRTP protocol and provided as 1432 a shared secret to the VoIP client for these non-VoIP purposes. The 1433 application can use this exported key in application-specific ways, 1434 outside the scope of the ZRTP protocol. It can be used directly for 1435 encryption, or used to authenticate other key exchanges carried out 1436 by the application, protected by ZRTP's MiTM defense umbrella. This 1437 exported key may be used for as long as needed by the application, 1438 maintained in a separate crypto context that may outlast the VoIP 1439 session. 1441 ExportedKey = KDF(s0, "Exported key", KDF_Context, negotiated hash 1442 length) 1444 At this point in DH mode or Preshared mode, the two endpoints proceed 1445 on to the key derivations in Section 4.5.3, now that there is a 1446 defined s0 and ZRTPSess key. 1448 4.5.3. Deriving the rest of the keys from s0 1450 DH mode, Multistream mode, and Preshared mode all come to this common 1451 point in the protocol to derive a set of keys from s0. It can be 1452 assumed that s0 has been calculated, as well the ZRTPSess key and 1453 KDF_Context. A separate s0 key is associated with each media stream. 1455 Subkeys are not drawn directly from s0, as done in NIST SP 800-56A. 1456 To enhance key separation, ZRTP uses s0 to key a Key Derivation 1457 Function (Section 4.5.1) based on NIST SP 800-108 [SP800-108]. Since 1458 s0 already included total_hash in its derivation, it is redundant to 1459 use total_hash again in the KDF Context in all the invocations of the 1460 KDF keyed by s0. Nonetheless, NIST SP 800-108 always requires KDF 1461 Context to be defined for the KDF, and nonce material is required in 1462 some KDF invocations (especially for Multistream mode and Preshared 1463 mode), so total_hash is included as a nonce in the KDF Context. 1465 Separate SRTP master keys and master salts are derived for use in 1466 each direction for each media stream. Unless otherwise specified, 1467 ZRTP uses SRTP with no MKI, 32 bit authentication using HMAC-SHA1, 1468 AES-CM 128 or 256 bit key length, 112 bit session salt key length, 1469 2^48 key derivation rate, and SRTP prefix length 0. 1471 The ZRTP initiator encrypts and the ZRTP responder decrypts packets 1472 by using srtpkeyi and srtpsalti, while the ZRTP responder encrypts 1473 and the ZRTP initiator decrypts packets by using srtpkeyr and 1474 srtpsaltr. The SRTP key and salt values are truncated (taking the 1475 leftmost bits) to the length determined by the chosen SRTP profile. 1476 These are generated by: 1478 srtpkeyi = KDF(s0, "Initiator SRTP master key", KDF_Context, 1479 negotiated AES key length) 1480 srtpsalti = KDF(s0, "Initiator SRTP master salt", KDF_Context, 1481 112) 1482 srtpkeyr = KDF(s0, "Responder SRTP master key", KDF_Context, 1483 negotiated AES key length) 1484 srtpsaltr = KDF(s0, "Responder SRTP master salt", KDF_Context, 1485 112) 1487 The HMAC keys are the same length as the output of the underlying 1488 hash function in the KDF, and are thus generated without truncation. 1489 They are used only by ZRTP and not by SRTP. Different HMAC keys are 1490 needed for the initiator and the responder to ensure that GoClear 1491 messages in each direction are unique and can not be cached by an 1492 attacker and reflected back to the endpoint. 1494 hmackeyi = KDF(s0, "Initiator HMAC key", KDF_Context, negotiated 1495 hash length) 1496 hmackeyr = KDF(s0, "Responder HMAC key", KDF_Context, negotiated 1497 hash length) 1499 ZRTP keys are generated for the initiator and responder to use to 1500 encrypt the Confirm1 and Confirm2 messages. They are truncated to 1501 the same size as the negotiated SRTP key size. 1503 zrtpkeyi = KDF(s0, "Initiator ZRTP key", KDF_Context, negotiated 1504 AES key length) 1505 zrtpkeyr = KDF(s0, "Responder ZRTP key", KDF_Context, negotiated 1506 AES key length) 1508 All key material is destroyed as soon as it is no longer needed, no 1509 later than the end of the call. s0 is erased in Section 4.6.1, and 1510 the rest of the session key material is erased in Section 4.7.2.1 and 1511 Section 4.7.3. 1513 4.6. Confirmation 1515 The Confirm1 and Confirm2 messages (Figure 10) contain the cache 1516 expiration interval (defined in Section 4.9) for the newly generated 1517 retained shared secret. The flagoctet is an 8 bit unsigned integer 1518 made up of these flags: the PBX Enrollment flag (E) defined in 1519 Section 7.3.1, SAS Verified flag (V) defined in Section 7.1, Allow 1520 Clear flag (A) defined in Section 4.7.2, and Disclosure flag (D) 1521 defined in Section 11. 1523 flagoctet = (E * 2^3) + (V * 2^2) + (A * 2^1) + (D * 2^0) 1525 Part of the Confirm1 and Confirm2 messages are encrypted using full- 1526 block Cipher Feedback Mode, and contain a 128-bit random CFB 1527 Initialization Vector (IV). The Confirm1 and Confirm2 messages also 1528 contain an HMAC covering the encrypted part of the Confirm1 or 1529 Confirm2 message which includes a string of zeros, the signature 1530 length, flag octet, cache expiration interval, signature type block 1531 (if present) and signature (Section 7.2) (if present). For the 1532 responder: 1534 hmac = HMAC(hmackeyr, encrypted part of Confirm1) 1536 For the initiator: 1538 hmac = HMAC(hmackeyi, encrypted part of Confirm2) 1540 The hmackeyi and hmackeyr keys are computed in Section 4.5.3. 1542 The exchange is completed when the responder sends either the 1543 Conf2ACK message or the responder's first SRTP media packet (with a 1544 valid SRTP auth tag). The initiator MUST treat the first valid SRTP 1545 media from the responder as equivalent to receiving a Conf2ACK. The 1546 responder may respond to Confirm2 with either SRTP media or Conf2ACK, 1547 or both, in whichever order the responder chooses (or whichever order 1548 the "cloud" chooses to deliver them). 1550 4.6.1. Updating the Cache of Shared Secrets 1552 After receiving the Confirm messages, both parties must now update 1553 their retained shared secret rs1 in their respective caches, provided 1554 the following conditions hold: 1556 1) This key exchange is either DH or Preshared mode, not 1557 Multistream mode, which does not update the cache. 1558 2) Depending on the values of the cache expiration intervals that 1559 are received in the two Confirm messages, there are some scenarios 1560 that do not update the cache, as explained in Section 4.9. 1562 3) The responder MUST receive the initiator's Confirm2 message 1563 before updating the responder's cache. 1564 4) The initiator MUST receive either the responder's Conf2ACK 1565 message or the responder's SRTP media (with a valid SRTP auth tag) 1566 before updating the initiator's cache. 1568 The cache update may also be affected by a cache mismatch, according 1569 to Section 4.6.1.1. 1571 For DH mode only, before updating the retained shared secret rs1 in 1572 the cache, each party first discards their old rs2 and copies their 1573 old rs1 to rs2. The old rs1 is saved to rs2 because of the risk of 1574 session interruption after one party has updated his own rs1 but 1575 before the other party has enough information to update her own rs1. 1576 If that happens, they may regain cache sync in the next session by 1577 using rs2 (per Section 4.3). This mitigates the well-known Two 1578 Generals' Problem [Byzantine]. The old rs1 value is not saved in 1579 Preshared mode. 1581 For DH mode and Preshared mode, both parties compute a new rs1 value 1582 from s0 via the ZRTP key derivation function (Section 4.5.1): 1584 rs1 = KDF(s0, "retained secret", KDF_Context, 256) 1586 Note that KDF_Context is unique for each media stream, but only the 1587 first media stream is permitted to update rs1. 1589 Each media stream has its own s0. At this point in the protocol for 1590 each media stream, the corresponding s0 MUST be erased. 1592 4.6.1.1. Cache Update Following a Cache Mismatch 1594 If a shared secret cache mismatch (as defined in Section 4.3.2) is 1595 detected in the current session, it indicates a possible MiTM attack. 1596 However, there may be evidence to the contrary, if either one of the 1597 following conditions are met: 1599 o Successful use of the mechanism described in Section 8.1.1, but 1600 only if fully supported by end-to-end integrity-protected delivery 1601 of the a=zrtp-hash in the signaling via SIP Identity (RFC 4474) 1602 [RFC4474] or better still, Dan Wing's SIP Identity using Media 1603 Path [I-D.wing-sip-identity-media]. This allows authentication of 1604 the DH exchange without human assistance. 1605 o A good signature is received and verified using the digital 1606 signature feature on the SAS hash, as described in Section 7.2, if 1607 this feature is supported. 1609 If there is a cache mismatch in the absence of the aforementioned 1610 mitigating evidence, the cache update MUST be delayed in the current 1611 session until the user verbally compares the SAS with his partner 1612 during the call and confirms a successful SAS verify via his user 1613 interface as described in Section 7.1. If the session ends before 1614 that happens, the cache update is not performed, leaving the rs1/rs2 1615 values unmodified in the cache. Regardless of whether a cache 1616 mismatch occurs, s0 must still be erased. 1618 If no cache entry exists, as is the case in the initial call, the 1619 cache update is handled in the normal fashion. 1621 4.7. Termination 1623 A ZRTP session is normally terminated at the end of a call, but it 1624 may be terminated early by either the Error message or the GoClear 1625 message. 1627 4.7.1. Termination via Error message 1629 The Error message (Section 5.9) is used to terminate an in-progress 1630 ZRTP exchange due to an error. The Error message contains an integer 1631 Error Code for debugging purposes. The termination of a ZRTP key 1632 agreement exchange results in no updates to the cached shared secrets 1633 and deletion of all crypto context. 1635 The ZRTP Session key, ZRTPSess, is only deleted if the ZRTP session 1636 in which it was generated and all ZRTP sessions which are using it 1637 are terminated. 1639 4.7.2. Termination via GoClear message 1641 The GoClear message (Section 5.11) is used to switch from SRTP to 1642 RTP, usually because the user has chosen to do that by pressing a 1643 button. The GoClear uses an HMAC of the Message Type Block sent in 1644 the GoClear Message computed with the hmackey derived from the shared 1645 secret. This HMAC is truncated to the leftmost 64 bits. When sent 1646 by the initiator: 1648 clear_hmac = HMAC(hmackeyi, "GoClear ") 1650 When sent by the responder: 1652 clear_hmac = HMAC(hmackeyr, "GoClear ") 1654 A GoClear message which does not receive a ClearACK response must be 1655 resent. If a GoClear message is received with a bad HMAC, it must be 1656 ignored, and no ClearACK is sent. 1658 A ZRTP endpoint MAY choose to accept GoClear messages after the 1659 session has switched to SRTP, allowing the session to revert to RTP. 1660 This is indicated in the Confirm1 or Confirm2 messages (Figure 10) by 1661 setting the Allow Clear flag (A). If an endpoint sets the Allow 1662 Clear (A) flag in their Confirm message, it indicates that they 1663 support receiving GoClear messages. 1665 A ZRTP endpoint that receives a GoClear MUST authenticate the message 1666 by checking the clear_hmac. If the message authenticates, the 1667 endpoint stops sending SRTP packets, and generates a ClearACK in 1668 response. It MUST also delete all the crypto key material for all 1669 the SRTP media streams, as defined in Section 4.7.2.1. 1671 Until confirmation from the user is received (e.g. clicking a button, 1672 pressing a DTMF key, etc.), the ZRTP endpoint MUST NOT resume sending 1673 RTP packets. The endpoint then renders to the user an indication 1674 that the media session has switched to clear mode, and waits for 1675 confirmation from the user. This blocks the flow of sensitive 1676 discourse until the user is forced to take notice that he's no longer 1677 protected by encryption. To prevent pinholes from closing or NAT 1678 bindings from expiring, the ClearACK message MAY be resent at regular 1679 intervals (e.g. every 5 seconds) while waiting for confirmation from 1680 the user. After confirmation of the notification is received from 1681 the user, the sending of RTP packets may begin. 1683 After sending a GoClear message, the ZRTP endpoint stops sending SRTP 1684 packets. When a ClearACK is received, the ZRTP endpoint deletes the 1685 crypto context for the SRTP session, as defined in Section 4.7.2.1, 1686 and may then resume sending RTP packets. 1688 In the event a ClearACK is not received before the retransmissions of 1689 GoClear are exhausted, the key material is deleted, as defined in 1690 Section 4.7.2.1. 1692 After the users have transitioned from SRTP media back to RTP media 1693 (clear mode), they may decide later to return to secure mode by 1694 manual activation, usually by pressing a GO SECURE button. In that 1695 case, a new secure session is initiated by the party that presses the 1696 button, by sending a new Commit message, leading to a new session key 1697 negotiation. It is not necessary to send another Hello message, as 1698 the two parties have already done that at the start of the call and 1699 thus have already discovered each other's ZRTP capabilities. It is 1700 possible for users to toggle back and forth between clear and secure 1701 modes multiple times in the same session, just as they could in the 1702 old days of secure PSTN phones. 1704 4.7.2.1. Key Destruction for GoClear message 1706 All SRTP session key material MUST be erased by the receiver of the 1707 GoClear message upon receiving a properly authenticated GoClear. The 1708 same key destruction MUST be done by the sender of GoClear message, 1709 upon receiving the ClearACK. This must be done for the key material 1710 for all of the media streams. 1712 All key material that would have been erased at the end of the SIP 1713 session MUST be erased, as described in Section 4.7.3, with the 1714 single exception of ZRTPSess. In this case, ZRTPSess is destroyed in 1715 a manner different from the other key material. Both parties replace 1716 ZRTPSess with a hash of itself, without truncation: 1718 ZRTPSess = hash(ZRTPSess) 1720 This meets the requirements of Perfect Forward Secrecy (PFS), but 1721 preserves a new version of ZRTPSess, so that the user can later re- 1722 initiate secure mode during the same session without performing 1723 another Diffie-Hellman calculation using Multistream mode which 1724 requires and assumes the existence of ZRTPSess with the same value at 1725 both ZRTP endpoints. A new key negotiation after a GoClear SHOULD 1726 use a Multistream Commit message. 1728 Note: Multistream mode is preferred over a Diffie-Hellman mode 1729 since this does not require the generation of a new hash chain and 1730 a new signaling exchange to exchange new hash values. 1732 Later, at the end of the entire call, ZRTPSess is finally destroyed 1733 along with the other key material, as described in Section 4.7.3. 1735 4.7.3. Key Destruction at Termination 1737 All SRTP session key material MUST be erased by both parties at the 1738 end of the call. In particular, the destroyed key material includes 1739 the SRTP session keys and salts, SRTP master keys and salts, and all 1740 material sufficient to reconstruct the SRTP keys and salts, including 1741 ZRTPSess and s0 (although s0 should have been destroyed earlier, in 1742 Section 4.6.1). This must be done for the key material for all of 1743 the media streams. The only exceptions are the cached shared secrets 1744 needed for future sessions, including rs1, rs2, and pbxsecret. 1746 4.8. Random Number Generation 1748 The ZRTP protocol uses random numbers for cryptographic key material, 1749 notably for the DH secret exponents and nonces, which must be freshly 1750 generated with each session. Whenever a random number is needed, all 1751 of the following criteria must be satisfied: 1753 Random numbers MUST be freshly generated, meaning that it must not 1754 have been used in a previous calculation. 1756 When generating a random number k of L bits in length, k MUST be 1757 chosen with equal probability from the range of [1 < k < 2^L]. 1759 It MUST be derived from a physical entropy source, such as RF noise, 1760 acoustic noise, thermal noise, high resolution timings of 1761 environmental events, or other unpredictable physical sources of 1762 entropy. For a detailed explanation of cryptographic grade random 1763 numbers and guidance for collecting suitable entropy, see RFC 4086 1764 [RFC4086] and Chapter 10 of Practical Cryptography [Ferguson]. The 1765 raw entropy must be distilled and processed through a deterministic 1766 random bit generator (DRBG). Examples of DRBGs may be found in NIST 1767 SP 800-90 [SP800-90], and in [Ferguson]. Failure to use true entropy 1768 from the physical environment as a basis for generating random 1769 cryptographic key material would lead to a disastrous loss of 1770 security. 1772 4.9. ZID and Cache Operation 1774 Each instance of ZRTP has a unique 96-bit random ZRTP ID or ZID that 1775 is generated once at installation time. It is used to look up 1776 retained shared secrets in a local cache. A single global ZID for a 1777 single installation is the simplest way to implement ZIDs. However, 1778 it is specifically not precluded for an implementation to use 1779 multiple ZIDs, up to the limit of a separate one per callee. This 1780 then turns it into a long-lived "association ID" that does not apply 1781 to any other associations between a different pair of parties. It is 1782 a goal of this protocol to permit both options to interoperate 1783 freely. 1785 Each time a new s0 is calculated, a new retained shared secret rs1 is 1786 generated and stored in the cache, indexed by the ZID of the other 1787 endpoint. This cache updating is described in Section 4.6.1. For 1788 the new retained shared secret, each endpoint chooses a cache 1789 expiration value which is an unsigned 32 bit integer of the number of 1790 seconds that this secret should be retained in the cache. The time 1791 interval is relative to when the Confirm1 message is sent or 1792 received. 1794 The cache intervals are exchanged in the Confirm1 and Confirm2 1795 messages (Figure 10). The actual cache interval used by both 1796 endpoints is the minimum of the values from the Confirm1 and Confirm2 1797 messages. A value of 0 seconds means the newly-computed shared 1798 secret SHOULD NOT be stored in the cache, and if a cache entry 1799 already exists from an earlier call, the stored cache interval should 1800 be set to 0. This means if either Confirm message contains a null 1801 cache expiration interval, and there is no cache entry already 1802 defined, no new cache entry is created. A value of 0xffffffff means 1803 the secret should be cached indefinitely and is the recommended 1804 value. If the ZRTP exchange is Multistream Mode, the field in the 1805 Confirm1 and Confirm2 is set to 0xffffffff and ignored, and the cache 1806 is not updated. 1808 The expiration interval need not be used to force the deletion of a 1809 shared secret from the cache when the interval has expired. It just 1810 means the shared secret MAY be deleted from that cache at any point 1811 after the interval has expired without causing the other party to 1812 note it as an unexpected security event when the next key negotiation 1813 occurs between the same two parties. This means there need not be 1814 perfectly synchronized deletion of expired secrets from the two 1815 caches, and makes it easy to avoid a race condition that might 1816 otherwise be caused by clock skew. 1818 If the expiration interval is not properly agreed to by both 1819 endpoints, it may later result in false alarms of MiTM attacks, due 1820 to apparent cache mismatches (Section 4.3.2). 1822 4.9.1. Cacheless implementations 1824 It is possible to implement a simplified but nonetheless useful (and 1825 still compliant) profile of the ZRTP protocol that does not support 1826 any caching of shared secrets. In this case the users would have to 1827 rely exclusively on the verbal SAS comparison for every call. That 1828 is, unless MiTM protection is provided by the mechanisms in 1829 Section 8.1.1 or Section 7.2, which introduce their own forms of 1830 complexity. 1832 If a ZRTP endpoint does not support caching of shared secrets, it 1833 MUST set the cache expiration interval to zero, and MUST set the SAS 1834 Verified (V) flag (Section 7.1) to false. In addition, because the 1835 ZID serves mainly as a cache index, the ZID would not be required to 1836 maintain the same value across separate SIP sessions, although there 1837 is no reason why it should not. 1839 Cacheless operation would sacrifice the key continuity (Section 15.1) 1840 features, as well as Preshared mode (Section 4.4.2). Further, if the 1841 pbxsecret is also not cached, there would be no PBX trusted MiTM 1842 (Section 7.3) features, including the PBX security enrollment 1843 (Section 7.3.1) mechanism. 1845 5. ZRTP Messages 1847 All ZRTP messages use the message format defined in Figure 2. All 1848 word lengths referenced in this specification are 32 bits or 4 1849 octets. All integer fields are carried in network byte order, that 1850 is, most significant byte (octet) first, commonly known as big- 1851 endian. 1853 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1854 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1855 |0 0 0 1|Not Used (set to zero) | Sequence Number | 1856 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1857 | Magic Cookie 'ZRTP' (0x5a525450) | 1858 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1859 | Source Identifier | 1860 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1861 | | 1862 | ZRTP Message (length depends on Message Type) | 1863 | . . . | 1864 | | 1865 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1866 | CRC (1 word) | 1867 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1869 Figure 2: ZRTP Packet Format 1871 The Sequence Number is a count that is incremented for each ZRTP 1872 packet sent. The count is initialized to a random value. This is 1873 useful in estimating ZRTP packet loss and also detecting when ZRTP 1874 packets arrive out of sequence. 1876 The ZRTP Magic Cookie is a 32 bit string that uniquely identifies a 1877 ZRTP packet, and has the value 0x5a525450. 1879 Source Identifier is the SSRC number of the RTP stream that this ZRTP 1880 packet relates to. For cases of forking or forwarding, RTP and hence 1881 ZRTP may arrive at the same port from several different sources - 1882 each of these sources will have a different SSRC and may initiate an 1883 independent ZRTP protocol session. 1885 This format is clearly identifiable as non-RTP due to the first two 1886 bits being zero which looks like RTP version 0, which is not a valid 1887 RTP version number. It is clearly distinguishable from STUN since 1888 the magic cookies are different. The 12 not used bits are set to 1889 zero and MUST be ignored when received. 1891 The ZRTP Messages are defined in Figure 3 to Figure 17 and are of 1892 variable length. 1894 The ZRTP protocol uses a 32 bit CRC as defined in RFC 4960, Appendix 1895 B [RFC4960] in each ZRTP packet to detect transmission errors. ZRTP 1896 packets are typically transported by UDP, which carries its own 1897 built-in 16-bit checksum for integrity, but ZRTP does not rely on it. 1898 This is because of the effect of an undetected transmission error in 1899 a ZRTP message. For example, an undetected error in the DH exchange 1900 could appear to be an active man-in-the-middle attack. The 1901 psychological effects of a false announcement of this by ZRTP clients 1902 can not be overstated. The probability of such a false alarm hinges 1903 on a mere 16-bit checksum that usually protects UDP packets, so more 1904 error detection is needed. For these reasons, this belt-and- 1905 suspenders approach is used to minimize the chance of a transmission 1906 error affecting the ZRTP key agreement. 1908 The CRC is calculated across the entire ZRTP packet shown in 1909 Figure 2, including the ZRTP Header and the ZRTP Message, but not 1910 including the CRC field. If a ZRTP message fails the CRC check, it 1911 is silently discarded. 1913 5.1. ZRTP Message Formats 1915 ZRTP messages are designed to simplify endpoint parsing requirements 1916 and to reduce the opportunities for buffer overflow attacks (a good 1917 goal of any security extension should be to not introduce new attack 1918 vectors). 1920 ZRTP uses a block of 8 octets (2 words) to encode the Message Type. 4 1921 octets (1 word) blocks are used to encode Hash Type, Cipher Type, and 1922 Key Agreement Type, and Authentication Tag Type. The values in the 1923 blocks are ASCII strings which are extended with spaces (0x20) to 1924 make them the desired length. Currently defined block values are 1925 listed in Tables 1-6 below. 1927 Additional block values may be defined and used. 1929 ZRTP uses this ASCII encoding to simplify debugging and make it 1930 "Wireshark (Ethereal) friendly". 1932 5.1.1. Message Type Block 1934 Currently 16 Message Type Blocks are defined - they represent the set 1935 of ZRTP message primitives. ZRTP endpoints MUST support the Hello, 1936 HelloACK, Commit, DHPart1, DHPart2, Confirm1, Confirm2, Conf2ACK, 1937 SASrelay, RelayACK, Error, ErrorACK, and PingACK message types. ZRTP 1938 endpoints MAY support the GoClear, ClearACK, and Ping messages. In 1939 order to generate a PingACK message, it is necessary to parse a Ping 1940 message. Additional messages may be defined in extensions to ZRTP. 1942 Message Type Block | Meaning 1943 --------------------------------------------------- 1944 "Hello " | Hello Message 1945 --------------------------------------------------- 1946 "HelloACK" | HelloACK Message 1947 --------------------------------------------------- 1948 "Commit " | Commit Message 1949 --------------------------------------------------- 1950 "DHPart1 " | DHPart1 Message 1951 --------------------------------------------------- 1952 "DHPart2 " | DHPart2 Message 1953 --------------------------------------------------- 1954 "Confirm1" | Confirm1 Message 1955 --------------------------------------------------- 1956 "Confirm2" | Confirm2 Message 1957 --------------------------------------------------- 1958 "Conf2ACK" | Conf2ACK Message 1959 --------------------------------------------------- 1960 "Error " | Error Message 1961 --------------------------------------------------- 1962 "ErrorACK" | ErrorACK Message 1963 --------------------------------------------------- 1964 "GoClear " | GoClear Message 1965 --------------------------------------------------- 1966 "ClearACK" | ClearACK Message 1967 --------------------------------------------------- 1968 "SASrelay" | SASrelay Message 1969 --------------------------------------------------- 1970 "RelayACK" | RelayACK Message 1971 --------------------------------------------------- 1972 "Ping " | Ping Message 1973 --------------------------------------------------- 1974 "PingACK " | PingACK Message 1975 --------------------------------------------------- 1977 Table 1. Message Type Block Values 1979 5.1.2. Hash Type Block 1981 All ZRTP endpoints MUST support a Hash Type of SHA-256 [FIPS-180-3]. 1982 SHA-384 SHOULD be supported, and MUST be supported if ECDH-384 is 1983 used. Additional Hash Types can be registered and used, such as the 1984 NIST SHA-3 hash [SHA-3] when it becomes available. Note that the 1985 Hash Type refers to the hash algorithm that will be used throughout 1986 the ZRTP key exchange, not the hash algorithm to be used in the SRTP 1987 Authentication Tag. 1989 ZRTP makes use of HMAC message authentication codes based on the 1990 negotiated Hash Type. The HMAC function is defined in [FIPS-198-1]. 1991 A discussion of the general security of the HMAC construction may be 1992 found in [RFC2104]. Test vectors for HMAC-SHA-256 and HMAC-SHA-384 1993 may be found in [RFC4231]. The HMAC function based on the negotiated 1994 Hash Type is also used in the ZRTP key derivation function 1995 (Section 4.5.1). 1997 The choice of the negotiated Hash Type is coupled to the Key 1998 Agreement type, as explained in Section 5.1.5. 2000 Hash Type Block | Meaning 2001 ------------------------------------------------------ 2002 "S256" | SHA-256 Hash defined in FIPS 180-3 2003 ------------------------------------------------------ 2004 "S384" | SHA-384 Hash defined in FIPS 180-3 2005 ------------------------------------------------------ 2007 Table 2. Hash Type Block Values 2009 The negotiated Hash Type does not apply to the hash used in the 2010 digital signature defined in Section 7.2. For example, even if the 2011 negotiated Hash Type is SHA-256, the digital signature may use SHA- 2012 384 if an ECDSA P-384 signature key is used. Digital signatures are 2013 optional in ZRTP. 2015 Except for the aforementioned digital signatures, and the special 2016 cases noted in Section 5.1.2.1, all the other hashes and HMACs used 2017 throughout the ZRTP protocol will use the negotiated Hash Type. 2019 5.1.2.1. Implicit Hash and HMAC algorithm 2021 While most of the HMACs used in ZRTP are defined by the negotiated 2022 Hash Type (Section 5.1.2), some hashes and HMACs must be precomputed 2023 prior to negotiations, and thus cannot have their algorithms 2024 negotiated during the ZRTP exchange. They are implicitly 2025 predetermined to use SHA-256 [FIPS-180-3] and HMAC-SHA-256. 2027 These are the hashes and HMACs that MUST use the Implicit hash and 2028 HMAC algorithm: 2030 The hash chain H0-H3 defined in Section 9. 2031 The HMACs that are keyed by this hash chain, as defined in 2032 Section 8.1.1. 2033 The Hello Hash in the a=zrtp-hash attribute defined in 2034 Section 8.1. 2036 ZRTP defines a method for negotiating different ZRTP protocol 2037 versions (Section 4.1.1). SHA-256 is the Implicit Hash for ZRTP 2038 protocol version 1.10. Future ZRTP protocol versions may, if 2039 appropriate, use another hash algorithm as the Implicit Hash, such as 2040 the NIST SHA-3 hash [SHA-3] when it becomes available. For example, 2041 a future SIP packet may list two a=zrtp-hash SDP attributes, one 2042 based on SHA-256 for ZRTP version 1.10, and another based on SHA-3 2043 for ZRTP version 2.00. 2045 5.1.3. Cipher Type Block 2047 All ZRTP endpoints MUST support AES-128 (AES1) and MAY support AES- 2048 192 (AES2), AES-256 (AES3), or other Cipher Types. The Advanced 2049 Encryption Standard is defined in [FIPS-197]. 2051 The use of AES-128 in SRTP is defined by [RFC3711]. The use of AES- 2052 192 and AES-256 in SRTP is defined by [I-D.ietf-avt-srtp-big-aes]. 2053 The choice of the AES key length is coupled to the Key Agreement 2054 type, as explained in Section 5.1.5. 2056 ZRTP endpoints MAY support the TwoFish [TwoFish] block cipher or the 2057 Camellia [RFC3713] block cipher. If implemented, these ciphers may 2058 be used anywhere in ZRTP or SRTP in place of the AES, in the same 2059 modes of operation and key size. Notably, in counter mode to replace 2060 AES-CM in [RFC3711] and [I-D.ietf-avt-srtp-big-aes], as well as in 2061 CFB mode to encrypt a portion of the Confirm message (Figure 10). 2063 Cipher Type Block | Meaning 2064 ------------------------------------------------- 2065 "AES1" | AES with 128 bit keys 2066 ------------------------------------------------- 2067 "AES2" | AES with 192 bit keys 2068 ------------------------------------------------- 2069 "AES3" | AES with 256 bit keys 2070 ------------------------------------------------- 2071 "2FS1" | TwoFish with 128 bit keys 2072 ------------------------------------------------- 2073 "2FS2" | TwoFish with 192 bit keys 2074 ------------------------------------------------- 2075 "2FS3" | TwoFish with 256 bit keys 2076 ------------------------------------------------- 2077 "CAM1" | Camellia with 128 bit keys 2078 ------------------------------------------------- 2079 "CAM2" | Camellia with 192 bit keys 2080 ------------------------------------------------- 2081 "CAM3" | Camellia with 256 bit keys 2082 ------------------------------------------------- 2084 Table 3. Cipher Type Block Values 2086 5.1.4. Auth Tag Type Block 2088 All ZRTP endpoints MUST support HMAC-SHA1 authentication tags for 2089 SRTP, with both 32 bit and 80 bit length tags as defined in 2090 [RFC3711]. 2092 Auth Tag Type Block | Meaning 2093 --------------------------------------------------- 2094 "HS32" | HMAC-SHA1 32 bit authentication 2095 | tag as defined in RFC 3711 2096 --------------------------------------------------- 2097 "HS80" | HMAC-SHA1 80 bit authentication 2098 | tag as defined in RFC 3711 2099 --------------------------------------------------- 2101 Table 4. Auth Tag Type Values 2103 5.1.5. Key Agreement Type Block 2105 All ZRTP endpoints MUST support DH3k, SHOULD support Preshared, and 2106 MAY support EC25, EC38, and DH2k. 2108 If a ZRTP endpoint supports multiple concurrent media streams, such 2109 as audio and video, it MUST support Multistream (Section 4.4.3) mode. 2110 Also, if a ZRTP endpoint supports the GoClear message 2111 (Section 4.7.2), it SHOULD support Multistream, to be used if the two 2112 parties choose to return to the secure state after going Clear (as 2113 explained in Section 4.7.2.1). 2115 For Finite Field Diffie-Hellman, ZRTP endpoints MUST use the DH 2116 parameters defined in RFC 3526 [RFC3526], as follows. DH3k uses the 2117 3072-bit MODP group. DH2k uses the 2048-bit MODP group. The DH 2118 generator g is 2. The random Diffie-Hellman secret exponent SHOULD 2119 be twice as long as the AES key length. If AES-128 is used, the DH 2120 secret value SHOULD be 256 bits long. If AES-256 is used, the secret 2121 value SHOULD be 512 bits long. 2123 If Elliptic Curve DH is used, the ECDH algorithm and key generation 2124 is from NIST SP 800-56A [SP800-56A]. The curves used are from NSA 2125 Suite B [NSA-Suite-B], which uses the same curves as ECDSA defined by 2126 FIPS 186-3 [FIPS-186-3], and can also be found in RFC 4753 [RFC4753], 2127 sections 3.1 through 3.3. The validation procedures are from NIST SP 2128 800-56A [SP800-56A] section 5.6.2.6, method 3, ECC Partial 2129 Validation. Both the X and Y coordinates of the point on the curve 2130 are sent, in the first and second half of the ECDH public value, 2131 respectively. 2133 The choice of the negotiated hash algorithm (Section 5.1.2) is 2134 coupled to the choice of key agreement type. If ECDH-384 (EC38) is 2135 chosen as the key agreement, the negotiated hash algorithm MUST be 2136 SHA-384. 2138 The choice of AES key length is coupled to the choice of key 2139 agreement type. If EC38 is chosen as the key agreement, AES-256 2140 (AES3) SHOULD be used but AES-192 MAY be used. If DH3K or EC25 is 2141 chosen, any AES key size MAY be used. Note that SRTP as defined in 2142 RFC 3711 [RFC3711] only supports AES-128. 2144 DH2k is intended for low power applications, or for applications that 2145 require fast key negotiations, and SHOULD use AES-128. DH2k is not 2146 recommended for high security applications. Its security can be 2147 augmented by implementing ZRTP's key continuity features 2148 (Section 15.1). 2150 EC52 (ECDH-521) SHOULD NOT be used, due to disruptive computational 2151 delays. These delays may lead to exhaustion of the retransmission 2152 schedule, unless both endpoints have very fast hardware. Note that 2153 ECDH-521 is not part of NSA Suite B. 2155 ZRTP also defines two non-DH modes, Multistream and Preshared, in 2156 which the SRTP key is derived from a shared secret and some nonce 2157 material. 2159 Table 5 lists the pv length in words and DHPart1 and DHPart2 message 2160 length in words for each Key Agreement Type Block. 2162 Key Agreement | pv | message | Meaning 2163 Type Block | words | words | 2164 ----------------------------------------------------------- 2165 "DH3k" | 96 | 117 | DH mode with p=3072 bit prime 2166 | | | per RFC 3526, section 4. 2167 ----------------------------------------------------------- 2168 "DH2k" | 64 | 85 | DH mode with p=2048 bit prime 2169 | | | per RFC 3526, section 3. 2170 ----------------------------------------------------------- 2171 "EC25" | 16 | 37 | Elliptic Curve DH, P-256 2172 | | | per RFC 4753, section 3.1 2173 ----------------------------------------------------------- 2174 "EC38" | 24 | 45 | Elliptic Curve DH, P-384 2175 | | | per RFC 4753, section 3.2 2176 ----------------------------------------------------------- 2177 "EC52" | 33 | 54 | Elliptic Curve DH, P-521 2178 | | | per RFC 4753, section 3.3 2179 ----------------------------------------------------------- 2180 "Prsh" | - | - | Preshared Non-DH mode 2181 | | | 2182 ----------------------------------------------------------- 2183 "Mult" | - | - | Multistream Non-DH mode 2184 | | | 2185 ----------------------------------------------------------- 2187 Table 5. Key Agreement Type Block Values 2189 5.1.6. SAS Type Block 2191 The SAS Type determines how the SAS is rendered to the user so that 2192 the user may verbally compare it with his partner over the voice 2193 channel. This allows detection of a man-in-the-middle (MiTM) attack. 2195 All ZRTP endpoints MUST support the base32 and MAY support the 2196 base256 rendering schemes for the Short Authentication String, and 2197 other SAS rendering schemes. See Section 4.5.2 for how the sasvalue 2198 is computed and Section 7 for how the SAS is used. 2200 SAS Type Block | Meaning 2201 --------------------------------------------------- 2202 "B32 " | Short Authentication String using 2203 | base32 encoding 2204 --------------------------------------------------- 2205 "B256" | Short Authentication String using 2206 | base256 encoding (PGP Word List) 2207 --------------------------------------------------- 2209 Table 6. SAS Type Block Values 2210 For the SAS Type of "B256", the leftmost 16 bits of the 32-bit 2211 sasvalue are rendered using the PGP Word List [pgpwordlist] 2212 [Juola1][Juola2]. 2214 For the SAS Type of "B32 ", the leftmost 20 bits of the 32-bit 2215 sasvalue are rendered as a form of base32 encoding, designed to 2216 represent bit sequences in a form that is convenient for human users 2217 to manipulate. The choice of characters and unusually permuted 2218 ordering are explained in the source document for the encoding scheme 2219 [z-base-32], which differs from RFC 4648. The leftmost 20 bits of 2220 the sasvalue results in four base32 characters which are rendered to 2221 both ZRTP endpoints. Here is a normative pseudocode implementation 2222 of the base32 function: 2224 char[4] base32(uint32 bits) 2225 { int i, n, shift; 2226 char result[4]; 2227 for (i=0,shift=27; i!=4; ++i,shift-=5) 2228 { n = (bits>>shift) & 31; 2229 result[i] = "ybndrfg8ejkmcpqxot1uwisza345h769"[n]; 2230 } 2231 return result; 2232 } 2234 5.1.7. Signature Type Block 2236 The Signature Type Block specifies what signature algorithm is used 2237 to sign the SAS as discussed in Section 7.2. The 4-octet Signature 2238 Type Block, along with the accompanying signature block, are OPTIONAL 2239 and may be present in the Confirm message (Figure 10) or the SASrelay 2240 message (Figure 16). The signature types are given in the table 2241 below. 2243 Additional details on the signature and signing key format may be 2244 found in Section 7.2. OpenPGP signatures (Signature Type "PGP ") are 2245 discussed in Section 7.2.1. X.509v3 Suite B Signatures (Signature 2246 Type "X509") are discussed in Section 7.2.2. 2248 Other signature types may be defined in a future document. 2250 Signature | Meaning 2251 Type Block | 2252 ------------------------------------------------ 2253 "PGP " | OpenPGP Signature, per RFC 4880 2254 | or I-D.jivsov-openpgp-ecc 2255 ------------------------------------------------ 2256 "X509" | Suite B ECDSA, with X.509v3 cert 2257 | per FIPS 186-3 2258 ------------------------------------------------ 2260 Table 7. Signature Type Block Values 2262 5.2. Hello message 2264 The Hello message has the format shown in Figure 3. 2266 All ZRTP messages begin with the preamble value 0x505a, then a 16 bit 2267 length in 32 bit words. This length includes only the ZRTP message 2268 (including the preamble and the length) but not the ZRTP packet 2269 header or CRC. The 8-octet Message Type follows the length field. 2271 Next is a 4 character string containing the version (ver) of the ZRTP 2272 protocol which is "1.10" for this specification. Next is the Client 2273 Identifier string (cid) which is 4 words long and identifies the 2274 vendor and release of the ZRTP software. The 256-bit hash image H3 2275 is defined in Section 9. The next parameter is the ZID, the 96 bit 2276 long unique identifier for the ZRTP endpoint, defined in Section 4.9. 2278 The next four bits are flag bits. The Signature-capable flag (S) 2279 indicates this Hello message is sent from a ZRTP endpoint which is 2280 able to parse and verify digital signatures, as described in 2281 Section 7.2. If signatures are not supported, the (S) flag MUST be 2282 set to zero. The MiTM flag (M) is a Boolean that is set to true if 2283 and only if this Hello message is sent from a device, usually a PBX, 2284 that has the capability to send an SASrelay message (Section 5.13). 2285 The Passive flag (P) is a Boolean normally set to False. A ZRTP 2286 endpoint which is configured to never initiate secure sessions is 2287 regarded as passive, and would set the P bit to True. The next 8 2288 bits are unused and SHOULD be set to zero when sent and MUST be 2289 ignored on receipt. 2291 Next is a list of supported Hash algorithms, Cipher algorithms, SRTP 2292 Auth Tag types, Key Agreement types, and SAS types. The number of 2293 listed algorithms are listed for each type: hc=hash count, cc=cipher 2294 count, ac=auth tag count, kc=key agreement count, and sc=sas count. 2295 The values for these algorithms are defined in Tables 2, 3, 4, 5, and 2296 6. A count of zero means that only the mandatory to implement 2297 algorithms are supported. Mandatory algorithms MAY be included in 2298 the list. The order of the list indicates the preferences of the 2299 endpoint. If a mandatory algorithm is not included in the list, it 2300 is added to the end of the list for preference. 2302 The 64-bit HMAC at the end of the message is computed across the 2303 whole message, not including the HMAC. The HMAC key is the sender's 2304 H2 (defined in Section 9), and thus the HMAC cannot be checked by the 2305 receiving party until the sender's H2 value is known to the receiving 2306 party later in the protocol. 2308 0 1 2 3 2309 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2310 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2311 |0 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0| length | 2312 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2313 | Message Type Block="Hello " (2 words) | 2314 | | 2315 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2316 | version="1.10" (1 word) | 2317 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2318 | | 2319 | Client Identifier (4 words) | 2320 | | 2321 | | 2322 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2323 | | 2324 | Hash image H3 (8 words) | 2325 | . . . | 2326 | | 2327 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2328 | | 2329 | ZID (3 words) | 2330 | | 2331 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2332 |0|S|M|P| unused (zeros)| hc | cc | ac | kc | sc | 2333 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2334 | hash algorithms (0 to 7 values) | 2335 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2336 | cipher algorthms (0 to 7 values) | 2337 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2338 | auth tag types (0 to 7 values) | 2339 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2340 | key agreement types (0 to 7 values) | 2341 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2342 | SAS types (0 to 7 values) | 2343 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2344 | HMAC (2 words) | 2345 | | 2346 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2348 Figure 3: Hello message format 2350 5.3. HelloACK message 2352 The HelloACK message is used to stop retransmissions of a Hello 2353 message. A HelloACK is sent regardless if the version number in the 2354 Hello is supported or the algorithm list supported. The receipt of a 2355 HelloACK stops retransmission of the Hello message. The format is 2356 shown in the Figure below. A Commit message may be sent in place of 2357 a HelloACK by an Initiator, if a Commit message is ready to be sent 2358 promptly. 2360 0 1 2 3 2361 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2362 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2363 |0 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0| length=3 words | 2364 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2365 | Message Type Block="HelloACK" (2 words) | 2366 | | 2367 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2369 Figure 4: HelloACK message format 2371 5.4. Commit message 2373 The Commit message is sent to initiate the key agreement process 2374 after both sides have received a Hello message, which means it can 2375 only be sent after receiving both a Hello message and a HelloACK 2376 message. There are three subtypes of Commit messages, whose formats 2377 are shown in Figure 5, Figure 6, and Figure 7. 2379 The Commit message contains the Message Type Block, then the 256-bit 2380 hash image H2 which is defined in Section 9. The next parameter is 2381 the initiator's ZID, the 96 bit long unique identifier for the ZRTP 2382 endpoint, which must have the same value as was used in the Hello 2383 message. 2385 Next is a list of algorithms selected by the initiator (hash, cipher, 2386 auth tag type, key agreement, sas type). For a DH Commit, the hash 2387 value hvi is a hash of the DHPart2 of the Initiator and the 2388 Responder's Hello message, as explained in Section 4.4.1.1. 2390 The 64-bit HMAC at the end of the message is computed across the 2391 whole message, not including the HMAC. The HMAC key is the sender's 2392 H1 (defined in Section 9), and thus the HMAC cannot be checked by the 2393 receiving party until the sender's H1 value is known to the receiving 2394 party later in the protocol. 2396 0 1 2 3 2397 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2398 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2399 |0 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0| length=29 words | 2400 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2401 | Message Type Block="Commit " (2 words) | 2402 | | 2403 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2404 | | 2405 | Hash image H2 (8 words) | 2406 | . . . | 2407 | | 2408 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2409 | | 2410 | ZID (3 words) | 2411 | | 2412 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2413 | hash algorithm | 2414 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2415 | cipher algorithm | 2416 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2417 | auth tag type | 2418 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2419 | key agreement type | 2420 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2421 | SAS type | 2422 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2423 | | 2424 | hvi (8 words) | 2425 | . . . | 2426 | | 2427 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2428 | HMAC (2 words) | 2429 | | 2430 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2432 Figure 5: DH Commit message format 2434 0 1 2 3 2435 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2436 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2437 |0 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0| length=25 words | 2438 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2439 | Message Type Block="Commit " (2 words) | 2440 | | 2441 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2442 | | 2443 | Hash image H2 (8 words) | 2444 | . . . | 2445 | | 2446 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2447 | | 2448 | ZID (3 words) | 2449 | | 2450 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2451 | hash algorithm | 2452 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2453 | cipher algorithm | 2454 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2455 | auth tag type | 2456 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2457 | key agreement type = "Mult" | 2458 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2459 | SAS type | 2460 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2461 | | 2462 | nonce (4 words) | 2463 | . . . | 2464 | | 2465 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2466 | HMAC (2 words) | 2467 | | 2468 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2470 Figure 6: Multistream Commit message format 2472 0 1 2 3 2473 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2474 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2475 |0 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0| length=27 words | 2476 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2477 | Message Type Block="Commit " (2 words) | 2478 | | 2479 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2480 | | 2481 | Hash image H2 (8 words) | 2482 | . . . | 2483 | | 2484 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2485 | | 2486 | ZID (3 words) | 2487 | | 2488 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2489 | hash algorithm | 2490 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2491 | cipher algorithm | 2492 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2493 | auth tag type | 2494 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2495 | key agreement type = "Prsh" | 2496 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2497 | SAS type | 2498 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2499 | | 2500 | nonce (4 words) | 2501 | . . . | 2502 | | 2503 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2504 | keyID (2 words) | 2505 | | 2506 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2507 | HMAC (2 words) | 2508 | | 2509 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2511 Figure 7: Preshared Commit message format 2513 5.5. DHPart1 message 2515 The DHPart1 message begins the DH exchange. The format is shown in 2516 Figure 8 below. The DHPart1 message is sent by the Responder if a 2517 valid Commit message is received from the Initiator. The length of 2518 the pvr value and the length of the DHPart1 message depends on the 2519 Key Agreement Type chosen. This information is contained in Table 5. 2521 Note that for both Multistream and Preshared modes, no DHPart1 or 2522 DHPart2 message will be sent. 2524 The 256-bit hash image H1 is defined in Section 9. 2526 The next four parameters are HMACs of potential shared secrets used 2527 in generating the ZRTP secret. The first two, rs1IDr and rs2IDr, are 2528 the HMACs of the responder's two retained shared secrets, truncated 2529 to 64 bits. Next is auxsecretIDr, the HMAC of the responder's 2530 auxsecret (defined in Section 4.3), truncated to 64 bits. The last 2531 parameter is the HMAC of the trusted MiTM PBX shared secret 2532 pbxsecret, defined in Section 7.3.1. The Message format for the 2533 DHPart1 message is shown in Figure 8. 2535 The 64-bit HMAC at the end of the message is computed across the 2536 whole message, not including the HMAC. The HMAC key is the sender's 2537 H0 (defined in Section 9), and thus the HMAC cannot be checked by the 2538 receiving party until the sender's H0 value is known to the receiving 2539 party later in the protocol. 2541 0 1 2 3 2542 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2543 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2544 |0 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0| length=depends on KA Type | 2545 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2546 | Message Type Block="DHPart1 " (2 words) | 2547 | | 2548 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2549 | | 2550 | Hash image H1 (8 words) | 2551 | . . . | 2552 | | 2553 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2554 | rs1IDr (2 words) | 2555 | | 2556 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2557 | rs2IDr (2 words) | 2558 | | 2559 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2560 | auxsecretIDr (2 words) | 2561 | | 2562 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2563 | pbxsecretIDr (2 words) | 2564 | | 2565 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2566 | | 2567 | pvr (length depends on KA Type) | 2568 | . . . | 2569 | | 2570 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2571 | HMAC (2 words) | 2572 | | 2573 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2575 Figure 8: DHPart1 message format 2577 5.6. DHPart2 message 2579 The DHPart2 message completes the DH exchange. A DHPart2 message is 2580 sent by the Initiator if a valid DHPart1 message is received from the 2581 Responder. The length of the pvr value and the length of the DHPart2 2582 message depends on the Key Agreement Type chosen. This information 2583 is contained in Table 5. Note that for both Multistream and 2584 Preshared modes, no DHPart1 or DHPart2 message will be sent. 2586 The 256-bit hash image H1 is defined in Section 9. 2588 The next four parameters are HMACs of potential shared secrets used 2589 in generating the ZRTP secret. The first two, rs1IDi and rs2IDi, are 2590 the HMACs of the initiator's two retained shared secrets, truncated 2591 to 64 bits. Next is auxsecretIDi, the HMAC of the initiator's 2592 auxsecret (defined in Section 4.3), truncated to 64 bits. The last 2593 parameter is the HMAC of the trusted MiTM PBX shared secret 2594 pbxsecret, defined in Section 7.3.1. The message format for the 2595 DHPart2 message is shown in Figure 9. 2597 The 64-bit HMAC at the end of the message is computed across the 2598 whole message, not including the HMAC. The HMAC key is the sender's 2599 H0 (defined in Section 9), and thus the HMAC cannot be checked by the 2600 receiving party until the sender's H0 value is known to the receiving 2601 party later in the protocol. 2603 0 1 2 3 2604 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2605 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2606 |0 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0| length=depends on KA Type | 2607 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2608 | Message Type Block="DHPart2 " (2 words) | 2609 | | 2610 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2611 | | 2612 | Hash image H1 (8 words) | 2613 | . . . | 2614 | | 2615 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2616 | rs1IDi (2 words) | 2617 | | 2618 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2619 | rs2IDi (2 words) | 2620 | | 2621 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2622 | auxsecretIDi (2 words) | 2623 | | 2624 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2625 | pbxsecretIDi (2 words) | 2626 | | 2627 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2628 | | 2629 | pvi (length depends on KA Type) | 2630 | . . . | 2631 | | 2632 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2633 | HMAC (2 words) | 2634 | | 2635 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2636 Figure 9: DHPart2 message format 2638 5.7. Confirm1 and Confirm2 messages 2640 The Confirm1 message is sent by the Responder in response to a valid 2641 DHPart2 message after the SRTP session key and parameters have been 2642 negotiated. The Confirm2 message is sent by the Initiator in 2643 response to a Confirm1 message. The format is shown in Figure 10 2644 below. The message contains the Message Type Block "Confirm1" or 2645 "Confirm2". Next is the HMAC, a keyed hash over encrypted part of 2646 the message (shown enclosed by "====" in Figure 10). This HMAC is 2647 keyed and computed according to Section 4.6. The next 16 octets 2648 contain the CFB Initialization Vector. The rest of the message is 2649 encrypted using CFB and protected by the HMAC. 2651 The first field inside the encrypted region is the hash preimage H0, 2652 which is defined in detail in Section 9. 2654 The next 15 bits are not used and SHOULD be set to zero when sent and 2655 MUST be ignored when received in Confirm1 or Confirm2 messages. 2657 The next 9 bits contain the signature length. If no SAS signature 2658 (described in Section 7.2) is present, all bits are set to zero. The 2659 signature length is in words and includes the signature type block. 2660 If the calculated signature octet count is not a multiple of 4, zeros 2661 are added to pad it out to a word boundary. If no signature is 2662 present, the overall length of the Confirm1 or Confirm2 Message will 2663 be set to 19 words. 2665 The next 8 bits are used for flags. Undefined flags are set to zero 2666 and ignored. Four flags are currently defined. The PBX Enrollment 2667 flag (E) is a Boolean bit defined in Section 7.3.1. The SAS Verified 2668 flag (V) is a Boolean bit defined in Section 7.1. The Allow Clear 2669 flag (A) is a Boolean bit defined in Section 4.7.2. The Disclosure 2670 Flag (D) is a Boolean bit defined in Section 11. The cache 2671 expiration interval is defined in Section 4.9. 2673 If the signature length (in words) is non-zero, a signature type 2674 block will be present along with a signature block. Next is the 2675 signature block. The signature block includes the signature and the 2676 key (or a link to the key) used to generate the signature 2677 (Section 7.2). 2679 CFB [SP800-38A] mode is applied with a feedback length of 128-bits, a 2680 full cipher block, and the final block is truncated to match the 2681 exact length of the encrypted data. The CFB Initialization Vector is 2682 a 128 bit random nonce. The block cipher algorithm and the key size 2683 is the same as what was negotiated for the media encryption. CFB is 2684 used to encrypt the part of the Confirm1 message beginning after the 2685 CFB IV to the end of the message (the encrypted region is enclosed by 2686 "====" in Figure 10). 2688 The responder uses the zrtpkeyr to encrypt the Confirm1 message. The 2689 initiator uses the zrtpkeyi to encrypt the Confirm2 message. 2691 0 1 2 3 2692 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2693 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2694 |0 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0| length=variable | 2695 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2696 | Message Type Block="Confirm1" or "Confirm2" (2 words) | 2697 | | 2698 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2699 | HMAC (2 words) | 2700 | | 2701 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2702 | | 2703 | CFB Initialization Vector (4 words) | 2704 | | 2705 | | 2706 +===============================================================+ 2707 | | 2708 | Hash preimage H0 (8 words) | 2709 | . . . | 2710 | | 2711 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2712 | Unused (15 bits of zeros) | sig len (9 bits)|0 0 0 0|E|V|A|D| 2713 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2714 | cache expiration interval (1 word) | 2715 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2716 | optional signature type block (1 word if present) | 2717 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2718 | | 2719 | optional signature block (variable length) | 2720 | . . . | 2721 | | 2722 | | 2723 +===============================================================+ 2725 Figure 10: Confirm1 and Confirm2 message format 2727 5.8. Conf2ACK message 2729 The Conf2ACK message is sent by the Responder in response to a valid 2730 Confirm2 message. The message format for the Conf2ACK is shown in 2731 the Figure below. The receipt of a Conf2ACK stops retransmission of 2732 the Confirm2 message. Note that the first SRTP media (with a valid 2733 SRTP auth tag) from the responder also stops retransmission of the 2734 Confirm2 message. 2736 0 1 2 3 2737 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2738 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2739 |0 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0| length=3 words | 2740 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2741 | Message Type Block="Conf2ACK" (2 words) | 2742 | | 2743 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2745 Figure 11: Conf2ACK message format 2747 5.9. Error message 2749 The Error message is sent to terminate an in-process ZRTP key 2750 agreement exchange due to an error. The format is shown in the 2751 Figure below. The use of the Error message is described in 2752 Section 4.7.1. 2754 0 1 2 3 2755 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2756 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2757 |0 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0| length=4 words | 2758 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2759 | Message Type Block="Error " (2 words) | 2760 | | 2761 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2762 | Integer Error Code (1 word) | 2763 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2765 Figure 12: Error message format 2767 Defined hexadecimal values for the Error Code are listed in the table 2768 below. 2770 Error Code | Meaning 2771 ----------------------------------------------------------- 2772 0x10 | Malformed packet (CRC OK, but wrong structure) 2773 ----------------------------------------------------------- 2774 0x20 | Critical software error 2775 ----------------------------------------------------------- 2776 0x30 | Unsupported ZRTP version 2777 ----------------------------------------------------------- 2778 0x40 | Hello components mismatch 2779 ----------------------------------------------------------- 2780 0x51 | Hash type not supported 2781 ----------------------------------------------------------- 2782 0x52 | Cipher type not supported 2783 ----------------------------------------------------------- 2784 0x53 | Public key exchange not supported 2785 ----------------------------------------------------------- 2786 0x54 | SRTP auth. tag not supported 2787 ----------------------------------------------------------- 2788 0x55 | SAS rendering scheme not supported 2789 ----------------------------------------------------------- 2790 0x56 | No shared secret available, DH mode required 2791 ----------------------------------------------------------- 2792 0x61 | DH Error: bad pvi or pvr ( == 1, 0, or p-1) 2793 ----------------------------------------------------------- 2794 0x62 | DH Error: hvi != hashed data 2795 ----------------------------------------------------------- 2796 0x63 | Received relayed SAS from untrusted MiTM 2797 ----------------------------------------------------------- 2798 0x70 | Auth. Error: Bad Confirm pkt HMAC 2799 ----------------------------------------------------------- 2800 0x80 | Nonce reuse 2801 ----------------------------------------------------------- 2802 0x90 | Equal ZIDs in Hello 2803 ----------------------------------------------------------- 2804 0xA0 | Service unavailable 2805 ----------------------------------------------------------- 2806 0xB0 | Protocol timeout error 2807 ----------------------------------------------------------- 2808 0x100 | GoClear message received, but not allowed 2809 ----------------------------------------------------------- 2811 Table 8. ZRTP Error Codes 2813 5.10. ErrorACK message 2815 The ErrorACK message is sent in response to an Error message. The 2816 receipt of an ErrorACK stops retransmission of the Error message. 2817 The format is shown in the Figure below. 2819 0 1 2 3 2820 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2821 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2822 |0 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0| length=3 words | 2823 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2824 | Message Type Block="ErrorACK" (2 words) | 2825 | | 2826 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2828 Figure 13: ErrorACK message format 2830 5.11. GoClear message 2832 Support for the GoClear message is OPTIONAL in the protocol, and it 2833 is sent to switch from SRTP to RTP. The format is shown in the 2834 Figure below. The clear_hmac is used to authenticate the GoClear 2835 message so that bogus GoClear messages introduced by an attacker can 2836 be detected and discarded. The use of GoClear is described in 2837 Section 4.7.2. 2839 0 1 2 3 2840 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2841 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2842 |0 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0| length=5 words | 2843 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2844 | Message Type Block="GoClear " (2 words) | 2845 | | 2846 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2847 | clear_hmac (2 words) | 2848 | | 2849 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2851 Figure 14: GoClear message format 2853 5.12. ClearACK message 2855 Support for the ClearACK message is OPTIONAL in the protocol, and it 2856 is sent to acknowledge receipt of a GoClear. A ClearACK is only sent 2857 if the clear_hmac from the GoClear message is authenticated. 2858 Otherwise, no response is returned. The format is shown in the 2859 Figure below. 2861 0 1 2 3 2862 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2863 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2864 |0 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0| length=3 words | 2865 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2866 | Message Type Block="ClearACK" (2 words) | 2867 | | 2868 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2870 Figure 15: ClearACK message format 2872 5.13. SASrelay message 2874 The SASrelay message is sent by a trusted Man in The Middle (MiTM), 2875 most often a PBX. It is not sent as a response to a packet, but is 2876 sent as a self-initiated packet by the trusted MiTM. It can only be 2877 sent after the rest of the ZRTP key negotiations have completed, 2878 after the Confirm messages and their ACKs. It can only be sent after 2879 the trusted MiTM has finished key negotiations with the other party, 2880 because it is the other party's SAS that is being relayed. It is 2881 sent with retry logic until a RelayACK message (Section 5.14) is 2882 received or the retry schedule has been exhausted. 2884 If a device, usually a PBX, sends an SASrelay message, it MUST have 2885 previously declared itself as a MiTM device by setting the MiTM (M) 2886 flag in the Hello message (Section 5.2). If the receiver of the 2887 SASrelay message did not previously receive a Hello message with the 2888 MiTM (M) flag set, the Relayed SAS SHOULD NOT be rendered. A 2889 RelayACK is still sent, but no Error message is sent. 2891 The SASrelay message format is shown in Figure 16 below. The message 2892 contains the Message Type Block "SASrelay". Next is the HMAC, a 2893 keyed hash over encrypted part of the message (shown enclosed by 2894 "====" in Figure 16). This HMAC is keyed the same way as the HMAC in 2895 the Confirm messages (see Section 4.6). The next 16 octets contain 2896 the CFB Initialization Vector. The rest of the message is encrypted 2897 using CFB and protected by the HMAC. 2899 The next 15 bits are not used and SHOULD be set to zero when sent and 2900 MUST be ignored when received in SASrelay messages. 2902 The next 9 bits contain the signature length. The trusted MiTM MAY 2903 compute a digital signature on the SAS hash, as described in 2904 Section 7.2, using a persistent signing key owned by the trusted 2905 MiTM. If no SAS signature is present, all bits are set to zero. The 2906 signature length is in words and includes the signature type block. 2907 If the calculated signature octet count is not a multiple of 4, zeros 2908 are added to pad it out to a word boundary. If no signature block is 2909 present, the overall length of the SASrelay Message will be set to 19 2910 words. 2912 The next 8 bits are used for flags. Undefined flags are set to zero 2913 and ignored. Three flags are currently defined. The Disclosure Flag 2914 (D) is a Boolean bit defined in Section 11. The Allow Clear flag (A) 2915 is a Boolean bit defined in Section 4.7.2. The SAS Verified flag (V) 2916 is a Boolean bit defined in Section 7.1. These flags are updated 2917 values to the same flags provided earlier in the Confirm message, but 2918 they are updated to reflect the new flag information relayed by the 2919 PBX from the other party. 2921 The next 32 bit word contains the SAS rendering scheme for the 2922 relayed sashash, which will be the same rendering scheme used by the 2923 other party on the other side of the trusted MiTM. Section 7.3 2924 describes how the PBX determines whether the ZRTP client regards the 2925 PBX as a trusted MiTM. If the PBX determines that the ZRTP client 2926 trusts the PBX, the next 8 words contain the sashash relayed from the 2927 other party. The first 32-bit word of the sashash contains the 2928 sasvalue, which may be rendered to the user using the specified SAS 2929 rendering scheme. If this SASrelay message is being sent to a ZRTP 2930 client that does not trust this MiTM, the sashash will be ignored by 2931 the recipient and should be set to zeros by the PBX. 2933 If the signature length (in words) is non-zero, a signature type 2934 block will be present along with a signature block. Next is the 2935 signature block. The signature block includes the signature and the 2936 key (or a link to the key) used to generate the signature 2937 (Section 7.2). 2939 CFB [SP800-38A] mode is applied with a feedback length of 128-bits, a 2940 full cipher block, and the final block is truncated to match the 2941 exact length of the encrypted data. The CFB Initialization Vector is 2942 a 128 bit random nonce. The block cipher algorithm and the key size 2943 is the same as what was negotiated for the media encryption. CFB is 2944 used to encrypt the part of the SASrelay message beginning after the 2945 CFB IV to the end of the message (the encrypted region is enclosed by 2946 "====" in Figure 16). 2948 Depending on whether the trusted MiTM had taken the role of the 2949 initiator or the responder during the ZRTP key negotiation, the 2950 SASrelay message is encrypted with zrtpkeyi or zrtpkeyr. 2952 0 1 2 3 2953 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2954 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2955 |0 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0| length=variable | 2956 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2957 | Message Type Block="SASrelay" (2 words) | 2958 | | 2959 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2960 | HMAC (2 words) | 2961 | | 2962 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2963 | | 2964 | CFB Initialization Vector (4 words) | 2965 | | 2966 | | 2967 +===============================================================+ 2968 | Unused (15 bits of zeros) | sig len (9 bits)|0 0 0 0|0|V|A|D| 2969 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2970 | rendering scheme of relayed SAS (1 word) | 2971 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2972 | | 2973 | Trusted MiTM relayed sashash (8 words) | 2974 | . . . | 2975 | | 2976 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2977 | optional signature type block (1 word if present) | 2978 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2979 | | 2980 | optional signature block (variable length) | 2981 | . . . | 2982 | | 2983 | | 2984 +===============================================================+ 2986 Figure 16: SASrelay message format 2988 5.14. RelayACK message 2990 The RelayACK message is sent in response to a valid SASrelay message. 2991 The message format for the RelayACK is shown in the Figure below. 2992 The receipt of a RelayACK stops retransmission of the SASrelay 2993 message. 2995 0 1 2 3 2996 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2997 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2998 |0 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0| length=3 words | 2999 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3000 | Message Type Block="RelayACK" (2 words) | 3001 | | 3002 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3004 Figure 17: RelayACK message format 3006 5.15. Ping message 3008 The Ping and PingACK messages are unrelated to the rest of the ZRTP 3009 protocol. No ZRTP endpoint is required to generate a Ping message, 3010 but every ZRTP endpoint MUST respond to a Ping message with a PingACK 3011 message. 3013 Although Ping and PingACK messages have no effect on the rest of the 3014 ZRTP protocol, their inclusion in this specification simplifies the 3015 design of "bump-in-the-wire" ZRTP proxies (Section 10) (notably, 3016 Zfone [zfone]). It enables proxies to be designed that do not rely 3017 on assistance from the signaling layer to map out the associations 3018 between media streams and ZRTP endpoints. 3020 Before sending a ZRTP Hello message, a ZRTP proxy MAY send a Ping 3021 message as a means to sort out which RTP media streams are connected 3022 to particular ZRTP endpoints. Ping messages are generated only by 3023 ZRTP proxies. If neither party is a ZRTP proxy, no Ping messages 3024 will be encountered. Ping retransmission behavior is discussed in 3025 Section 6. 3027 The Ping message (Figure 18) contains an "EndpointHash", defined in 3028 Section 5.16. 3030 The Ping message contains a version number that defines what version 3031 of PingACK is requested. If that version number is supported by the 3032 Ping responder, a PingACK with a format that matches that version 3033 will be received. Otherwise, a PingACK with a lower version number 3034 may be received. 3036 0 1 2 3 3037 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 3038 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3039 |0 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0| length=6 words | 3040 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3041 | Message Type Block="Ping " (2 words) | 3042 | | 3043 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3044 | version="1.10" (1 word) | 3045 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3046 | EndpointHash (2 words) | 3047 | | 3048 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3050 Figure 18: Ping message format 3052 5.16. PingACK message 3054 A PingACK message is sent only in response to a Ping. A ZRTP 3055 endpoint MUST respond to a Ping with a PingACK message. The version 3056 of PingACK requested is contained in the Ping message. If that 3057 version number is supported, a PingACK with a format that matches 3058 that version MUST be sent. Otherwise, if the version number of the 3059 Ping is not supported, a PingACK SHOULD be sent in the format of the 3060 highest supported version known to the Ping responder. Only version 3061 "1.10" is supported in this specification. 3063 The PingACK message carries its own 64-bit EndpointHash, distinct 3064 from the EndpointHash of the other party's Ping message. It is 3065 REQUIRED that it be highly improbable for two participants in a call 3066 to have the same EndpointHash, and that an EndpointHash maintains a 3067 persistent value between calls. For a normal ZRTP endpoint such as a 3068 ZRTP-enabled VoIP client, the EndpointHash can be just the truncated 3069 ZID. For a ZRTP endpoint such as a PBX that has multiple endpoints 3070 behind it, the EndpointHash must be a distinct value for each 3071 endpoint behind it. It is recommended that the EndpointHash be a 3072 truncated hash of the ZID of the ZRTP endpoint concatenated with 3073 something unique about the actual endpoint or phone behind the PBX. 3074 This may be the SIP URI of the phone, the PBX extension number, or 3075 the local IP address of the phone, whichever is more readily 3076 available in the application environment: 3078 o EndpointHash = hash(ZID || SIP URI of the endpoint) 3079 o EndpointHash = hash(ZID || PBX extension number of the endpoint) 3080 o EndpointHash = hash(ZID || local IP address of the endpoint) 3082 Any of these formulae confers uniqueness for the simple case of 3083 terminating the ZRTP connection at the VoIP client, or the more 3084 complex case of a PBX terminating the ZRTP connection for multiple 3085 VoIP phones in a conference call, all sharing the PBX's ZID, but with 3086 separate IP addresses behind the PBX. There is no requirement for 3087 the same hash function to be used by both parties. 3089 The PingACK message contains the EndpointHash of the sender of the 3090 PingACK as well as the EndpointHash of the sender of the Ping. The 3091 Source Identifier (SSRC) received in the ZRTP header from the Ping 3092 packet (Figure 2) is copied into the PingACK message body 3093 (Figure 19). This SSRC is not the SSRC of the sender of the PingACK. 3095 0 1 2 3 3096 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 3097 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3098 |0 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0| length=9 words | 3099 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3100 | Message Type Block="PingACK " (2 words) | 3101 | | 3102 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3103 | version="1.10" (1 word) | 3104 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3105 | EndpointHash of PingACK Sender (2 words) | 3106 | | 3107 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3108 | EndpointHash of Received Ping (2 words) | 3109 | | 3110 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3111 | Source Identifier (SSRC) of Received Ping (1 word) | 3112 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3114 Figure 19: PingACK message format 3116 6. Retransmissions 3118 ZRTP uses two retransmission timers T1 and T2. T1 is used for 3119 retransmission of Hello messages, when the support of ZRTP by the 3120 other endpoint may not be known. T2 is used in retransmissions of 3121 all the other ZRTP messages. 3123 All message retransmissions MUST be identical to the initial message 3124 including nonces, public values, etc; otherwise, hashes of the 3125 message sequences may not agree. 3127 Practical experience has shown that RTP packet loss at the start of 3128 an RTP session can be extremely high. Since the entire ZRTP message 3129 exchange occurs during this period, the defined retransmission scheme 3130 is defined to be aggressive. Since ZRTP packets with the exception 3131 of the DHPart1 and DHPart2 messages are small, this should have 3132 minimal effect on overall bandwidth utilization of the media session. 3134 ZRTP endpoints MUST NOT exceed the bandwidth of the resulting media 3135 session as determined by the offer/answer exchange in the signaling 3136 layer. 3138 The Ping message (Section 5.15) may follow the same retransmission 3139 schedule as the Hello message, but this is not required in this 3140 specification. Ping message retransmission is subject to 3141 application-specific ZRTP proxy heuristics. 3143 Hello ZRTP messages are retransmitted at an interval that starts at 3144 T1 seconds and doubles after every retransmission, capping at 200ms. 3145 T1 has a recommended initial value of 50 ms. A Hello message is 3146 retransmitted 20 times before giving up, which means the entire retry 3147 schedule for Hello messages is exhausted after 3.75 seconds (50 + 100 3148 + 18*200 ms). Retransmission of a Hello ends upon receipt of a 3149 HelloACK or Commit message. 3151 The post-Hello ZRTP messages are retransmitted only by the session 3152 initiator - that is, only Commit, DHPart2, and Confirm2 are 3153 retransmitted if the corresponding message from the responder, 3154 DHPart1, Confirm1, and Conf2ACK, are not received. Note that the 3155 Confirm2 message retransmission can also be stopped by receiving the 3156 first SRTP media (with a valid SRTP auth tag) from the responder. 3158 The GoClear, Error, and SASrelay messages may be initiated and 3159 retransmitted by either party, and responded to by the other party, 3160 regardless of which party is the overall session initiator. They are 3161 retransmitted if the corresponding response message ClearACK, 3162 ErrorACK, and RelayACK, are not received. 3164 Non-Hello (and non-Ping) ZRTP messages are retransmitted at an 3165 interval that starts at T2 seconds and doubles after every 3166 retransmission, capping at 1200ms. T2 has a recommended initial 3167 value of 150 ms. Each non-Hello message is retransmitted 10 times 3168 before giving up, which means the entire retry schedule is exhausted 3169 after 9.45 seconds (150 + 300 + 600 + 7*1200 ms). Only the initiator 3170 performs retransmissions. Each message has a response message that 3171 stops retransmissions, as shown below in Table 9. The higher values 3172 of T2 means that retransmissions will likely occur only in the event 3173 of packet loss. 3175 The retry schedule must handle not only packet loss, but also slow or 3176 heavily loaded peers that need additional time to perform their DH 3177 calculations. The following mitigations are recommended: 3179 o Slow or heavily loaded ZRTP endpoints that are at risk of taking 3180 too long to perform their DH calculation SHOULD use a HelloACK 3181 message instead of a Commit message to reply to a Hello from the 3182 other party. 3183 o If a ZRTP endpoint has evidence that the other party is a ZRTP 3184 endpoint, by receiving a Hello message or a ZRTP flag in the RTP 3185 header extension (Section 12) for incoming media, it SHOULD extend 3186 its own Hello retry schedule to span at least 12 seconds of 3187 retries. If this extended Hello retry schedule is exhausted 3188 without receiving a HelloACK or Commit message, a late Commit 3189 message from the peer SHOULD still be accepted. 3191 These recommended retransmission intervals are designed for a typical 3192 broadband Internet connection. In some high latency communication 3193 channels, such as those provided by some mobile phone environments or 3194 geostationary satellites, a different retransmission schedule may be 3195 used. The initial value for the T1 or T2 retransmission timer should 3196 be increased to be no less than the round trip time provided by the 3197 communications channel. It should take into account the time 3198 required to transmit the entire message and the entire reply, as well 3199 as a reasonable time estimate to perform the DH calculation. 3201 After receiving a Commit message, but before receiving a Confirm2 3202 message, if a ZRTP responder receives no ZRTP messages for more than 3203 10 seconds, the responder MAY send a protocol timeout Error message 3204 and terminate the ZRTP protocol. 3206 Message Acknowledgement Message 3207 ------- ----------------------- 3208 Hello HelloACK or Commit 3209 Commit DHPart1 or Confirm1 3210 DHPart2 Confirm1 3211 Confirm2 Conf2ACK or SRTP media 3212 GoClear ClearACK 3213 Error ErrorACK 3214 SASrelay RelayACK 3215 Ping PingACK 3217 Table 9. Retransmitted ZRTP Messages and Responses 3219 7. Short Authentication String 3221 This section will discuss the implementation of the Short 3222 Authentication String, or SAS in ZRTP. The SAS can be verbally 3223 compared by the human users reading the string aloud, or by 3224 validating an OPTIONAL digital signature (described in Section 7.2) 3225 exchanged in the Confirm1 or Confirm2 messages. 3227 The use of hash commitment in the DH exchange (Section 4.4.1.1) 3228 constrains the attacker to only one guess to generate the correct SAS 3229 in his attack, which means the SAS can be quite short. A 16-bit SAS, 3230 for example, provides the attacker only one chance out of 65536 of 3231 not being detected. 3233 There is only one SAS value computed per call. That is the SAS value 3234 for the first media stream established, which is calculated in 3235 Section 4.5.2. This SAS applies to all media streams for the same 3236 session. 3238 The SAS SHOULD be rendered to the user for authentication. The 3239 rendering of the SAS value through the user interface at both 3240 endpoints depends on the SAS Type agreed upon in the Commit message. 3241 See Section 5.1.6 for a description of how the SAS is rendered to the 3242 user. 3244 The SAS is not treated as a secret value, but it must be compared to 3245 see if it matches at both ends of the communications channel. The 3246 two users verbally compare it using their human voices, human ears, 3247 and human judgement. If it doesn't match, it indicates the presence 3248 of a man-in-the-middle (MiTM) attack. 3250 7.1. SAS Verified Flag 3252 The SAS Verified flag (V) is set based on the user indicating that 3253 SAS comparison has been successfully performed. The SAS Verified 3254 flag is exchanged securely in the Confirm1 and Confirm2 messages 3255 (Figure 10) of the next session. In other words, each party sends 3256 the SAS Verified flag from the previous session in the Confirm 3257 message of the current session. It is perfectly reasonable to have a 3258 ZRTP endpoint that never sets the SAS Verified flag, because it would 3259 require adding complexity to the user interface to allow the user to 3260 set it. The SAS Verified flag is not required to be set, but if it 3261 is available to the client software, it allows for the possibility 3262 that the client software could render to the user that the SAS verify 3263 procedure was carried out in a previous session. 3265 Regardless of whether there is a user interface element to allow the 3266 user to set the SAS Verified flag, it is worth caching a shared 3267 secret, because doing so reduces opportunities for an attacker in the 3268 next call. 3270 If at any time the users carry out the SAS comparison procedure, and 3271 it actually fails to match, then this means there is a very 3272 resourceful man-in-the-middle. If this is the first call, the MiTM 3273 was there on the first call, which is impressive enough. If it 3274 happens in a later call, it also means the MiTM must also know the 3275 cached shared secret, because you could not have carried out any 3276 voice traffic at all unless the session key was correctly computed 3277 and is also known to the attacker. This implies the MiTM must have 3278 been present in all the previous sessions, since the initial 3279 establishment of the first shared secret. This is indeed a 3280 resourceful attacker. It also means that if at any time he ceases 3281 his participation as a MiTM on one of your calls, the protocol will 3282 detect that the cached shared secret is no longer valid -- because it 3283 was really two different shared secrets all along, one of them 3284 between Alice and the attacker, and the other between the attacker 3285 and Bob. The continuity of the cached shared secrets make it possible 3286 for us to detect the MiTM when he inserts himself into the ongoing 3287 relationship, as well as when he leaves. Also, if the attacker tries 3288 to stay with a long lineage of calls, but fails to execute a DH MiTM 3289 attack for even one missed call, he is permanently excluded. He can 3290 no longer resynchronize with the chain of cached shared secrets. 3292 A user interface element (i.e. a checkbox or button) is needed to 3293 allow the user to tell the software the SAS verify was successful, 3294 causing the software to set the SAS Verified flag (V), which 3295 (together with our cached shared secret) obviates the need to perform 3296 the SAS procedure in the next call. An additional user interface 3297 element can be provided to let the user tell the software he detected 3298 an actual SAS mismatch, which indicates a MiTM attack. The software 3299 can then take appropriate action, clearing the SAS Verified flag, and 3300 erase the cached shared secret from this session. It is up to the 3301 implementer to decide if this added user interface complexity is 3302 warranted. 3304 If the SAS matches, it means there is no MiTM, which also implies it 3305 is now safe to trust a cached shared secret for later calls. If 3306 inattentive users don't bother to check the SAS, it means we don't 3307 know whether there is or is not a MiTM, so even if we do establish a 3308 new cached shared secret, there is a risk that our potential attacker 3309 may have a subsequent opportunity to continue inserting himself in 3310 the call, until we finally get around to checking the SAS. If the 3311 SAS matches, it means no attacker was present for any previous 3312 session since we started propagating cached shared secrets, because 3313 this session and all the previous sessions were also authenticated 3314 with a continuous lineage of shared secrets. 3316 7.2. Signing the SAS 3318 In most applications it is desirable to avoid the added complexity of 3319 a PKI-backed digital signature, which is why ZRTP is designed not to 3320 require it. Nonetheless, in some applications, it may be hard to 3321 arrange for two human users to verbally compare the SAS. Or an 3322 application may already be using an existing PKI and wants to use it 3323 to augment ZRTP. 3325 To handle these cases, ZRTP allows for an OPTIONAL signature feature, 3326 which allows the SAS to be checked without human participation. The 3327 SAS MAY be signed and the signature sent inside the Confirm1, 3328 Confirm2 (Figure 10), or SASrelay (Figure 16) messages. The 3329 signature type (Section 5.1.7), length of the signature and the key 3330 used to create the signature (or a link to it) are all sent along 3331 with the signature. The signature is calculated across the entire 3332 SAS hash result (sashash), from which the sasvalue was derived. The 3333 signatures exchanged in the encrypted Confirm1, Confirm2, or SASrelay 3334 messages MAY be used to authenticate the ZRTP exchange. 3336 Although the signature is sent, the material that is signed, the 3337 sashash, is not sent with it in the Confirm message, since both 3338 parties have already independently calculated the sashash. That is 3339 not the case for the SASrelay message, which must relay the sashash. 3341 To avoid unnecessary signature calculations, a signature SHOULD NOT 3342 be sent if the other ZRTP endpoint did not set the (S) flag in the 3343 Hello message (Section 5.2). 3345 Note that the choice of hash algorithm used in the digital signature 3346 is independent of the hash used in the sashash. The sashash is 3347 determined by the negotiated Hash Type (Section 5.1.2), while the 3348 hash used by the digital signature is separately defined by the 3349 digital signature algorithm. For example, the sashash may be based 3350 on SHA-256, while the digital signature might use SHA-384, if an 3351 ECDSA P-384 key is used. 3353 If the ZRTP key exchange is ECDH, and the SAS is signed, then the 3354 signature SHOULD be ECDSA, using the same size curve as the ECDH 3355 exchange. NSA Suite B ECDSA algorithms may be used with either 3356 OpenPGP-formatted keys, or X.509v3 certificates. 3358 7.2.1. OpenPGP Signatures 3360 If the SAS Signature Type (Section 5.1.7) specifies an OpenPGP 3361 signature ("PGP "), the signature-related fields are arranged as 3362 follows. 3364 The first field after the 4-octet Signature Type Block is the OpenPGP 3365 signature. The format of this signature and the algorithms that 3366 create it are specified by [RFC4880] or [I-D.jivsov-openpgp-ecc]. 3367 The signature is comprised of a complete OpenPGP version 4 signature 3368 in binary form (not Radix-64), as specified in RFC 4880, section 3369 5.2.3, enclosed in the full OpenPGP packet syntax. The length of the 3370 OpenPGP signature is parseable from the signature, and depends on the 3371 type and length of the signing key. 3373 If OpenPGP signatures are supported, an implementation SHOULD NOT 3374 generate signatures using any other signature algorithm except DSA or 3375 ECDSA, but MAY accept other signature types from the other party. 3376 DSA signatures with keys shorter than 2048 bits or longer than 3072 3377 bits MUST NOT be generated. An implementation MUST use only NIST- 3378 approved hash algorithms in signatures, and MUST NOT use SHA1 in the 3379 signature. NIST-approved hash algorithms are found in [FIPS-180-3] 3380 or its SHA-3 successor. ECDSA OpenPGP signatures are specified in 3381 [I-D.jivsov-openpgp-ecc]. Signatures with ECDSA keys larger than 3382 P-384 or smaller than P-224 SHOULD NOT be generated. 3384 RFC 4880 section 5.2.3.18 specifies a way to embed, in an OpenPGP 3385 signature, a URI of the preferred key server. The URI should be 3386 fully specified to obtain the public key of the signing key that 3387 created the signature. This URI MUST be present. 3389 It is up to the recipient of the signature to obtain the public key 3390 of the signing key and determine its validity status using the 3391 OpenPGP trust model discussed in [RFC4880]. 3393 The contents of Figure 20 lie inside the encrypted region of the 3394 Confirm message (Figure 10) or the SASrelay message (Figure 16). 3396 The total length of all the material in Figure 20, including the key 3397 server URI, must not exceed 511 32-bit words (2044 octets). This 3398 length, in words, is stored in the signature length field in the 3399 Confirm or SASrelay message containing the signature. It is 3400 desirable to avoid UDP fragmentation, so the URI should be kept 3401 short. 3403 0 1 2 3 3404 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 3405 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3406 | Signature Type Block = "PGP " (1 word) | 3407 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3408 | | 3409 | OpenPGP signature | 3410 | (variable length) | 3411 | . . . | 3412 | | 3413 +===============================================================+ 3415 Figure 20: OpenPGP Signature format 3417 7.2.2. NSA Suite B Signatures with X.509v3 Certs 3419 If the SAS Signature Type (Section 5.1.7) is "X509", the NSA Suite B 3420 signature-related fields are arranged as follows. 3422 The first field after the 4-octet Signature Type Block is the DER 3423 encoded X.509v3 certificate (the signed public key) of the ECDSA 3424 signing key that created the signature. The format of this 3425 certificate is specified by the NSA's 3426 Suite B Base Certificate and CRL Profile [NSA-Suite-B-Cert]. 3428 Following the X.509v3 certificate at the next word boundary is the 3429 ECDSA signature itself. The size of this field depends on the size 3430 and type of the public key in the aforementioned certificate. The 3431 format of this signature and the algorithms that create it are 3432 specified by [FIPS-186-3]. The signature is comprised of the ECDSA 3433 signature output parameters (r, s) in binary form, concatenated, in 3434 network byte order, with no truncation of leading zeros. The first 3435 half of the signature is r and the second half is s. If ECDSA P-256 3436 is specified, the signature fills 16 words (64 octets), 32 octets 3437 each for r and s. If ECDSA P-384 is specified, the signature fills 3438 24 words (96 octets), 48 octets each for r and s. 3440 It is up to the recipient of the signature to use information in the 3441 certificate and path discovery mechanisms to trace the chain back to 3442 the root CA. It is recommended that end user certificates issued for 3443 secure telephony should contain appropriate path discovery links to 3444 facilitate this. 3446 Figure 21 shows a certificate and an NSA Suite B ECDSA signature. 3447 All this material lies inside the encrypted region of the Confirm 3448 message (Figure 10) or the SASrelay message (Figure 16). 3450 The total length of all the material in Figure 21, including the 3451 X.509v3 certificate, must not exceed 511 32-bit words (2044 octets). 3452 This length, in words, is stored in the signature length field in the 3453 Confirm or SASrelay message containing the signature. It is 3454 desirable to avoid UDP fragmentation, so the certificate material 3455 should be kept to a much smaller size than this. End user certs 3456 issued for this purpose should minimize the size of extraneous 3457 material such as legal notices. 3459 0 1 2 3 3460 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 3461 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3462 | Signature Type Block = "X509" (1 word) | 3463 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3464 | | 3465 | Signing key's X.509v3 certificate | 3466 | (variable length) | 3467 | . . . | 3468 | | 3469 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3470 | | 3471 | ECDSA P-256 or P-384 signature | 3472 | (16 words or 24 words) | 3473 | . . . | 3474 | | 3475 +===============================================================+ 3477 Figure 21: X.509v3 NSA Suite B Signature format 3479 7.3. Relaying the SAS through a PBX 3481 ZRTP is designed to use end-to-end encryption. The two parties' 3482 verbal comparison of the short authentication string (SAS) depends on 3483 this assumption. But in some PBX environments, such as Asterisk, 3484 there are usage scenarios that have the PBX acting as a trusted man- 3485 in-the-middle (MiTM), which means there are two back-to-back ZRTP 3486 connections with separate session keys and separate SAS's. 3488 For example, imagine that Bob has a ZRTP-enabled VoIP phone that has 3489 been registered with his company's PBX, so that it is regarded as an 3490 extension of the PBX. Alice, whose phone is not associated with the 3491 PBX, might dial the PBX from the outside, and a ZRTP connection is 3492 negotiated between her phone and the PBX. She then selects Bob's 3493 extension from the company directory in the PBX. The PBX makes a 3494 call to Bob's phone (which might be offsite, many miles away from the 3495 PBX through the Internet) and a separate ZRTP connection is 3496 negotiated between the PBX and Bob's phone. The two ZRTP sessions 3497 have different session keys and different SAS's, which would render 3498 the SAS useless for verbal comparison between Alice and Bob. They 3499 might even mistakenly believe that a wiretapper is present because of 3500 the SAS mismatch, causing undue alarm. 3502 ZRTP has a mechanism for solving this problem by having the PBX relay 3503 the Alice/PBX SAS to Bob, sending it through to Bob in a special 3504 SASrelay message as defined in Section 5.13, which is sent after the 3505 PBX/Bob ZRTP negotiation is complete, after the Confirm messages. 3506 Only the PBX, acting as a special trusted MiTM (trusted by the 3507 recipient of the SASrelay message), will relay the SAS. The SASrelay 3508 message protects the relayed SAS from tampering via an included HMAC, 3509 similar to how the Confirm message is protected. Bob's ZRTP-enabled 3510 phone accepts the relayed SAS for rendering only because Bob's phone 3511 had previously been configured to trust the PBX. This special 3512 trusted relationship with the PBX can be established through a 3513 special security enrollment procedure. After that enrollment 3514 procedure, the PBX is treated by Bob as a special trusted MiTM. This 3515 results in Alice's SAS being rendered to Bob, so that Alice and Bob 3516 may verbally compare them and thus prevent a MiTM attack by any other 3517 untrusted MiTM. 3519 A real bad-guy MiTM cannot exploit this protocol feature to mount a 3520 MiTM attack and relay Alice's SAS to Bob, because Bob has not 3521 previously carried out a special registration ritual with the bad 3522 guy. The relayed SAS would not be rendered by Bob's phone, because 3523 it did not come from a trusted PBX. The recognition of the special 3524 trust relationship is achieved with the prior establishment of a 3525 special shared secret between Bob and his PBX, which is called 3526 pbxsecret (defined in Section 7.3.1), also known as the trusted MiTM 3527 key. 3529 The trusted MiTM key can be stored in a special cache at the time of 3530 the initial enrollment (which is carried out only once for Bob's 3531 phone), and Bob's phone associates this key with the ZID of the PBX, 3532 while the PBX associates it with the ZID of Bob's phone. After the 3533 enrollment has established and stored this trusted MiTM key, it can 3534 be detected during subsequent ZRTP session negotiations between the 3535 PBX and Bob's phone, because the PBX and the phone MUST pass the hash 3536 of the trusted MiTM key in the DH message. It is then used as part 3537 of the key agreement to calculate s0. 3539 The PBX can determine whether it is trusted by the ZRTP user agent of 3540 a phone. The presence of a shared trusted MiTM key in the key 3541 negotiation sequence indicates that the phone has been enrolled with 3542 this PBX and therefore trusts it to act as a trusted MiTM. During a 3543 key agreement with two other ZRTP endpoints, the PBX may have a 3544 shared trusted MiTM key with both endpoints, only one endpoint, or 3545 neither endpoint. If the PBX has a shared trusted MiTM key with 3546 neither endpoint, the PBX MUST NOT relay the SAS. If the PBX has a 3547 shared trusted MiTM key with only one endpoint, the PBX MUST relay 3548 the SAS from one party to the other by sending an SASrelay message to 3549 the endpoint with which it shares a trusted MiTM key. If the PBX has 3550 a shared trusted MiTM key with both endpoints, the PBX MUST relay the 3551 SAS to only one endpoint, not both endpoints. 3553 Note: In the case of sharing trusted MiTM key with both endpoints, 3554 it does not matter which endpoint receives the relayed SAS as long 3555 as only one endpoint receives it. 3557 The relayed SAS fields contain the SAS rendering type and the 3558 complete sashash. The receiver absolutely MUST NOT render the 3559 relayed SAS if it does not come from a specially trusted ZRTP 3560 endpoint. The security of the ZRTP protocol depends on not rendering 3561 a relayed SAS from an untrusted MiTM, because it may be relayed by a 3562 MiTM attacker. See the SASrelay message definition (Figure 16) for 3563 further details. 3565 To ensure that both Alice and Bob will use the same SAS rendering 3566 scheme after the keys are negotiated, the PBX also sends the SASrelay 3567 message to the unenrolled party (which does not regard this PBX as a 3568 trusted MiTM), conveying the SAS rendering scheme, but not the 3569 sashash, which it sets to zero. The unenrolled party will ignore the 3570 relayed SAS field, but will use the specified SAS rendering scheme. 3572 The next section describes the initial enrollment procedure that 3573 establishes a special shared secret between the PBX and Bob's phone, 3574 a trusted MiTM key, so that the phone will learn to recognize the PBX 3575 as a trusted MiTM. 3577 7.3.1. PBX Enrollment and the PBX Enrollment Flag 3579 Both the PBX and the endpoint need to know when enrollment is taking 3580 place. One way of doing this is to setup an enrollment extension on 3581 the PBX which a newly configured endpoint would call and establish a 3582 ZRTP session. The PBX would then play audio media that offers the 3583 user an opportunity to configure his phone to trust this PBX as a 3584 trusted MiTM. The PBX calculates and stores the trusted MiTM shared 3585 secret in its cache and associates it with this phone, indexed by the 3586 phone's ZID. The trusted MiTM PBX shared secret is derived from 3587 ZRTPSess via the ZRTP key derivation function (Section 4.5.1) in this 3588 manner: 3590 pbxsecret = KDF(ZRTPSess, "Trusted MiTM key", (ZIDi || ZIDr), 256) 3592 The pbxsecret is calculated for the whole ZRTP session, not for each 3593 stream within a session, thus the KDF Context field in this case does 3594 not include any stream-specific nonce material. 3596 The PBX signals the enrollment process by setting the PBX Enrollment 3597 flag (E) in the Confirm message (Figure 10). This flag is used to 3598 trigger the ZRTP endpoint's user interface to prompt the user if they 3599 want to trust this PBX and calculate and store the pbxsecret in the 3600 cache. If the user decides to respond by activating the appropriate 3601 user interface element (a menu item, checkbox, or button), his ZRTP 3602 user agent calculates pbxsecret using the same formula and saves it 3603 in a special cache entry associated with this PBX. 3605 During a PBX enrollment, the GoClear features are disabled. If the 3606 (E) flag is set by the PBX, the PBX MUST NOT set the Allow Clear (A) 3607 flag. Thus, (E) implies not (A). If a received Confirm message has 3608 the (E) flag set, the (A) flag MUST be disregarded and treated as 3609 false. 3611 If the user elects not to enroll, perhaps because he dialed a wrong 3612 number or does not yet feel comfortable with this PBX, he can simply 3613 hang up and not save the pbxsecret in his cache. The PBX will have 3614 it saved in the PBX cache, but that will do no harm. The SASrelay 3615 scheme does not depend on the PBX trusting the phone. It only 3616 depends on the phone trusting the PBX. It is the phone (the user) 3617 who is at risk if the PBX abuses its MiTM privileges. 3619 An endpoint MUST NOT store the pbxsecret in the cache without 3620 explicit user authorization. 3622 After this enrollment process, the PBX and the ZRTP-enabled phone 3623 both share a secret that enables the phone to recognize the PBX as a 3624 trusted MiTM in future calls. This means that when a future call 3625 from an outside ZRTP-enabled caller is relayed through the PBX to 3626 this phone, the phone will render a relayed SAS from the PBX. If the 3627 SASrelay message comes from a MiTM which does not know the pbxsecret, 3628 the phone treats it as a "bad guy" MiTM, and refuses to render the 3629 relayed SAS. Regardless of which party initiates any future phone 3630 calls through the PBX, the enrolled phone or the outside phone, the 3631 PBX will relay the SAS to the enrolled phone. 3633 There are other ways that ZRTP user agents can be configured to trust 3634 a PBX. Perhaps the pbxsecret can be configured into the phone by 3635 some automated provisioning process in large IT environments. This 3636 specification does not require that products be configured solely by 3637 this enrollment process. Any process that results in a pbxsecret to 3638 be computed and shared between the PBX and the phone will suffice. 3639 This is one such method that has been shown to work. 3641 8. Signaling Interactions 3643 This section discusses how ZRTP, SIP, and SDP work together. 3645 Note that ZRTP may be implemented without coupling with the SIP 3646 signaling. For example, ZRTP can be implemented as a "bump in the 3647 wire" or as a "bump in the stack" in which RTP sent by the SIP UA is 3648 converted to ZRTP. In these cases, the SIP UA will have no knowledge 3649 of ZRTP. As a result, the signaling path discovery mechanisms 3650 introduced in this section should not be definitive - they are a 3651 hint. Despite the absence of an indication of ZRTP support in an 3652 offer or answer, a ZRTP endpoint SHOULD still send Hello messages. 3654 ZRTP endpoints which have control over the signaling path include a 3655 ZRTP SDP attributes in their SDP offers and answers. The ZRTP 3656 attribute, a=zrtp-hash is used to indicate support for ZRTP and to 3657 convey a hash of the Hello message. The hash is computed according 3658 to Section 8.1. 3660 Aside from the advantages described in Section 8.1, there are a 3661 number of potential uses for this attribute. It is useful when 3662 signaling elements would like to know when ZRTP may be utilized by 3663 endpoints. It is also useful if endpoints support multiple methods 3664 of SRTP key management. The ZRTP attribute can be used to ensure 3665 that these key management approaches work together instead of against 3666 each other. For example, if only one endpoint supports ZRTP but both 3667 support another method to key SRTP, then the other method will be 3668 used instead. When used in parallel, an SRTP secret carried in an 3669 a=keymgt [RFC4567] or a=crypto [RFC4568] attribute can be used as a 3670 shared secret for the srtps computation defined in Section 8.2. The 3671 ZRTP attribute is also used to signal to an intermediary ZRTP device 3672 not to act as a ZRTP endpoint, as discussed in Section 10. 3674 The a=zrtp-hash attribute can only be included in the SDP at the 3675 media level since Hello messages sent in different media streams will 3676 have unique hashes. 3678 The ABNF for the ZRTP attribute is as follows: 3680 zrtp-attribute = "a=zrtp-hash:" zrtp-version zrtp-hash-value 3682 zrtp-version = token 3684 zrtp-hash-value = 1*(HEXDIG) 3686 Here's an example of the ZRTP attribute in an initial SDP offer or 3687 answer used at the media level, using the convention 3688 defined in RFC 4475, section 2.1 [RFC4475]: 3690 v=0 3691 o=bob 2890844527 2890844527 IN IP4 client.biloxi.example.com 3692 s= 3693 c=IN IP4 client.biloxi.example.com 3694 t=0 0 3695 m=audio 3456 RTP/AVP 97 33 3696 a=rtpmap:97 iLBC/8000 3697 a=rtpmap:33 no-op/8000 3698 3699 a=zrtp-hash:1.10 fe30efd02423cb054e50efd0248742ac7a52c8f91bc2 3700 df881ae642c371ba46df 3701 3703 A mechanism for carrying this same zrtp-hash information in the 3704 Jingle signaling protocol is defined in [XEP-0262]. 3706 8.1. Binding the media stream to the signaling layer via the Hello Hash 3708 Tying the media stream to the signaling channel can help prevent a 3709 third party from inserting false media packets. If the signaling 3710 layer contains information that ties it to the media stream, false 3711 media streams can be rejected. 3713 To accomplish this, the entire Hello message (Figure 3) is hashed, 3714 using the hash algorithm defined in Section 5.1.2.1. The ZRTP packet 3715 framing from Figure 2 is not included in the hash. The resulting 3716 hash image is made available without truncation to the signaling 3717 layer, where it is transmitted as a hexadecimal value in the SIP 3718 channel using the SDP attribute a=zrtp-hash, defined in this 3719 specification. Assuming Section 5.1.2.1 defines a 256-bit hash 3720 length, the a=zrtp-hash field in the SDP attribute carries 64 3721 hexidecimal digits. Each media stream (audio or video) will have a 3722 separate Hello message, and thus will require a separate a=zrtp-hash 3723 in an SDP attribute. The recipient of the SIP/SDP message can then 3724 use this hash image to detect and reject false Hello messages in the 3725 media channel, as well as identify which media stream is associated 3726 with this SIP call. Each Hello message hashes uniquely, because it 3727 contains the H3 field derived from a random nonce, defined in 3728 Section 9. 3730 The Hello Hash as an SDP attribute is not a REQUIRED feature, because 3731 some ZRTP endpoints do not have the ability to add SDP attributes to 3732 the signaling. For example, if ZRTP is implemented in a hardware 3733 bump-in-the-wire device, it might only have the ability to modify the 3734 media packets, not the SIP packets, especially if the SIP packets are 3735 integrity protected and thus cannot be modified on the wire. If the 3736 SDP has no hash image of the ZRTP Hello message, the recipient's ZRTP 3737 user agent cannot check it, and thus will not be able to reject Hello 3738 messages based on this hash. 3740 After the Hello Hash is used to properly identify the ZRTP Hello 3741 message as belonging to this particular SIP call, the rest of the 3742 ZRTP message sequence is protected from false packet injection by 3743 other protection mechanisms, such as the hash chaining mechanism 3744 defined in Section 9. 3746 An attacker who controls only the signaling layer, such as an 3747 uncooperative VoIP service provider, may be able to deny service by 3748 corrupting the hash of the Hello message in the SDP attribute, which 3749 would force ZRTP to reject perfectly good Hello messages. If there 3750 is reason to believe this is happening, the ZRTP endpoint MAY allow 3751 Hello messages to be accepted that do not match the hash image in the 3752 SDP attribute. 3754 Even in the absence of SIP integrity protection, the inclusion of the 3755 a=zrtp-hash SDP attribute, when coupled with the hash chaining 3756 mechanism defined in Section 9, meets the R-ASSOC requirement in the 3757 Media Security Requirements [RFC5479], which requires: 3759 "...a mechanism for associating key management messages with both 3760 the signaling traffic that initiated the session and with 3761 protected media traffic. Allowing such an association also allows 3762 the SDP offerer to avoid performing CPU-consuming operations 3763 (e.g., Diffie-Hellman or public key operations) with attackers 3764 that have not seen the signaling messages." 3766 The a=zrtp-hash SDP attribute becomes especially useful if the SDP is 3767 integrity-protected end-to-end by SIP Identity (RFC 4474) [RFC4474] 3768 or better still, Dan Wing's SIP Identity using Media Path 3769 [I-D.wing-sip-identity-media]. This leads to an ability to stop MiTM 3770 attacks independent of ZRTP's SAS mechanism, as explained in 3771 Section 8.1.1 below. 3773 8.1.1. Integrity-protected signaling enables integrity-protected DH 3774 exchange 3776 If and only if the signaling path and the SDP is protected by some 3777 form of end-to-end integrity protection, such as one of the 3778 abovementioned mechanisms, so that it can guarantee delivery of the 3779 a=zrtp-hash attribute without any tampering by a third party, and if 3780 there is good reason to trust the signaling layer to protect the 3781 interests of the end user, it is possible to authenticate the key 3782 exchange and prevent a MiTM attack. This can be done without 3783 requiring the users to verbally compare the SAS, by using the hash 3784 chaining mechanism defined in Section 9 to provide a series of HMAC 3785 keys that protect the entire ZRTP key exchange. Thus, an end-to-end 3786 integrity-protected signaling layer automatically enables an 3787 integrity-protected Diffie-Hellman exchange in ZRTP, which in turn 3788 means immunity from a MiTM attack. Here's how it works. 3790 The integrity-protected SIP SDP contains a hash commitment to the 3791 entire Hello message. The Hello message contains H3, which provides 3792 a hash commitment for the rest of the hash chain H0-H2 (Section 9). 3793 The Hello message is protected by a 64-bit HMAC, keyed by H2. The 3794 Commit message is protected by a 64-bit HMAC keyed by H1. The 3795 DHPart1 or DHPart2 messages are protected by a 64-bit HMAC keyed by 3796 H0. The HMAC protecting the Confirm messages are computed by a 3797 different HMAC key derived from the resulting key agreement. Each 3798 message's HMAC is checked when the HMAC key is received in the next 3799 message. If a bad HMAC is discovered, it MUST be treated as a 3800 security exception indicating a MiTM attack, perhaps by logging or 3801 alerting the user, and MUST NOT be treated as a random error. Random 3802 errors are already discovered and quietly rejected by bad CRCs 3803 (Figure 2). 3805 The Hello message must be assembled before any hash algorithms are 3806 negotiated, so an implicit predetermined hash algorithm and HMAC 3807 algorithm (both defined in Section 5.1.2.1) must be used. All of the 3808 aforementioned HMACs keyed by the hashes in the aforementioned hash 3809 chain MUST be computed with the HMAC algorithm defined in 3810 Section 5.1.2.1, with the HMAC truncated to 64 bits. 3812 The Media Security Requirements [RFC5479] R-EXISTING requirement can 3813 be fully met by leveraging a certificate-backed PKI in the signaling 3814 layer to integrity-protect the delivery of the a=zrtp-hash SDP 3815 attribute. This would thereby protect ZRTP against a MiTM attack, 3816 without requiring the user to check the SAS, without adding any 3817 explicit signatures or signature keys to the ZRTP key exchange, and 3818 without any extra public key operations or extra packets. 3820 Without an end-to-end integrity protection mechanism in the signaling 3821 layer to guarantee delivery of the a=zrtp-hash SDP attribute without 3822 modification by a third party, these HMACs alone will not prevent a 3823 MiTM attack. In that case, ZRTP's built-in SAS mechanism will still 3824 have to be used to authenticate the key exchange. At the time of 3825 this writing, very few deployed VoIP clients offer a fully 3826 implemented SIP stack that provides end-to-end integrity protection 3827 for the delivery of SDP attributes. Also, end-to-end signaling 3828 integrity becomes more problematic if E.164 numbers [RFC3824] are 3829 used in SIP. Thus, real-world implementations of ZRTP endpoints will 3830 continue to depend on SAS authentication for quite some time. Even 3831 after there is widespread availability of SIP user agents that offer 3832 integrity protected delivery of SDP attributes, many users will still 3833 be faced with the fact that the signaling path may be controlled by 3834 institutions that do not have the best interests of the end user in 3835 mind. In those cases, SAS authentication will remain the gold 3836 standard for the prudent user. 3838 Even without SIP integrity protection, the Media Security 3839 Requirements [RFC5479] R-ACT-ACT requirement can be met by ZRTP's SAS 3840 mechanism. Although ZRTP may benefit from an integrity-protected SIP 3841 layer, it is fortunate that ZRTP's self-contained MiTM defenses do 3842 not actually require an integrity-protected SIP layer. ZRTP can 3843 bypass the delays and problems that SIP integrity faces, such as 3844 E.164 number usage, and the complexity of building and maintaining a 3845 PKI. 3847 In contrast, DTLS-SRTP [I-D.ietf-avt-dtls-srtp] appears to depend 3848 heavily on end-to-end integrity protection in the SIP layer. 3849 Further, DTLS-SRTP must bear the additional cost of a signature 3850 calculation of its own, in addition to the signature calculation the 3851 SIP layer uses to achieve its integrity protection. ZRTP needs no 3852 signature calculation of its own to leverage the signature 3853 calculation carried out in the SIP layer. 3855 8.2. Deriving the SRTP secret (srtps) from the signaling layer 3857 The shared secret calculations defined in Section 4.3 make use of the 3858 SRTP secret (srtps), if it is provided by the signaling layer. 3860 It is desirable for only one SRTP key negotiation protocol to be 3861 used, and that protocol should be ZRTP. But in the event the 3862 signaling layer negotiates its own SRTP master key and salt, using 3863 the SDES [RFC4568] or [RFC4567], it can be passed from the signaling 3864 to the ZRTP layer and mixed into ZRTP's own shared secret 3865 calculations, without compromising security by creating a dependency 3866 on the signaling for media encryption. 3868 ZRTP computes srtps from the SRTP master key and salt parameters 3869 provided by the signaling layer in this manner, truncating the hash 3870 result to 256 bits: 3872 srtps = hash(SRTP master key || SRTP master salt) 3874 It is expected that the srtps parameter will be rarely computed or 3875 used in typical ZRTP endpoints, because it is likely and desirable 3876 that ZRTP will be the sole means of negotiating SRTP keys, needing no 3877 help from SDES [RFC4568] or [RFC4567]. If srtps is computed, it will 3878 be stored in the auxiliary shared secret auxsecret, defined in 3879 Section 4.3, and used in Section 4.3.1. 3881 8.3. Codec Selection for Secure Media 3883 Codec selection is negotiated in the signaling layer. If the 3884 signaling layer determines that ZRTP is supported by both endpoints, 3885 this should provide guidance in codec selection to avoid variable 3886 bit-rate (VBR) codecs that leak information. 3888 When voice is compressed with a VBR codec, the packet lengths vary 3889 depending on the types of sounds being compressed. This leaks a lot 3890 of information about the content even if the packets are encrypted, 3891 regardless of what encryption protocol is used [Wright1]. It is 3892 RECOMMENDED that VBR codecs be avoided in encrypted calls. It is not 3893 a problem if the codec adapts the bit rate to the available channel 3894 bandwidth. The vulnerable codecs are the ones that change their bit 3895 rate depending on the type of sound being compressed. 3897 It also appears that voice activity detection (VAD) leaks information 3898 about the content of the conversation, but to a lesser extent than 3899 VBR. This effect can be mitigated by lengthening the VAD hangover 3900 time by a random amount between 1 to 2 seconds, if this is feasible 3901 in your application. Only short bursts of speech would benefit from 3902 lengthening the VAD hangover time. This is a topic that needs 3903 further study. 3905 9. False ZRTP Packet Rejection 3907 An attacker who is not in the media path may attempt to inject false 3908 ZRTP protocol packets, possibly to effect a denial of service attack, 3909 or to inject his own media stream into the call. VoIP by its nature 3910 invites various forms of denial of service attacks and requires 3911 protocol features to reject such attacks. While bogus SRTP packets 3912 may be easily rejected via the SRTP auth tag field, that can only be 3913 applied after a key agreement is completed. During the ZRTP key 3914 negotiation phase, other false packet rejection mechanisms are 3915 needed. One such mechanism is the use of the total_hash in the final 3916 shared secret calculation, but that can only detect false packets 3917 after performing the computationally expensive Diffie-Hellman 3918 calculation. 3920 A lot of work has been done on the analysis of denial of service 3921 attacks, especially from attackers who are not in the media path. 3922 Such an attacker might inject false ZRTP packets to force a ZRTP 3923 endpoint to engage in an endless series of pointless and expensive DH 3924 calculations. To detect and reject false packets cheaply and rapidly 3925 as soon as they are received, ZRTP uses a hash chain, which is a 3926 series of successive hash images. Before each session, the following 3927 values are computed: 3929 H0 = 256-bit random nonce (different for each party) 3930 H1 = hash (H0) 3931 H2 = hash (H1) 3932 H3 = hash (H2) 3934 The hash chain MUST use the hash algorithm defined in 3935 Section 5.1.2.1, truncated to 256 bits. Each 256-bit hash image is 3936 the preimage of the next, and the sequence of images is sent in 3937 reverse order in the ZRTP packet sequence. The hash image H3 is sent 3938 in the Hello message, H2 is sent in the Commit message, H1 is sent in 3939 the DHPart1 or DHPart2 messages, and H0 is sent in the Confirm1 or 3940 Confirm2 messages. The initial random H0 nonces that each party 3941 generates MUST be unpredictable to an attacker and unique within a 3942 ZRTP session, which thereby forces the derived hash images H1-H3 to 3943 also be unique and unpredictable. 3945 The recipient checks if the packet has the correct hash preimage, by 3946 hashing it and comparing the result with the hash image for the 3947 preceding packet. Packets which contain an incorrect hash preimage 3948 MUST NOT be used by the recipient, but MAY be processed as security 3949 exceptions, perhaps by logging or alerting the user. As long as 3950 these bogus packets are not used, and correct packets are still being 3951 received, the protocol SHOULD be allowed to run to completion, 3952 thereby rendering ineffective this denial of service attack. 3954 Note that since H2 is sent in the Commit message, and the initiator 3955 does not receive a Commit message, the initiator computes the 3956 responder's missing H2 by hashing the responder's H1. An analogous 3957 interpolation is performed by both parties to handle the skipped 3958 DHPart1 and DHPart2 messages in Preshared (Section 3.1.2) or 3959 Multistream (Section 3.1.3) modes. 3961 Because these hash images alone do not protect the rest of the 3962 contents of the packet they reside in, this scheme assumes the 3963 attacker cannot modify the packet contents from a legitimate party, 3964 which is a reasonable assumption for an attacker who is not in the 3965 media path. This covers an important range of denial-of-service 3966 attacks. For dealing with the remaining set of attacks that involve 3967 packet modification, other mechanisms are used, such as the 3968 total_hash in the final shared secret calculation, and the hash 3969 commitment in the Commit message. 3971 Hello messages injected by an attacker may be detected and rejected 3972 by the mechanism defined in Section 8.1. This mechanism requires 3973 that each Hello message be unique, and the inclusion of the H3 hash 3974 image meets that requirement. 3976 If and only if an integrity-protected signaling channel is available, 3977 this hash chaining scheme can be used to key HMACs to authenticate 3978 the entire ZRTP key exchange, and thereby prevent a MiTM attack, 3979 without relying on the users verbally comparing the SAS. See 3980 Section 8.1.1 for details. 3982 Some ZRTP user agents allow the user to manually switch to clear mode 3983 (via the GoClear message) in the middle of a secure call, and then 3984 later initiate secure mode again. Many consumer client products will 3985 omit this feature, but those that allow it may return to secure mode 3986 again in the same media stream. Although the same chain of hash 3987 images will be re-used and thus rendered ineffective the second time, 3988 no real harm is done because the new SRTP session keys will be 3989 derived in part from a cached shared secret, which was safely 3990 protected from the MiTM in the previous DH exchange earlier in the 3991 same session. 3993 10. Intermediary ZRTP Devices 3995 This section discusses the operation of a ZRTP endpoint which is 3996 actually an intermediary. For example, consider a device which 3997 proxies both signaling and media between endpoints. There are three 3998 possible ways in which such a device could support ZRTP. 4000 An intermediary device can act transparently to the ZRTP protocol. 4001 To do this, a device MUST pass RTP header extensions and payloads (to 4002 allow the ZRTP Flag) and non-RTP protocols multiplexed on the same 4003 port as RTP (to allow ZRTP and STUN). This is the RECOMMENDED 4004 behavior for intermediaries as ZRTP and SRTP are best when done end- 4005 to-end. 4007 An intermediary device could implement the ZRTP protocol and act as a 4008 ZRTP endpoint on behalf of non-ZRTP endpoints behind the intermediary 4009 device. The intermediary could determine on a call-by-call basis 4010 whether the endpoint behind it supports ZRTP based on the presence or 4011 absence of the ZRTP SDP attribute flag (a=zrtp-hash). For non-ZRTP 4012 endpoints, the intermediary device could act as the ZRTP endpoint 4013 using its own ZID and cache. This approach SHOULD only be used when 4014 there is some other security method protecting the confidentiality of 4015 the media between the intermediary and the inside endpoint, such as 4016 IPSec or physical security. 4018 The third mode, which is NOT RECOMMENDED, is for the intermediary 4019 device to attempt to back-to-back the ZRTP protocol. The only 4020 exception to this case is where the intermediary device is a trusted 4021 element providing services to one of the endpoints - e.g. a Private 4022 Branch Exchange or PBX. In this mode, the intermediary would attempt 4023 to act as a ZRTP endpoint towards both endpoints of the media 4024 session. This approach MUST NOT be used except as described in 4025 Section 7.3 as it will always result in a detected man-in-the-middle 4026 attack and will generate alarms on both endpoints and likely result 4027 in the immediate termination of the session. 4029 In cases where centralized media mixing is taking place, the SAS will 4030 not match when compared by the humans. However, this situation is 4031 known in the SIP signaling by the presence of the isfocus feature tag 4032 [RFC4579]. As a result, when the isfocus feature tag is present, the 4033 DH exchange can be authenticated by the mechanism defined in 4034 Section 8.1.1 or by validating signatures (Section 7.2) in the 4035 Confirm or SASrelay messages. For example, consider a audio 4036 conference call with three participants Alice, Bob, and Carol hosted 4037 on a conference bridge in Dallas. There will be three ZRTP encrypted 4038 media streams, one encrypted stream between each participant and 4039 Dallas. Each will have a different SAS. Each participant will be 4040 able to validate their SAS with the conference bridge by using 4041 signatures optionally present in the Confirm messages (described in 4042 Section 7.2). Or, if the signaling path has end-to-end integrity 4043 protection, each DH exchange will have automatic MiTM protection by 4044 using the mechanism in Section 8.1.1. 4046 SIP feature tags can also be used to detect if a session is 4047 established with an automaton such as an IVR, voicemail system, or 4048 speech recognition system. The display of SAS strings to users 4049 should be disabled in these cases. 4051 It is possible that an intermediary device acting as a ZRTP endpoint 4052 might still receive ZRTP Hello and other messages from the inside 4053 endpoint. This could occur if there is another inline ZRTP device 4054 which does not include the ZRTP SDP attribute flag. An intermediary 4055 acting as a ZRTP endpoint receiving ZRTP Hello and other messages 4056 from the inside endpoint MUST NOT pass these ZRTP messages. 4058 11. The ZRTP Disclosure flag 4060 There are no back doors defined in the ZRTP protocol specification. 4061 The designers of ZRTP would like to discourage back doors in ZRTP- 4062 enabled products. However, despite the lack of back doors in the 4063 actual ZRTP protocol, it must be recognized that a ZRTP implementer 4064 might still deliberately create a rogue ZRTP-enabled product that 4065 implements a back door outside the scope of the ZRTP protocol. For 4066 example, they could create a product that discloses the SRTP session 4067 key generated using ZRTP out-of-band to a third party. They may even 4068 have a legitimate business reason to do this for some customers. 4070 For example, some environments have a need to monitor or record 4071 calls, such as stock brokerage houses who want to discourage insider 4072 trading, or special high security environments with special needs to 4073 monitor their own phone calls. We've all experienced automated 4074 messages telling us that "This call may be monitored for quality 4075 assurance". A ZRTP endpoint in such an environment might 4076 unilaterally disclose the session key to someone monitoring the call. 4077 ZRTP-enabled products that perform such out-of-band disclosures of 4078 the session key can undermine public confidence in the ZRTP protocol, 4079 unless we do everything we can in the protocol to alert the other 4080 user that this is happening. 4082 If one of the parties is using a product that is designed to disclose 4083 their session key, ZRTP requires them to confess this fact to the 4084 other party through a protocol message to the other party's ZRTP 4085 client, which can properly alert that user, perhaps by rendering it 4086 in a graphical user interface. The disclosing party does this by 4087 sending a Disclosure flag (D) in Confirm1 and Confirm2 messages as 4088 described in Section 5.7. 4090 Note that the intention here is to have the Disclosure flag identify 4091 products that are designed to disclose their session keys, not to 4092 identify which particular calls are compromised on a call-by-call 4093 basis. This is an important legal distinction, because most 4094 government sanctioned wiretap regulations require a VoIP service 4095 provider to not reveal which particular calls are wiretapped. But 4096 there is nothing illegal about revealing that a product is designed 4097 to be wiretap-friendly. The ZRTP protocol mandates that such a 4098 product "out" itself. 4100 You might be using a ZRTP-enabled product with no back doors, but if 4101 your own graphical user interface tells you the call is (mostly) 4102 secure, except that the other party is using a product that is 4103 designed in such a way that it may have disclosed the session key for 4104 monitoring purposes, you might ask him what brand of secure telephone 4105 he is using, and make a mental note not to purchase that brand 4106 yourself. If we create a protocol environment that requires such 4107 back-doored phones to confess their nature, word will spread quickly, 4108 and the "invisible hand" of the free market will act. The free 4109 market has effectively dealt with this in the past. 4111 Of course, a ZRTP implementer can lie about his product having a back 4112 door, but the ZRTP standard mandates that ZRTP-compliant products 4113 MUST adhere to the requirement that a back door be confessed by 4114 sending the Disclosure flag to the other party. 4116 There will be inevitable comparisons to Steve Bellovin's 2003 April 4117 fool's joke, when he submitted RFC 3514 [RFC3514] which defined the 4118 "Evil bit" in the IPV4 header, for packets with "evil intent". But 4119 we submit that a similar idea can actually have some merit for 4120 securing VoIP. Sure, one can always imagine that some implementer 4121 will not be fazed by the rules and will lie, but they would have lied 4122 anyway even without the Disclosure flag. There are good reasons to 4123 believe that it will improve the overall percentage of 4124 implementations that at least tell us if they put a back door in 4125 their products, and may even get some of them to decide not to put in 4126 a back door at all. From a civic hygiene perspective, we are better 4127 off with having the Disclosure flag in the protocol. 4129 If an endpoint stores or logs SRTP keys or information that can be 4130 used to reconstruct or recover SRTP keys after they are no longer in 4131 use (i.e. the session is active), or otherwise discloses or passes 4132 SRTP keys or information that can be used to reconstruct or recover 4133 SRTP keys to another application or device, the Disclosure flag D 4134 MUST be set in the Confirm1 or Confirm2 message. 4136 11.1. Guidelines on Proper Implementation of the Disclosure Flag 4138 Some implementers have asked for guidance on implementing the 4139 Disclosure Flag. Some people have incorrectly thought that a 4140 connection secured with ZRTP cannot be used in a call center, with 4141 voluntary voice recording, or even with a voicemail system. 4142 Similarly, some potential users of ZRTP have over considered the 4143 protection that ZRTP can give them. These guidelines clarify both 4144 concerns. 4146 The ZRTP Disclosure Flag only governs the ZRTP/SRTP stream itself. 4147 It does not govern the underlying RTP media stream, nor the actual 4148 media itself. Consequently, a PBX that uses ZRTP may provide 4149 conference calls, call monitoring, call recording, voicemail, or 4150 other PBX features and still say that it does not disclose the ZRTP 4151 key material. A video system may provide DVR features and still say 4152 that it does not disclose the ZRTP key material. The ZRTP Disclosure 4153 Flag, when not set, means only that the ZRTP cryptographic key 4154 material stays within the bounds of the ZRTP subsystem. 4156 If an application has a need to disclose the ZRTP cryptographic key 4157 material, the easiest way to comply with the protocol is to set the 4158 flag to the proper value. The next easiest way is to overestimate 4159 disclosure. For example, a call center that commonly records calls 4160 might choose to set the disclosure flag even though all recording is 4161 an analog recording of a call (and thus outside the ZRTP scope) 4162 because it sets an expectation with clients that their calls might be 4163 recorded. 4165 Note also that the ZRTP Disclosure Flag does not require an 4166 implementation to preclude hacking or malware. Malware that leaks 4167 ZRTP cryptographic key material does not create a liability for the 4168 implementor from non-compliance with the ZRTP specification. 4170 A user of ZRTP should note that ZRTP is not a panacea against 4171 unauthorized recording. ZRTP does not and cannot protect against an 4172 untrustworthy partner who holds a microphone up to the speaker. It 4173 does not protect against someone else being in the room. It does not 4174 protect against analog wiretaps in the phone or in the room. It does 4175 not mean your partner has not been hacked with spyware. It does not 4176 mean that the software has no flaws. It means that the ZRTP 4177 subsystem is not knowingly leaking ZRTP cryptographic key material. 4179 12. RTP Header Extension Flag for ZRTP 4181 This specification defines a new RTP header extension used only for 4182 discovery of support for ZRTP. No ZRTP data is transported in the 4183 extension. When used, the X bit is set in the RTP header to indicate 4184 the presence of the RTP header extension. 4186 In RFC 3550, section 5.3.1 [RFC3550], the format of an RTP Header 4187 extension is defined. The Header extension is appended to the RTP 4188 header. The first 16 bits are an identifier for the header 4189 extension, and the following 16 bits are the length of the extension 4190 header in 32 bit words. The ZRTP flag RTP header extension has the 4191 value of 0x505A and a length of 0. The format of the header 4192 extension is as shown in the Figure below. 4194 0 1 2 3 4195 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 4196 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4197 |0 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0|0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0| 4198 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4200 Figure 22: RTP Extension header format for ZRTP Flag 4202 ZRTP endpoints SHOULD include the ZRTP Flag in RTP packets sent at 4203 the start of a session, for at least the first 50 RTP packets sent. 4204 The inclusion of the flag MAY be ended if a ZRTP message (such as 4205 Hello) is received. 4207 13. IANA Considerations 4209 This specification defines a new SDP [RFC4566] attribute in 4210 Section 8. 4212 Contact name: Philip Zimmermann 4214 Attribute name: "zrtp-hash". 4216 Type of attribute: Media level. 4218 Subject to charset: Not. 4220 Purpose of attribute: The 'zrtp-hash' indicates that a UA supports 4221 the ZRTP protocol and provides a hash of the 4222 ZRTP Hello message. The ZRTP protocol 4223 version number is also specified. 4225 Allowed attribute values: Hex. 4227 14. Appendix - Media Security Requirements 4229 This section discuses how ZRTP meets all RTP security requirements 4230 discussed in the Media Security Requirements [RFC5479] document 4231 without any dependencies on other protocols or extensions, unlike 4232 DTLS-SRTP [I-D.ietf-avt-dtls-srtp] which requires additional 4233 protocols and mechanisms. 4235 R-FORK-RETARGET is met since ZRTP is a media path key agreement 4236 protocol. 4238 R-DISTINCT is met since ZRTP uses ZIDs and allows multiple 4239 independent ZRTP exchanges to proceed. 4241 R-HERFP is met since ZRTP is a media path key agreement protocol. 4243 R-REUSE is met using the Multistream and Preshared modes. 4245 R-AVOID-CLIPPING is met since ZRTP is a media path key agreement 4246 protocol. 4248 R-RTP-CHECK is met since the ZRTP packet format does not pass the 4249 RTP validity check. 4251 R-ASSOC is met using the a=zrtp-hash SDP attribute in INVITEs and 4252 responses (Section 8.1). 4254 R-NEGOTIATE is met using the Commit message. 4256 R-PSTN is met since ZRTP can be implemented in Gateways. 4258 R-PFS is met using ZRTP Diffie-Hellman key agreement methods. 4260 R-COMPUTE is met using the Hello/Commit ZRTP exchange. 4262 R-CERTS is met using the verbal comparison of the SAS. 4264 R-FIPS is met since ZRTP uses only FIPS-approved algorithms in all 4265 relevant categories. To meet the FIPS-140 validation requirements 4266 set by NIST FIPS PUB 140-2 Annex A [FIPS-140-2-Annex-A] and NIST 4267 FIPS PUB 140-2 Annex D [FIPS-140-2-Annex-D], ZRTP is compliant 4268 with NIST SP 800-56A [SP800-56A], NIST SP 800-108 [SP800-108], 4269 NIST FIPS PUB 198-1 [FIPS-198-1], NIST FIPS PUB 180-3 4270 [FIPS-180-3], NIST SP 800-38A [SP800-38A], NIST FIPS PUB 197 4271 [FIPS-197], and NSA Suite B [NSA-Suite-B]. 4273 R-DOS is met since ZRTP does not introduce any new denial of 4274 service attacks. 4276 R-EXISTING is met since ZRTP can support the use of certificates 4277 or keys. 4279 R-AGILITY is met since the set of hash, cipher, authentication tag 4280 length, key agreement method, SAS type, and signature type can all 4281 be extended and negotiated. 4283 R-DOWNGRADE is met since ZRTP has protection against downgrade 4284 attacks. 4286 R-PASS-MEDIA is met since ZRTP prevents a passive adversary with 4287 access to the media path from gaining access to keying material 4288 used to protect SRTP media packets. 4290 R-PASS-SIG is met since ZRTP prevents a passive adversary with 4291 access to the signaling path from gaining access to keying 4292 material used to protect SRTP media packets. 4294 R-SIG-MEDIA is met using the a=zrtp-hash SDP attribute in INVITEs 4295 and responses. 4297 R-ID-BINDING is met using the a=zrtp-hash SDP attribute 4298 (Section 8.1). 4300 R-ACT-ACT is met using the a=zrtp-hash SDP attribute in INVITEs 4301 and responses. 4303 R-BEST-SECURE is met since ZRTP utilizes the RTP/AVP profile and 4304 hence best effort SRTP in every case. 4306 R-OTHER-SIGNALING is met since ZRTP can utilize modes in which 4307 there is no dependency on the signaling path. 4309 R-RECORDING is met using the ZRTP Disclosure flag. 4311 R-TRANSCODER is met if the transcoder operates as a trusted MitM 4312 (i.e. a PBX). 4314 R-ALLOW-RTP is met due to ZRTP's best effort encryption. 4316 15. Security Considerations 4318 This document is all about securely keying SRTP sessions. As such, 4319 security is discussed in every section. 4321 Most secure phones rely on a Diffie-Hellman exchange to agree on a 4322 common session key. But since DH is susceptible to a man-in-the- 4323 middle (MiTM) attack, it is common practice to provide a way to 4324 authenticate the DH exchange. In some military systems, this is done 4325 by depending on digital signatures backed by a centrally-managed PKI. 4326 A decade of industry experience has shown that deploying centrally 4327 managed PKIs can be a painful and often futile experience. PKIs are 4328 just too messy, and require too much activation energy to get them 4329 started. Setting up a PKI requires somebody to run it, which is not 4330 practical for an equipment provider. A service provider like a 4331 carrier might venture down this path, but even then you have to deal 4332 with cross-carrier authentication, certificate revocation lists, and 4333 other complexities. It is much simpler to avoid PKIs altogether, 4334 especially when developing secure commercial products. It is 4335 therefore more common for commercial secure phones in the PSTN world 4336 to augment the DH exchange with a Short Authentication String (SAS) 4337 combined with a hash commitment at the start of the key exchange, to 4338 shorten the length of SAS material that must be read aloud. No PKI 4339 is required for this approach to authenticating the DH exchange. The 4340 AT&T TSD 3600, Eric Blossom's COMSEC secure phones [comsec], PGPfone 4341 [pgpfone], and CryptoPhone [cryptophone] are all examples of products 4342 that took this simpler lightweight approach. 4344 The main problem with this approach is inattentive users who may not 4345 execute the voice authentication procedure, or unattended secure 4346 phone calls to answering machines that cannot execute it. 4348 Additionally, some people worry about voice spoofing. But it is a 4349 mistake to think this is simply an exercise in voice impersonation 4350 (perhaps this could be called the "Rich Little" attack). Although 4351 there are digital signal processing techniques for changing a 4352 person's voice, that does not mean a man-in-the-middle attacker can 4353 safely break into a phone conversation and inject his own short 4354 authentication string (SAS) at just the right moment. He doesn't 4355 know exactly when or in what manner the users will choose to read 4356 aloud the SAS, or in what context they will bring it up or say it, or 4357 even which of the two speakers will say it, or if indeed they both 4358 will say it. In addition, some methods of rendering the SAS involve 4359 using a list of words such as the PGP word list[Juola2], in a manner 4360 analogous to how pilots use the NATO phonetic alphabet to convey 4361 information. This can make it even more complicated for the 4362 attacker, because these words can be worked into the conversation in 4363 unpredictable ways. Remember that the attacker places a very high 4364 value on not being detected, and if he makes a mistake, he doesn't 4365 get to do it over. Some people have raised the question that even if 4366 the attacker lacks voice impersonation capabilities, it may be unsafe 4367 for people who don't know each other's voices to depend on the SAS 4368 procedure. This is not as much of a problem as it seems, because it 4369 isn't necessary that they recognize each other by their voice, it is 4370 only necessary that they detect that the voice used for the SAS 4371 procedure matches the voice in the rest of the phone conversation. 4373 A popular and field-proven approach is used by SSH (Secure Shell) 4374 [RFC4251], which Peter Gutmann likes to call the "baby duck" security 4375 model. SSH establishes a relationship by exchanging public keys in 4376 the initial session, when we assume no attacker is present, and this 4377 makes it possible to authenticate all subsequent sessions. A 4378 successful MiTM attacker has to have been present in all sessions all 4379 the way back to the first one, which is assumed to be difficult for 4380 the attacker. ZRTP's key continuity features are actually better 4381 than SSH, at least for VoIP, for reasons described in Section 15.1. 4382 All this is accomplished without resorting to a centrally-managed 4383 PKI. 4385 We use an analogous baby duck security model to authenticate the DH 4386 exchange in ZRTP. We don't need to exchange persistent public keys, 4387 we can simply cache a shared secret and re-use it to authenticate a 4388 long series of DH exchanges for secure phone calls over a long period 4389 of time. If we read aloud just one SAS, and then cache a shared 4390 secret for later calls to use for authentication, no new voice 4391 authentication rituals need to be executed. We just have to remember 4392 we did one already. 4394 If one party ever loses this cached shared secret, it is no longer 4395 available for authentication of DH exchanges. This cache mismatch 4396 situation is easy to detect by the party that still has a surviving 4397 shared secret cache entry. If it fails to match, either there is a 4398 MiTM attack or one side has lost their shared secret cache entry. 4399 The user agent that discovers the cache mismatch must alert the user 4400 that a cache mismatch has been detected, and that he must do a verbal 4401 comparison of the SAS to distinguish if the mismatch is because of a 4402 MiTM attack or because of the other party losing her cache. From 4403 that point on, the two parties start over with a new cached shared 4404 secret. Then they can go back to omitting the voice authentication 4405 on later calls. 4407 A particularly compelling reason why this approach is attractive is 4408 that SAS is easiest to implement when a graphical user interface or 4409 some sort of display is available, which raises the question of what 4410 to do when a display is less conveniently available. For example, 4411 some devices that implement ZRTP might have a graphical user 4412 interface that is only visible through a web browser, such as a PBX 4413 or some other nearby device that implements ZRTP as a "bump-in-the- 4414 wire". If we take an approach that greatly reduces the need for a 4415 SAS in each and every call, we can operate in products without a 4416 graphical user interface with greater ease. Then the SAS can be 4417 compared less frequently through a web browser, or it might even be 4418 presented as needed to the local user through a locally generated 4419 voice prompt, which the local user hears and verbally repeats and 4420 compares with the remote party. Using a voice prompt in this way is 4421 purely for the local ZRTP user agent to render the SAS to the local 4422 user, and is not to be confused with the verbal comparison of the SAS 4423 between two human users. 4425 It is a good idea to force your opponent to have to solve multiple 4426 problems in order to mount a successful attack. Some examples of 4427 widely differing problems we might like to present him with are: 4428 Stealing a shared secret from one of the parties, being present on 4429 the very first session and every subsequent session to carry out an 4430 active MiTM attack, and solving the discrete log problem. We want to 4431 force the opponent to solve more than one of these problems to 4432 succeed. 4434 ZRTP can use different kinds of shared secrets. Each type of shared 4435 secret is determined by a different method. All of the shared 4436 secrets are hashed together to form a session key to encrypt the 4437 call. An attacker must defeat all of the methods in order to 4438 determine the session key. 4440 First, there is the shared secret determined entirely by a Diffie- 4441 Hellman key agreement. It changes with every call, based on random 4442 numbers. An attacker may attempt a classic DH MiTM attack on this 4443 secret, but we can protect against this by displaying and reading 4444 aloud an SAS, combined with adding a hash commitment at the beginning 4445 of the DH exchange. 4447 Second, there is an evolving shared secret, or ongoing shared secret 4448 that is automatically changed and refreshed and cached with every new 4449 session. We will call this the cached shared secret, or sometimes 4450 the retained shared secret. Each new image of this ongoing secret is 4451 a non-invertable function of its previous value and the new secret 4452 derived by the new DH agreement. It is possible that no cached 4453 shared secret is available, because there were no previous sessions 4454 to inherit this value from, or because one side loses its cache. 4456 There are other approaches for key agreement for SRTP that compute a 4457 shared secret using information in the signaling. For example, 4458 [RFC4567] describes how to carry a MIKEY (Multimedia Internet KEYing) 4459 [RFC3830] payload in SDP [RFC4566]. Or RFC 4568 (SDES) [RFC4568] 4460 describes directly carrying SRTP keying and configuration information 4461 in SDP. ZRTP does not rely on the signaling to compute a shared 4462 secret, but if a client does produce a shared secret via the 4463 signaling, and makes it available to the ZRTP protocol, ZRTP can make 4464 use of this shared secret to augment the list of shared secrets that 4465 will be hashed together to form a session key. This way, any 4466 security weaknesses that might compromise the shared secret 4467 contributed by the signaling will not harm the final resulting 4468 session key. 4470 The shared secret provided by the signaling (if available), the 4471 shared secret computed by DH, and the cached shared secret are all 4472 hashed together to compute the session key for a call. If the cached 4473 shared secret is not available, it is omitted from the hash 4474 computation. If the signaling provides no shared secret, it is also 4475 omitted from the hash computation. 4477 No DH MiTM attack can succeed if the ongoing shared secret is 4478 available to the two parties, but not to the attacker. This is 4479 because the attacker cannot compute a common session key with either 4480 party without knowing the cached secret component, even if he 4481 correctly executes a classic DH MiTM attack. 4483 If any new security considerations emerge later regarding the ZRTP 4484 protocol, they will be posted in [zrtp-addenda]. 4486 15.1. Self-healing Key Continuity Feature 4488 The key continuity features of ZRTP are analogous to those provided 4489 by SSH (Secure Shell) [RFC4251], but they differ in one respect. SSH 4490 caches public signature keys that never change, and uses a permanent 4491 private signature key that must be guarded from disclosure. If 4492 someone steals your SSH private signature key, they can impersonate 4493 you in all future sessions and mount a successful MiTM attack any 4494 time they want. 4496 ZRTP caches symmetric key material used to compute secret session 4497 keys, and these values change with each session. If someone steals 4498 your ZRTP shared secret cache, they only get one chance to mount a 4499 MiTM attack, in the very next session. If they miss that chance, the 4500 retained shared secret is refreshed with a new value, and the window 4501 of vulnerability heals itself, which means they are locked out of any 4502 future opportunities to mount a MiTM attack. This gives ZRTP a 4503 "self-healing" feature if any cached key material is compromised. 4505 A MiTM attacker must always be in the media path. This presents a 4506 significant operational burden for the attacker in many VoIP usage 4507 scenarios, because being in the media path for every call is often 4508 harder than being in the signaling path. This will likely create 4509 coverage gaps in the attacker's opportunities to mount a MiTM attack. 4510 ZRTP's self-healing key continuity features are better than SSH at 4511 exploiting any temporary gaps in MiTM attack coverage. Thus, ZRTP 4512 quickly recovers from any disclosure of cached key material. 4514 The infamous Debian OpenSSL weak key vulnerability [dsa-1571] 4515 (discovered and patched in May 2008) offers a real-world example of 4516 why ZRTP's self-healing scheme is a good way to do key continuity. 4517 The Debian bug resulted in the production of a lot of weak SSH (and 4518 TLS/SSL) keys, which continued to compromise security even after the 4519 bug had been patched. In contrast, ZRTP's key continuity scheme adds 4520 new entropy to the cached key material with every call, so old 4521 deficiencies in entropy are washed away with each new session. 4523 It should be noted that the addition of shared secret entropy from 4524 previous sessions can extend the strength of the new session key to 4525 AES-256 levels, even if the new session uses Diffie-Hellman keys no 4526 larger than DH-3072 or ECDH-256, provided the cached shared secrets 4527 were initially established when the wiretapper was not present. This 4528 is why AES-256 MAY be used with the smaller DH key sizes in 4529 Section 5.1.5, despite the key strength comparisons in Table 2 of 4530 [SP800-57-Part1]. 4532 Caching shared symmetric key material is also less CPU intensive 4533 compared with using digital signatures, which may be important for 4534 low-power mobile platforms. 4536 16. Implementaion Guidelines 4538 Suggestions for implementing the ZRTP protocol may be found in 4539 [zrtp-addenda]. 4541 17. Acknowledgments 4543 The authors would like to thank Bryce "Zooko" Wilcox-O'Hearn and 4544 Colin Plumb for their contributions to the design of this protocol, 4545 and to thank Hal Finney, Viktor Krikun, Werner Dittmann, Dan Wing, 4546 Sagar Pai, Lily Chen, David McGrew, Colin Perkins, Richard Harris, 4547 Roni Even, Jon Peterson, and Robert Sparks for their helpful comments 4548 and suggestions. 4550 The use of hash chains to key HMACs in ZRTP is similar to Adrian 4551 Perrig's TESLA protocol [TESLA]. 4553 18. References 4555 18.1. Normative References 4557 [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- 4558 Hashing for Message Authentication", RFC 2104, 4559 February 1997. 4561 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 4562 Requirement Levels", BCP 14, RFC 2119, March 1997. 4564 [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) 4565 Diffie-Hellman groups for Internet Key Exchange (IKE)", 4566 RFC 3526, May 2003. 4568 [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. 4569 Jacobson, "RTP: A Transport Protocol for Real-Time 4570 Applications", STD 64, RFC 3550, July 2003. 4572 [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. 4573 Norrman, "The Secure Real-time Transport Protocol (SRTP)", 4574 RFC 3711, March 2004. 4576 [RFC3713] Matsui, M., Nakajima, J., and S. Moriai, "A Description of 4577 the Camellia Encryption Algorithm", RFC 3713, April 2004. 4579 [RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA- 4580 224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", 4581 RFC 4231, December 2005. 4583 [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session 4584 Description Protocol", RFC 4566, July 2006. 4586 [RFC4753] Fu, D. and J. Solinas, "ECP Groups For IKE and IKEv2", 4587 RFC 4753, January 2007. 4589 [RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. 4590 Thayer, "OpenPGP Message Format", RFC 4880, November 2007. 4592 [RFC4960] Stewart, R., "Stream Control Transmission Protocol", 4593 RFC 4960, September 2007. 4595 [RFC5479] Wing, D., Fries, S., Tschofenig, H., and F. Audet, 4596 "Requirements and Analysis of Media Security Management 4597 Protocols", RFC 5479, April 2009. 4599 [I-D.ietf-avt-srtp-big-aes] 4600 McGrew, D., "The use of AES-192 and AES-256 in Secure 4601 RTP", 4602 http://tools.ietf.org/html/draft-ietf-avt-srtp-big-aes . 4604 [I-D.jivsov-openpgp-ecc] 4605 Jivsov, A., "ECC in OpenPGP", 4606 http://tools.ietf.org/html/draft-jivsov-openpgp-ecc . 4608 [FIPS-140-2-Annex-A] 4609 "Annex A: Approved Security Functions for FIPS PUB 140-2", 4610 NIST FIPS PUB 140-2 Annex A October 2008. 4612 [FIPS-140-2-Annex-D] 4613 "Annex D: Approved Key Establishment Techniques for FIPS 4614 PUB 140-2", NIST FIPS PUB 140-2 Annex D January 2008. 4616 [FIPS-180-3] 4617 "Secure Hash Standard (SHS)", NIST FIPS PUB 180-3 October 4618 2008. 4620 [FIPS-186-3] 4621 "Digital Signature Standard (DSS)", NIST FIPS PUB 186- 4622 3 June 2009. 4624 [FIPS-197] 4625 "Advanced Encryption Standard (AES)", NIST FIPS PUB 4626 197 November 2001. 4628 [FIPS-198-1] 4629 "The Keyed-Hash Message Authentication Code (HMAC)", NIST 4630 FIPS PUB 198-1 July 2008. 4632 [SP800-38A] 4633 Dworkin, M., "Recommendation for Block Cipher Modes of 4634 Operation", NIST Special Publication 800-38A 2001 Edition. 4636 [SP800-56A] 4637 Barker, E., Johnson, D., and M. Smid, "Recommendation for 4638 Pair-Wise Key Establishment Schemes Using Discrete 4639 Logarithm Cryptography", NIST Special Publication 800- 4640 56A Revision 1, March 2007. 4642 [SP800-90] 4643 Barker, E. and J. Kelsey, "Recommendation for Random 4644 Number Generation Using Deterministic Random Bit 4645 Generators", NIST Special Publication 800-90 (Revised) 4646 March 2007. 4648 [SP800-108] 4649 Chen, L., "Recommendation for Key Derivation Using 4650 Pseudorandom Functions", NIST Special Publication 800- 4651 108 November 2008. 4653 [NSA-Suite-B] 4654 "NSA Suite B Cryptography", NSA Information Assurance 4655 Directorate NSA Suite B Cryptography. 4657 [NSA-Suite-B-Cert] 4658 "Suite B Base Certificate and CRL Profile", 4659 Suite B Base Certificate and CRL Profile 27 May 2008. 4661 [NSA-Suite-B-Guide-56A] 4662 "Suite B Implementer's Guide to NIST SP 800-56A", Suite B 4663 Implementer's Guide to NIST SP 800-56A 28 July 2009. 4665 [XEP-0262] 4666 Saint-Andre, P., "Use of ZRTP in Jingle RTP Sessions", XSF 4667 XEP 0262, February 2009. 4669 [TwoFish] Schneier, B., Kelsey, J., Whiting, D., Hall, C., and N. 4670 Ferguson, "Twofish: A 128-Bit Block Cipher", 4671 http://www.schneier.com/paper-twofish-paper.html . 4673 [pgpwordlist] 4674 "PGP Word List", 4675 http://philzimmermann.com/docs/PGP_word_list.pdf . 4677 18.2. Informative References 4679 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 4680 A., Peterson, J., Sparks, R., Handley, M., and E. 4681 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 4682 June 2002. 4684 [RFC3514] Bellovin, S., "The Security Flag in the IPv4 Header", 4685 RFC 3514, April 1 2003. 4687 [RFC3824] Peterson, J., Liu, H., Yu, J., and B. Campbell, "Using 4688 E.164 numbers with the Session Initiation Protocol (SIP)", 4689 RFC 3824, June 2004. 4691 [RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. 4692 Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, 4693 August 2004. 4695 [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness 4696 Requirements for Security", BCP 106, RFC 4086, June 2005. 4698 [RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) 4699 Protocol Architecture", RFC 4251, January 2006. 4701 [RFC4474] Peterson, J. and C. Jennings, "Enhancements for 4702 Authenticated Identity Management in the Session 4703 Initiation Protocol (SIP)", RFC 4474, August 2006. 4705 [RFC4475] Sparks, R., Hawrylyshen, A., Johnston, A., Rosenberg, J., 4706 and H. Schulzrinne, "Session Initiation Protocol (SIP) 4707 Torture Test Messages", RFC 4475, May 2006. 4709 [RFC4567] Arkko, J., Lindholm, F., Naslund, M., Norrman, K., and E. 4710 Carrara, "Key Management Extensions for Session 4711 Description Protocol (SDP) and Real Time Streaming 4712 Protocol (RTSP)", RFC 4567, July 2006. 4714 [RFC4568] Andreasen, F., Baugher, M., and D. Wing, "Session 4715 Description Protocol (SDP) Security Descriptions for Media 4716 Streams", RFC 4568, July 2006. 4718 [RFC4579] Johnston, A. and O. Levin, "Session Initiation Protocol 4719 (SIP) Call Control - Conferencing for User Agents", 4720 BCP 119, RFC 4579, August 2006. 4722 [I-D.ietf-mmusic-ice] 4723 Rosenberg, J., "Interactive Connectivity Establishment 4724 (ICE): A Protocol for Network Address Translator (NAT) 4725 Traversal for Offer/Answer Protocols", 4726 draft-ietf-mmusic-ice-19 (work in progress), October 2007. 4728 [I-D.ietf-avt-dtls-srtp] 4729 McGrew, D. and E. Rescorla, "Datagram Transport Layer 4730 Security (DTLS) Extension to Establish Keys for Secure 4731 Real-time Transport Protocol (SRTP)", 4732 draft-ietf-avt-dtls-srtp-07 (work in progress), 4733 February 2009. 4735 [I-D.wing-sip-identity-media] 4736 Wing, D. and H. Kaplan, "SIP Identity using Media Path", 4737 http://tools.ietf.org/html/draft-wing-sip-identity-media . 4739 [SP800-57-Part1] 4740 Barker, E., Barker, W., Burr, W., Polk, W., and M. Smid, 4741 "Recommendation for Key Management - Part 1: General 4742 (Revised)", NIST Special Publication 800-57 - Part 4743 1 Revised March 2007. 4745 [SHA-3] "Cryptographic Hash Algorithm Competition", NIST Computer 4746 Security Resource Center Cryptographic Hash Project. 4748 [Ferguson] 4749 Ferguson, N. and B. Schneier, "Practical Cryptography", 4750 Wiley Publishing 2003. 4752 [Juola1] Juola, P. and P. Zimmermann, "Whole-Word Phonetic 4753 Distances and the PGPfone Alphabet", Proceedings of the 4754 International Conference of Spoken Language Processing 4755 (ICSLP-96) 1996. 4757 [Juola2] Juola, P., "Isolated Word Confusion Metrics and the 4758 PGPfone Alphabet", Proceedings of New Methods in Language 4759 Processing 1996. 4761 [pgpfone] Zimmermann, P., "PGPfone", 4762 http://philzimmermann.com/docs/pgpfone10b7.pdf . 4764 [zrtp-addenda] 4765 Zimmermann, P., "Addenda to ZRTP spec", 4766 http://philzimmermann.com/docs/zrtp_addenda.html . 4768 [zfone] Zimmermann, P., "Zfone", 4769 http://www.philzimmermann.com/zfone . 4771 [Byzantine] 4772 "The Two Generals' Problem", 4773 http://en.wikipedia.org/wiki/Two_Generals%27_Problem . 4775 [TESLA] Perrig, A., Canetti, R., Tygar, J., and D. Song, "The 4776 TESLA Broadcast Authentication Protocol", http:// 4777 www.ece.cmu.edu/~adrian/projects/tesla-cryptobytes/ 4778 tesla-cryptobytes.pdf . 4780 [z-base-32] 4781 Wilcox-O'Hearn, B., "Human-oriented base-32 encoding", htt 4782 p://philzimmermann.com/docs/ 4783 human-oriented-base-32-encoding.txt , November 2009. 4785 [comsec] Blossom, E., "The VP1 Protocol for Voice Privacy Devices 4786 Version 1.2", http://www.comsec.com/vp1-protocol.pdf . 4788 [cryptophone] 4789 "CryptoPhone", http://www.cryptophone.de/ . 4791 [Wright1] Wright, C., Ballard, L., Coull, S., Monrose, F., and G. 4792 Masson, "Spot me if you can: Uncovering spoken phrases in 4793 encrypted VoIP conversations", Proceedings of the 2008 4794 IEEE Symposium on Security and Privacy 2008. 4796 [dsa-1571] 4797 "Debian Security Advisory - OpenSSL predictable random 4798 number generator", 4799 http://www.debian.org/security/2008/dsa-1571 . 4801 Authors' Addresses 4803 Philip Zimmermann 4804 Zfone Project 4806 Email: prz@mit.edu 4808 Alan Johnston (editor) 4809 Avaya 4810 St. Louis, MO 63124 4812 Email: alan@sipstation.com 4814 Jon Callas 4815 PGP Corp. 4817 Email: jon@callas.org