

Article Id: WHEBN0004422674

Title: Zrtp  
Author: World Heritage Encyclopedia
Language: English
Subject: Zfone, Secure telephone, Jitsi, Voice over IP, Ring (software)
Collection: Cryptographic Protocols
Publisher: World Heritage Encyclopedia


ZRTP (composed of Z and Real-time Transport Protocol) is a cryptographic key-agreement protocol for negotiating the encryption keys between two endpoints in a Voice over Internet Protocol (VoIP) telephony call based on the Real-time Transport Protocol. It uses Diffie–Hellman key exchange and the Secure Real-time Transport Protocol (SRTP) for encryption. ZRTP was developed by Phil Zimmermann, with help from Bryce Wilcox-O'Hearn, Colin Plumb, Jon Callas and Alan Johnston, and was submitted to the Internet Engineering Task Force (IETF) by Phil Zimmermann, Jon Callas and Alan Johnston on March 5, 2006[1] and published on April 11, 2011 as RFC 6189.


Overview


ZRTP ("Z" is a reference to its inventor Phil Zimmermann; "RTP" stands for Real-time Transport Protocol)[2] is described in the Internet Draft as a "key agreement protocol which performs Diffie–Hellman key exchange during call setup in-band in the Real-time Transport Protocol (RTP) media stream which has been established using some other signaling protocol such as Session Initiation Protocol (SIP). This generates a shared secret which is then used to generate keys and salt for a Secure RTP (SRTP) session." One of ZRTP's features is that it does not rely on SIP signaling for the key management, or on any servers at all. It supports opportunistic encryption by auto-sensing if the other VoIP client supports ZRTP.

This protocol does not require prior shared secrets, nor does it rely on a public key infrastructure (PKI) or on certification authorities. Instead, ephemeral Diffie–Hellman keys are generated on each session establishment, which allows the complexity of creating and maintaining a trusted third party to be bypassed.

These keys contribute to the generation of the session secret, from which the session key and parameters for SRTP sessions are derived, along with previously shared secrets (if any). This gives protection against man-in-the-middle (MitM) attacks, so long as the attacker was not present in the first session between the two endpoints.

ZRTP can be used with any signaling protocol, including SIP, H.323, Jingle, and distributed hash table systems. ZRTP is independent of the signaling layer, because all its key negotiations occur via the RTP media stream.

ZRTP/S, a ZRTP protocol extension, can run on any kind of legacy telephony networks including GSM, UMTS, ISDN, PSTN, SATCOM, UHF/VHF radio, because it is a narrow-band bitstream-oriented protocol and performs all key negotiations inside the bitstream between two endpoints.

Alan Johnston named the protocol ZRTP because in its earliest Internet drafts[1] it was based on adding header extensions to RTP packets, which made ZRTP a variant of RTP. In later drafts the packet format changed to make it syntactically distinguishable from RTP. In view of that change, ZRTP is now a pseudo-acronym.



Authentication

The Diffie–Hellman key exchange by itself does not provide protection against a man-in-the-middle attack. To ensure that the attacker is indeed not present in the first session (when no shared secrets exist), the Short Authentication String (SAS) method is used: the communicating parties verbally cross-check a shared value displayed at both endpoints. If the values do not match, a man-in-the-middle attack is indicated. (In late 2006 the US NSA developed an experimental voice analysis and synthesis system to defeat this protection,[3] but this class of attack is not believed to be a serious risk to the protocol's security.[1])

SAS

The SAS, which is essentially a cryptographic hash of the two Diffie–Hellman values, is used to authenticate the key exchange. The SAS value is rendered to both ZRTP endpoints. To carry out authentication, this SAS value is read aloud to the communication partner over the voice connection. If the values on both ends do not match, a man-in-the-middle attack is indicated; if they do match, a man-in-the-middle attack is highly unlikely. The use of hash commitment in the DH exchange constrains the attacker to only one guess to generate the correct SAS in the attack, which means the SAS may be quite short. A 16-bit SAS, for example, provides the attacker only one chance out of 65536 of not being detected.
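The commitment check and SAS comparison described above, as an added Python sketch that is not taken from RFC 6189 or from any ZRTP implementation. The 127-bit toy group, the SAS derivation and every function name are assumptions chosen for illustration; real ZRTP uses the groups and key derivation defined in the RFC.

```python
import hashlib
import secrets

# Toy parameters (assumption, NOT secure): a 127-bit Mersenne prime group.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def to_bytes(n):
    return n.to_bytes(16, "big")

def commit(pub):
    """Hash commitment sent before the DH value itself is revealed."""
    return hashlib.sha256(to_bytes(pub)).digest()

def verify_reveal(commitment, revealed_pub):
    """Check made when the committed DH value finally arrives."""
    return secrets.compare_digest(commitment, commit(revealed_pub))

def sas16(shared, pub_a, pub_b):
    """16-bit SAS: truncated hash over the exchange (simplified derivation)."""
    data = to_bytes(shared) + to_bytes(pub_a) + to_bytes(pub_b)
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

def call(intercepted=False):
    """Return the pair of SAS values shown on the two phones."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if not intercepted:
        c = commit(a_pub)                # 1. Alice sends only the commitment
        # 2. Bob sends b_pub; 3. Alice reveals a_pub and Bob checks it
        if not verify_reveal(c, a_pub):
            raise ValueError("revealed DH value does not match commitment")
        return (sas16(pow(b_pub, a_priv, P), a_pub, b_pub),
                sas16(pow(a_pub, b_priv, P), a_pub, b_pub))
    # Intercepted call: each side unknowingly completes DH with a third key
    # pair that had to be fixed before the other values were visible.
    m_priv, m_pub = keypair()
    return (sas16(pow(m_pub, a_priv, P), a_pub, m_pub),
            sas16(pow(m_pub, b_priv, P), m_pub, b_pub))
```

Because the third key pair is fixed before the other side's value is seen, the two displayed strings in an intercepted call agree only by chance, which is the one-in-65536 figure quoted above.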

Key continuity

ZRTP provides a second layer of authentication against a MitM attack, based on a form of key continuity. It does this by caching some hashed key information for use in the next call, to be mixed in with the next call's DH shared secret, giving it key continuity properties analogous to SSH. If the MitM is not present in the first call, he is locked out of subsequent calls. Thus, even if the SAS is never used, most MitM attacks are stopped because the MitM was not present in the first call.
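A minimal model of this key-continuity cache, added here as an illustration and not taken from any ZRTP implementation. The `Endpoint` class, the role labels, the 8-byte identifier length and the choice to keep the old cache entry on a mismatch are assumptions; the DH result is a constructed random stand-in.

```python
import hashlib
import hmac
import os

def rs_id(rs, role):
    """Truncated MAC identifying a cached secret without revealing it."""
    return hmac.new(rs, role, hashlib.sha256).digest()[:8]

class Endpoint:
    def __init__(self):
        self.cache = {}  # peer name -> secret retained from the previous call

    def offer_id(self, peer, my_role):
        rs = self.cache.get(peer)
        # A random value is offered when nothing is cached for this peer.
        return rs_id(rs, my_role) if rs else os.urandom(8)

    def finish_call(self, peer, dh_result, peer_id, peer_role):
        rs = self.cache.get(peer)
        if rs is None:
            status = "no-cache"            # first call: only the SAS authenticates it
        elif hmac.compare_digest(rs_id(rs, peer_role), peer_id):
            status = "continuity-ok"
        else:
            status, rs = "mismatch", None  # warn the user; fall back to the SAS
        # Mix the cached secret (if trusted) into this call's DH result.
        s0 = hashlib.sha256(dh_result + (rs or b"")).digest()
        if status != "mismatch":           # model choice: keep old cache on mismatch
            self.cache[peer] = hmac.new(s0, b"retained secret",
                                        hashlib.sha256).digest()
        return s0, status

def honest_call(alice, bob):
    dh = os.urandom(32)  # constructed stand-in for the DH shared secret
    id_a = alice.offer_id("bob", b"Initiator")
    id_b = bob.offer_id("alice", b"Responder")
    return (alice.finish_call("bob", dh, id_b, b"Responder"),
            bob.finish_call("alice", dh, id_a, b"Initiator"))

def intercepted_call(alice):
    # The party on the other end never saw the cached secret, so the
    # identifier it presents cannot match what Alice expects from Bob.
    return alice.finish_call("bob", os.urandom(32), os.urandom(8), b"Responder")
```

A "mismatch" status is the signal to alert the user and require a spoken SAS comparison before trusting the call.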

Operating environment


Implementations

ZRTP has been implemented as

Commercial implementations of ZRTP are available in RokaCom from RokaCom,[9] and PrivateGSM from PrivateWave[10] and more recently in Silent Phone from Silent Circle, a company founded by Phil Zimmermann.[11] Draytek support ZRTP in some of their VoIP hardware and software.[12][13]

See also


References

  1. Zimmermann, Phil (2010-06-17). "Internet-Draft. ZRTP: Media Path Key Agreement for Unicast Secure RTP". Retrieved 2010-06-17.
  2. Alan B. Johnston's Blog: ZRTP Published Today as RFC 6189. Retrieved 2013-01-13.
  3. Cryptologic Quarterly, Volume 26, Number 4.
  4. "Gnu Zrtp". 2013-09-09. Retrieved 2014-06-07.
  5. "GNU ZRTP4J". Retrieved 2014-06-07.
  6. README. "ortp". Retrieved 2014-06-07.
  7. "oRTP, a Real-time Transport Protocol (RTP,RFC3550) library | Linphone, an open-source video sip phone". Retrieved 2014-06-07.
  8. "libzrtp". Retrieved 2014-06-07.
  9. "RokaCom". RokaCom. 2014-11-29.
  10. "PrivateWave". PrivateWave. 1999-02-22. Retrieved 2014-06-07.
  11. "Silent Circle". Silent Circle. Retrieved 2014-06-07.
  12. "Specification of Draytek 2820Vn ADSL modem/router/switch". 2013-08-13. Retrieved 2014-06-07.
  13. "Draytek Softphone (software) description". Retrieved 2014-06-07.

External links

  • The Zfone Project — ZRTP Specification and reference ZRTP protocol implementation in C
  • ZORG — Open-source ZRTP protocol implementation in C++ and Java, optimized for mobile phones, under GNU Affero General Public License, integrated with the PJSIP and MJSIP telephony frameworks
  • RFC 6189 — ZRTP: Media Path Key Agreement for Unicast Secure RTP
  • GNU ZRTP — Open Source ZRTP protocol implementation in C++ and Java under GNU General Public License integrated with GNU TELEPHONY framework
  • Open ZRTP — Open Source ZRTP protocol implementation in C++ under GNU Lesser General Public License integrated with PJSIP framework, maintained by iCall
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply.