Poster: Handsfree ZRTP - A Novel Key Agreement for RTP, Protected by Voice Commitments

Recently, several mobile applications were released that claim to provide secure Voice-over-IP communications. Most of these, e.g., Redphone by Open WhisperSystems or Silent Phone by Silent Circle, are utilizing ZRTP [4] to establish session keys for end-to-end security. ZRTP was designed to achieve key exchange without trusted third parties or certificate infrastructure, while providing a way to protect against Man-in-the-Middle (MitM) attacks. The basic idea is that the caller and callee can verify that no MitM attacker is present by recognizing the voice of the peer, while comparing Short Authentication Strings (SAS). We rethink ZRTP’s concept of voice recognition by utilising audio fingerprinting to replace the manual comparison of SAS. This enables the use of devices without displays and hands-free equipment. It provides end-to-end secure communications in cars, while the driver focuses on the street. We discuss shortcomings of ZRTP, present our novel authentication protocol and discuss results from a case study on utilising audio fingerprints to establish a common secret via a remote connection. With this poster, we aim at gathering feedback and discussing attack scenarios, before implementing a prototype. ZRTP extends Diffie-Hellman (DH) key agreement by protection against MitM. It forces the callee to release a 256 bit hash hB of the DH public part yB in advance of exchanging the public parts yA, yB themselves. Due to this hash commitment, an attacker can only guess once with a chance of 1:65536 by using 16 bit SAS [4]. The actual protection against MitM attacks is done by reading the SAS (generated from a combination of hB , yA, and yB) aloud, while the peer has to compare the heard SAS with a displayed one and simultaneously recognise the voice of the caller. For ease of use and pronunciation SAS are words in modern ZRTP implementations. An analogous verification can protect against sophisticated replay attacks, where an attacker impersonates one peer and calls in its name. In this case, the attacker has to use actual recorded speech to conduct a conversation, which is hard to perform unnoticed. Mutual authentication protects against impersonation as it also forces the attacker to read the SAS (or a part of it) aloud, which is tied to this specific key exchange by hash commitment [2].