
    Security and Usability Aspects of Man-in-the-Middle Attacks on ZRTP

    ZRTP is a protocol designed to set up a shared secret between two communication parties which is subsequently used to secure the media stream (i.e. the audio data) of a VoIP connection. It uses Diffie-Hellman (DH) key exchange to agree upon a session key, which is inherently vulnerable to active Man-in-the-Middle (MitM) attacks. Therefore, ZRTP introduces some proven methods to detect such attacks. The most important measure is a so-called Short Authentication String (SAS). This is a set of characters that is derived essentially from the public values of the Diffie-Hellman key exchange and displayed to the end users for reading out and comparing over the phone. If the SAS on the caller's and the callee's side match, there is a high probability that no MitM attack is going on. Furthermore, ZRTP offers a form of key continuity by caching key material from previous sessions for use in the next call. To prevent a MitM from manipulating the Diffie-Hellman key exchange in such a way that both partners get the same SAS although different shared keys were negotiated, ZRTP uses hash commitment for the public DH value. Despite these measures, a Relay Attack (also known as Mafia Fraud Attack or Chess Grandmaster Attack) is still possible. We present a practical implementation of such an attack and discuss its characteristics and limitations, and show that the attack works only in certain scenarios.

    Enhancing ZRTP by using Computational Puzzles

    In this paper we present and discuss a new approach for securing multimedia communication, which is based on three innovations. The first innovation is the integration of a challenge-response scheme for enhancing the Diffie-Hellman based ZRTP protocol. When being called, a callee must present the result of a computational puzzle (a "token") within a short amount of time. A Man-in-the-Middle (MitM) would not be able to compute such a token within the required time, and thus fail to get into the media path. The scheme works best in situations when ZRTP is most vulnerable to so-called Mafia Attacks, i.e., if both caller and callee do not know each other. The second innovation complements the first one on those occasions where the above scheme may fail. The call is delayed for a certain amount of time which depends on the agreed session key. Since during a MitM attack two different keys (and thus waiting times) exist, caller and callee would not start their call at the same time and the MitM attack would fail. The third innovation is in the definition of a new computational puzzle which forms the basis of the challenge-response scheme. We propose a computational puzzle which is based on computing selected eigenvectors of real symmetric matrices. In contrast to existing puzzles, the one we propose does not rely on a shared secret, can be validated quickly, and existing solution methods exhibit limited scalability so that the threat from attacks based on massively parallel computing resources can be controlled.