Jump to content

ZRTP Encryption


rmoura

Recommended Posts

Hello All,

 

 

I've seen only one topic that mentions ZRTP here. As we know, ZRTP should improve security over the currently used TLS + RTP Encryption scenario. I've seen on the M9 Blog ( Link to Snom M9 Blog ) that there was a test with the M9 and ZRTP, but it seems that this feature was not released into a production supported firmware.

 

Since the need for security is high and the current scenario, above mentioned, is not optimal, I would like to know if there REALLY is a firmware version that would make ANY kind of Snom device ZRTP compatible and whether SnomOne would be capable of dealing with this setup. In the case that there is, I would be interested in testing it even if it's unsupported.

 

Otherwise, how can we mitigate the privacy risks associated with this scenario ?

 

Tks.

Link to comment
Share on other sites

Well, first of all ZRTP also does not solve all problems. I don't think that ZRTP automatically improves security over TLS + SRTP (ZRTP actually also uses SRTP).

 

Okay, it does not have the centralized approach like PKI; so that users don't have to worry that someone stole the private key of on of the big Root CA or trusted intermediates. But if you have a closed user group, you can also set up your own PKI with no intermediates and then it all depends on you.

 

But ZRTP needs to establish a trust relationship with each and everyone. Especially for people who have a lot of initial contacts (cold contacts) have to trust the other side the first time, always. And the mutual authentication is not trivial either. Reading out numbers involved the users, which IMHO is annoying. In embedded devices, the space is not endless, so there will be records that are being dropped; the relationship needs to be re-negotiated Also, because the hashes are stored in the devices, they are usually much less protected than Fort-Knox like the snom m9. At the end of the day, the snom m9 is also only protected with the password that you choose. What would it mean is someone can get access to one device? Not being the biggest expert here, but it would mean that the credentials on that device can be used for all devices that this one has ever talked to. In some cases the decentralized approach can be a disadvantage compared to the centralized approach: You have to protect a lot of simple devices, compared to protecting one Root CA instance.

 

Of course the other topic is if ZRTP can be seen as mainstream. As far as I can tell, TLS is still very much mainstream today. If TLS 1.0 or 1.1 is frightening people, IMHO it would be better to focus on getting TLS 1.2 done instead of completely changing the approach.

 

In the PBX, a lot of information is written to the file system, including private keys. But when someone has file system access, that person can pretty much do anything with the PBX anyway. You must make sure that only authorized people have access. ZRTP does not change that.

 

Not being the biggest security in the world, I would rather set up my own PKI and do a lot so that the private key of the Root CA will not leak out. Then you should be in a very good shape. Also keep in mind that if someone wants to wiretap you, they can also use other mechanisms like laser and bugs which operate independently from the whole SRTP stuff. And don't forget that DECT broadcasts the traffic anyway...

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...