文章基本信息

标题：Security and Usability Aspects of Man-in-the-Middle Attacks on ZRTP
作者：Martin Petraschek ; Thomas Hoeher ; Oliver Jung 等
期刊名称：Journal of Universal Computer Science
印刷版ISSN：0948-6968
出版年度：2008
卷号：14
期号：5
页码：673-692
出版社：Graz University of Technology and Know-Center
摘要：ZRTP is a protocol designed to set up a shared secret between two communication parties which is subsequently used to secure the media stream (i.e. the audio data) of a VoIP connection. It uses Diffie-Hellman (DH) key exchange to agree upon a session key, which is inherently vulnerable to active Man-in-the-Middle (MitM) attacks. Therefore ZRTP introduces some proven methods to detect such attacks. The most important measure is a so called Short Authentication String (SAS). This is a set of characters that is derived essentially from the public values of the Diffie-Hellman key exchange and displayed to the end users for reading out and comparing over the phone. If the SAS on the caller's and the callee's side match, there is a high probability that no MitM attack is going on. Furthermore, ZRTP offers a form of key continuity by caching key material from previous sessions for use in the next call. In order to prevent that a MitM can manipulate the Diffie-Hellman key exchange in such a way that both partners get the same SAS although different shared keys were negotiated, ZRTP uses hash commitment for the public DH value.

Despite these measures a Relay Attack (also known as Mafia Fraud Attack or Chess Grandmaster Attack) is still possible. We present a practical implementation of such an attack and discuss its characteristics and limitations, and show that the attack works only in certain scenarios.