Re: [Linphone-developers] Integrating ZRTP protocol into LINphone


From: Simon Morlat
Subject: Re: [Linphone-developers] Integrating ZRTP protocol into LINphone
Date: Mon, 26 Jan 2009 22:09:20 +0100
User-agent: KMail/1.9.9

Interesting debate. But keep cool.

From what I understand about zrtp, it is interesting because it offers a 
secure method for key exchange without the need for SIP/TLS (which is 
required for a "just SRTP" solution).
zrtp is not an alternative to srtp, but a complementary layer that simplifies 
and secures key exchange.
I had a look at the libzrtp implementation (downloaded from zphoneproject.com, no 
need to contact Phil directly).
It looks very simple to use and easy to integrate.
Of course I desire the maximum security for all users. Security is on my TODO 
list. libzrtp looks like a quicker candidate than srtp for bringing security to 
linphone's voice & video streams.
However I can't tell you when linphone will have srtp/zrtp stuff integrated, 
simply because I have some hot items to work on that have already been planned for 
a long time.
Also, I recently created my company "Belledonne Communications" to execute 
paid jobs about linphone: this is the way to get things prioritized as you 
want and get results promptly. Several companies have already proceeded this way, 
and thanks to that we now have H264 and a pretty good Windows interface.
And thanks to them I could ask my employer for a part-time job starting March 1st 
so that I will be able to dedicate more time to this open source project in 
the future.
Ok, if you are not a company nor have commercial interest in getting the 
feature soon, you'll have to wait a bit.

Thank you for teaching me about zrtp.

Simon



On Sunday 25 January 2009 13:07:31 Earl, you wrote:
> On Sat, 24 Jan 2009, Earl wrote:
> > I am thinking about open-source standards, which Zphone is (IETF).
> > It is the only protocol that I know of that can resist
> > man-in-the-middle attacks.
>
> Hmm, please post a link for the ZRTP RFC, I can't find it...
>
> Doing a Google search for the words:  zrtp ietf
> gives 357 000 results
>
> I quote:
>
>       Here's what we last submitted to the IETF
>
> The ZRTP Internet Draft as last submitted on the IETF web site:
>
>     * http://tools.ietf.org/html/draft-zimmermann-avt-zrtp
>       This link also contains older obsolete drafts that can be
>       individually selected at the top of the page, and colorful tools
>       to review the changes between drafts.
>
> On our own web site, the submitted draft is also available:
>
>     * HTML
>       <http://www.zfoneproject.org/docs/ietf/draft-zimmermann-avt-zrtp.html> -
>       Nicely formatted and easier to read than the format used on the IETF web
>       site.
>
> The ZRTP draft is still undergoing changes, the last only 10 days ago.
> It may not yet have a RFC, don't know.
> =================
>
> > I believe the SRTP standard says very clearly in it that SRTP offers
> > zero security.
>
> What are you talking about??? SRTP does not get into key exchange, that
> is for other protocols to deal with. Even draft-zimmermann-avt-zrtp-12
> runs over SRTP!!!   Nathan Stratton
>
> That is exactly what I said in my last email:
> "Actually Zphone uses SRTP, but in a secure fashion.
> SSL/TLS does not warn you that there is a MITM, Zphone can
> warn you. "
>
> You said:
> "May want to think about standards based SRTP rather
> than the Zphone stuff... "
> But now you say ZRTP uses standards based SRTP.
>
> It is clear that SRTP can provide zero security, since SRTP
> has no secure way to exchange keys.
>
> Other protocols must be used for key exchange, but the
> big problem is that no known public key exchange can
> resist the MITM.
>
> For this reason, ZRTP uses a verbal SAS exchange, since
> its Diffie-Hellman key exchange can also be trivially
> broken just like all others, including SSL/TLS.
>
> The very fact that a verbal SAS exchange can discover
> the MITM existence will discourage this listening, since
> MITM do not like to be exposed.  This verbal SAS exchange
> makes ZRTP the "gold standard" for voice and video
> security.
>
> Nathan, if you would take the time to read about ZRTP, you
> would understand why it is fast becoming a de-facto security
> standard for RTP.  The Linux SIP program TWINKLE is using
> it internally, rather than an external Zphone.
> SIP-Communicator has also internally integrated it into its code.
> At the FOSDEM in Brussels (7-8 February 2009) there should
> be an interop demo between TWINKLE and SIP-COMMUNICATOR
> both using internal ZRTP protocol.
>
> Simon, I started this thread asking you to assure the correct
> functioning of the external Zphone program.
> I would now like to politely ask you to please contact Phil
> Zimmermann and tell him that you wish to integrate the ZRTP
> protocol into the LINphone code.  Phil could allow you
> confidential access to the latest ZRTP builds thereby
> permitting LINphone betas to have the latest ZRTP build and
> code.  Phil has a good relationship with a number of open
> source developers.
>
> Simon, I am assuming that you desire to have excellent security
> for voice and video integrated into LINphone.  If not, I am
> on a faux piste.
>
> Regards, Earl
> _______________________________________________
> Linphone-developers mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/linphone-developers
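
The SAS comparison described in the quoted message, as an added sketch that is not part of the original thread and is not libzrtp or Linphone code: a toy Diffie-Hellman exchange in which a relay that substitutes its own public value leaves the two endpoints displaying different short authentication strings. The group parameters, the function names and the simplified SAS derivation (20 bits of a SHA-256 hash) are assumptions for illustration, not ZRTP's actual key derivation.

```python
import hashlib
import secrets

# Toy parameters (assumption): a 127-bit Mersenne prime keeps the demo short.
# A real deployment uses much larger standardized groups.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_secret(priv, peer_pub):
    """Diffie-Hellman shared value as 16 bytes."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def sas(secret):
    """Simplified SAS: 20 bits of a hash of the secret as four characters."""
    alphabet = "ybndrfg8ejkmcpqxot1uwisza345h769"  # a 32-symbol base32 alphabet
    digest = hashlib.sha256(b"SAS" + secret).digest()
    bits = int.from_bytes(digest[:4], "big") >> 12
    return "".join(alphabet[(bits >> s) & 31] for s in (15, 10, 5, 0))

def call(relay_in_path):
    """Return the SAS that each endpoint displays after the exchange."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if relay_in_path:
        # The relay replaces the public value in both directions, so each
        # endpoint ends up sharing a different secret with the relay.
        _m_priv, m_pub = keypair()
        seen_by_a, seen_by_b = m_pub, m_pub
    else:
        seen_by_a, seen_by_b = b_pub, a_pub
    return (sas(shared_secret(a_priv, seen_by_a)),
            sas(shared_secret(b_priv, seen_by_b)))

def sas_matches(relay_in_path):
    """The check the two users perform by reading the SAS aloud."""
    sas_a, sas_b = call(relay_in_path)
    return sas_a == sas_b

if __name__ == "__main__":
    print("direct call, SAS pair:", call(False))
    print("relayed call, SAS pair:", call(True))
```
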
