Security and Usability Aspects of Man-in-the-Middle Attacks on ZRTP

Zrtp is a protocol designed to set up a shared secret between two communication parties which is subsequently used to secure the media stream (i.e. the audio data) of a voip connection. it uses diffie-hellman (dh) key exchange to agree upon a session key, which is inherently vulnerable to active man-in-the-middle (mitm) attacks. therefore zrtp introduces some proven methods to detect such attacks. the most important measure is a so called short authentication string (sas). this is a set of characters that is derived essentially from the public values of the diffie-hellman key exchange and displayed to the end users for reading out and comparing over the phone. if the sas on the caller's and the callee's side match, there is a high probability that no mitm attack is going on. furthermore, zrtp offers a form of key continuity by caching key material from previous sessions for use in the next call. in order to prevent that a mitm can manipulate the diffie-hellman key exchange in such a way that both partners get the same sas although different shared keys were negotiated, zrtp uses hash commitment for the public dh value despite these measures a relay attack (also known as mafia fraud attack or chess grandmaster attack) is still possible. we present a practical implementation of such an attack and discuss its characteristics and limitations, and show that the attack works only in certain scenarios.