#262 Add support for ZRTP

[Anonymous]

Originally created by: wheresau...@lavabit.com
Originally owned by: r3gis...@gmail.com

Not a bug - enhancement

please add ZRTP support this allows for a more secure handling of handset to handset key exchanges.   Two linux softphones I know of built on pjsip allow SRTP and ZRTP, allow using them at the same time.

other pjsip implementations:
http://www.sflphone.org/
http://twinklephone.com/

[Anonymous]

Originally posted by: r3gis...@gmail.com

I'll update the issue when something more stable will be there. Unfortunately, for now no other way than subscribing the rss feed of code changes on the google code project to get updated of the nightlies build changes.

About the hang problem, did you try to reboot the phone? And make sure there is no pending registration. I know that pjsua has a possible dead lock when you get two simultaneous incoming sip calls (due to 2 registrations on the same server, that could be to a crash or a reinstall without unregister or due to what is explained in the FAQ entry about two simultaneous incoming calls -> if so the solution is explained in the FAQ).

If not due to that point, maybe could be interesting if you can describe me the scenario to reproduce so that I can have a look where it goes wrong.

[Anonymous]

Originally posted by: dothangb...@gmail.com

@r3gis.3R about comment 22,24:
Will my RTP streams still be encrypted? if i disable SRTP option when using ZRTP

[Anonymous]

Originally posted by: werner...@googlemail.com

@comment #29
Please refer to comment #24 - the "normal" SRTP must be disabled. This SRTP
uses key that are exchanged via SIP and thus require an end-to-end secure SIP
which is a very rare case - if at all possible in the current infrastructure.

ZRTP uses it's own key negotiation mechanism and switches on SRTP automatically
once the SRTP keys are available and checked.

Regards,
Werner

[Anonymous]

Originally posted by: nguyentr...@gmail.com

hi r3gis.3R,
This is great project, with TLS&ZRTP support!
Can you share source code (and lib) of TLS&ZRTP version?

thanks!

[Anonymous]

Originally posted by: dothangb...@gmail.com

@werer & r3gis.3R:
thanks mans. I have tested your zrtp implement and the result is perfect. I install TCPdump on my android phone to capture data (in & out). When i disable zrtp, i can use wireshark to replay voice call (from captured data) and when i enable zrtp, i only hear noise.

[Anonymous]

Originally posted by: werner...@googlemail.com

The whole code isavailable in csipsimple's repository, also ZRTP (and it's associated
SRTP code) for PJSIP is available at github: https://github.com/wernerd/ZRTP4PJ .
Other implementations are available in Java and are also in use.

GNU ZRTP C++ and GNU ZRTP4J are the implementations for C++ and Java. PJSIP's ZRTP
is the same as GNU ZRTP C++ only C wrappers added and a PJSIP driver.

Regards,
Werner

[Anonymous]

Originally posted by: josef.schneider

Can I suggest that it should be possible to have SRTP and ZRTP enabled?
You can not always influence what the other party uses. Of course only one can be used in each call, but amything is better than no encryption

[Anonymous]

Originally posted by: werner...@googlemail.com

Just for info regarding the status of ZRTP in general:
ZRTP is now an official IETF RFC: RFC 6189 -

Congratulations to Phil who did it again.

Regards,
Werner

[Anonymous]

Originally posted by: francisc...@gmail.com

Can't make zrtp work :(

In the current nightlies,  using g729  codec and activateed "Create ZRTP" in secure transport options but when i sniff a call with wireshark i can decode the content :(

Any tips?

[Anonymous]

Originally posted by: chhab...@gmail.com

Same here. Installed the latest nightly enabled ZRTP but somehow it seems not activiated. Do I mess something here?

[Anonymous]

Originally posted by: r3gis...@gmail.com

Thanks for the report, I'll have a look. I've maybe lost the alert popuo while refactoring ui.

[Anonymous]

Originally posted by: francisc...@gmail.com

please post updates here if you get the problem fixed :-)

also, it would be nice to have a stable release that has ZRTP

btw, great work with csipsimple :-)

[Anonymous]

Originally posted by: r3gis...@gmail.com

[r825] re-integrate ZRTP popup dialog to call screen.
It will be built tonight, let me know how it goes.

[Anonymous]

Originally posted by: francisc...@gmail.com

unfortunately, i have never seen the ZRTP popup dialog but i just tested [r825] and it's similar behavior to the previous nightlies.

although I haven't been able to sniff the traffic right now to check if it's encrypted, when I select "create ZRTP" it just does nothing and in-call there is no sign of ZRTP presence.

I'm going to try and sniff the traffic but I think the changes weren't effective as i supose i should see ZRTP related dialogs, even in the options, which i don't :(

Cheers

[Anonymous]

Originally posted by: miklosb...@gmail.com

can you tell me which was the last release with working zrtp? I want to wireshark it
Thanks

[Anonymous]

Originally posted by: r3gis...@gmail.com

[r829] should work (http://nightlies.csipsimple.com/tls/). At least I did a test yesterday and it was working.
Normally if both side supports ZRTP a popup should appear that allow you to confirm SAS.

For now there is no other visual feedback but it should be enough to give you feedback about the fact ZRTP is taken into account once you press ok on this popup.

Just additional note : do not hold the call else it will not work after retrieve. And do not multiple calls at the same time (no conference with ZRTP yet).

[Anonymous]

Originally posted by: miklosb...@gmail.com

I just tried it between a nexus s and a htc desire with the [r829], and I couldnt manage to get the popup. Im using a self configured asterisk server placed in a university network. As I know, for the zrtp theres no need to configure anything extra in the asterisk. Am I right?

Do you have any suggestion? For example can you give me some step-by-step guide to the setup that enables using it?(who knows probably I forgot to set something up)

[Anonymous]

Originally posted by: francisc...@gmail.com

I confirm that ZRTP is working now, I even sniffed in Wireshark to compare.

but I now have a weird issue that I'm not sure if it's csipsimple related.

i have 2 phones that are exactly the same, even the same firmware (from stock) and same customizations. On the network menu, one phone has the "Secure transport" submenu and the other one doesn't.

both of them have the [r829]-tls branch installed :-(

@miklos did you go to "Settings" -> "Network" -> "Secure Transport" -> "ZRTP Mode" -> select "Create ZRTP" and that should be enough.

[Anonymous]

Originally posted by: francisc...@gmail.com

I just found out the solution to my problem, if by some chance you don't see the "Secure Transport" option. try and configure a valid SIP account somewhere and when the account is "registered" on the sip server, that option on the menu WILL show up.

also, make sure SRTP is disabled.

build [r829]-tls worked fine.

ZRTP+G.729 works wonders :-) csipsimple rox!

[Anonymous]

Originally posted by: werner...@googlemail.com

@miklos

Be careful is Asterisk is somehow in the media communication (RTP) path. Most often
Asterisk modifies the RTP packets or even encodes/decodes them. ZRTP requires a
transparent end-to-end RTP connection, no intermediate system shall deal with the
RTP packet - only forward them.

Regards,
Werner

[Anonymous]

Originally posted by: jtaylor...@gmail.com

Tested ZRTP and it works, I didn't find any issue. But I have a question: can you change the "Settings" -> "Network" -> "Secure Transport" -> "ZRTP Mode" menu so that we can choose between "Disabled", "Optional" and "Mandatory"?

This would be nice 1) for consistency with the "SRTP Mode" and 2) because users can have mandatory encryption if they want it.

[Anonymous]

Originally posted by: r3gis...@gmail.com

Werner will correct me if I mistake, but my understand is the following :

ZRTP is somehow always optional cause it is based on RTP and send on RTP some hello to see if other part does accept that.

SRTP mechanism is different. There is mandatory SDP infos about the fact the call will be done using SRTP, while using ZRTP it's not mandatory.

I think that besides, when you use ZRTP process is not the same. You can just not talk at all if you see that the communication is being encrypted. I'm adding the little icon to inform that the call is encrypted, but if you don't get the popup it is a good indication about that already ;).

I think that the ZRTP options would more be something like 'Disabled', 'Optional', 'Only if remote announced in SDP'.
Cause 'mandatory' make not really sense cause there is always the beginning of the communication where the SAS has to be acknowledged when the call is done without ZRTP encryption.
The only way to provide mandatory would be to say : "mandatory for incoming only" and would also mean that remote side has to announce in SDP ZRTP support. Or we could cut the communication if ZRTP negociation fails... but since the user should be aware about that (my bad, not yet ;) ), not really hurting to leave user decide.

[Anonymous]

Originally posted by: nilsjan...@gmail.com

Hi regis,

i can't see the security settings under network any more. Did you change something? Are they gone, or is it just on my device (defy) for some reason?

[Anonymous]

Originally posted by: r3gis...@gmail.com

If you sure that you are using a tls version, the other reason for not having the setting is that the sip stack has never been started.
The setting only appear if pjsip has been loaded once to be able to know whether it has been built with tls support.
So you should first try to register and then go in settings.

[Anonymous]

Originally posted by: chhab...@gmail.com

ZRTP on [r836] nightly works brilliantly for me now! Thanks for fixing whatever bug there was. I'm running it on LeeDroid Gingerbread Rom V 3.0.6 (HTC Desire). You guys rock!