

Let's talk about ZRTP - zdw
http://blog.cryptographyengineering.com/2012/11/lets-talk-about-zrtp.html

======
SkyMarshal
For anyone else wondering what ZRTP is an acronym for, apparently it isn't
one. It is SRTP [1] with the S replaced with Z, since it was developed by the
Zfone Project [2].

[1]: <http://duckduckgo.com/Secure_Real-time_Transport_Protocol>

[2]: <http://www.zfoneproject.com/>

[3]: ZRTP spec: <http://zfone.com/docs/ietf/rfc6189bis.html>

------
Dylan16807
Interesting overall. But I'm pretty sure that's not how the birthday paradox
works. You have to put all the ~random elements into the same pool so that
each one of your 2^16 values has 2^16 candidates to match against. This
handshaking is always one on one. I mean, yes, it's possible that the same SAS
will show up in completely unrelated calls, but that won't help Eve.

~~~
RyanZAG
I think what he is saying is that we can get lucky in guessing the correct
hash even if we guessed the value wrong.

b can only be picked once, and we transmit g^b. The attacker then needs to
guess a g^a that will cause hmac(g^ab) to match. So we might guess an
incorrect g^a that still manages to collide and give us the correct hmac.

This apparently comes close to doubling our chance of guessing correctly?
Depending on the properties of hmac this sounds reasonable, but it still
doesn't affect security much, as he says - it would still be 1/2^{16} - not
likely to happen.
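To put numbers on the two ways of matching described above (guessing the secret itself, or a wrong guess whose truncated HMAC happens to collide), here is an added Python model that is not from the thread or from any ZRTP implementation. It assumes a toy 16-bit secret space so the whole space can be enumerated, a 16-bit SAS as the thread uses, and a constructed MAC key; real DH secrets are vastly larger, so only the collision term matters in practice.

```python
import hashlib
import hmac

SAS_BITS = 16             # SAS size used in the thread (assumption for this toy model)
SECRET_BITS = 16          # toy size of the guess space; real DH secrets are far larger
MAC_KEY = b"toy-sas-key"  # constructed; a real SAS is derived from ZRTP key material


def sas(shared_secret: int, bits: int = SAS_BITS) -> int:
    """Toy SAS: HMAC-SHA256 over the shared secret, truncated to its top `bits` bits."""
    msg = shared_secret.to_bytes(8, "big")
    mac = hmac.new(MAC_KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") >> (32 - bits)


def matching_secrets(genuine: int, secret_bits: int = SECRET_BITS) -> tuple:
    """Exhaustively count guesses that display the same SAS as `genuine`.

    Returns (exact_hits, collision_hits): the genuine secret itself, and wrong
    secrets whose truncated HMAC collides with the genuine SAS.
    """
    target = sas(genuine)
    exact = collisions = 0
    for guess in range(1 << secret_bits):
        if sas(guess) == target:
            if guess == genuine:
                exact += 1
            else:
                collisions += 1
    return exact, collisions


def success_probability(genuine: int, secret_bits: int = SECRET_BITS) -> float:
    """Per-call chance that a uniformly random guess shows the right SAS."""
    exact, collisions = matching_secrets(genuine, secret_bits)
    return (exact + collisions) / (1 << secret_bits)


def expected_probability(secret_bits: int = SECRET_BITS, sas_bits: int = SAS_BITS) -> float:
    """Analytic counterpart: P(right secret) + P(wrong secret) * P(truncated MAC collides)."""
    n = 1 << secret_bits
    return 1 / n + (1 - 1 / n) * 2.0 ** -sas_bits


if __name__ == "__main__":
    genuine = 0xBEEF  # constructed sample secret
    print("hits (exact, colliding):", matching_secrets(genuine))
    print("measured:", success_probability(genuine), "expected:", expected_probability())
```

With a guess space the same size as the SAS, the two terms are comparable, which is the case where the chance roughly doubles; with a realistic secret space the first term vanishes and the per-call odds settle at about 2^-16.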

------
shmerl
I'm still waiting for ZRTP to catch up in normal XMPP/Jingle clients like
Pidgin, etc. Somehow support for it is really lacking.

~~~
mtgx
Jitsi supports it, among other encryption protocols:

<https://jitsi.org/index.php/Main/Features>

~~~
shmerl
Yes, but it's still strongly lacking in most other clients to be useful.

