The most serious attack is a replay attack on SDES, which causes SRTP to repeat the keystream used for media encryption, thus completely breaking transport-layer security. We also demonstrate a man-in-the-middle attack on ZRTP, which allows the attacker to convince the communicating parties that they have lost their shared secret. If they are using VoIP devices without displays and thus cannot execute the ``human authentication'' procedure, they are forced to communicate insecurely, or not communicate at all, i.e., this becomes a denial of service attack. Finally, we show that the key derivation process used in MIKEY cannot be used to prove security of the derived key in the standard cryptographic model for secure key exchange.
Category / Keywords: cryptographic protocols, voice-over-ip Publication Info: 20th IEEE Computer Security Foundations Symposium (CSF) Date: received 16 Nov 2006, last revised 30 Apr 2007 Contact author: shmat at cs utexas edu Available format(s): PDF | BibTeX Citation Version: 20070430:133916 (All versions of this report) Short URL: ia.cr/2006/424 Discussion forum: Show discussion | Start new discussion