Paper 2006/424

Security Analysis of Voice-over-IP Protocols

Prateek Gupta and Vitaly Shmatikov

Abstract

The transmission of voice communications as datagram packets over IP networks, commonly known as Voice-over-IP (VoIP) telephony, is rapidly gaining wide acceptance. With private phone conversations being conducted on insecure public networks, security of VoIP communications is increasingly important. We present a structured security analysis of the VoIP protocol stack, which consists of signaling (SIP), session description (SDP), key establishment (SDES, MIKEY, and ZRTP) and secure media transport (SRTP) protocols. Using a combination of manual and tool-supported formal analysis, we uncover several design flaws and attacks, most of which are caused by subtle inconsistencies between the assumptions that protocols at different layers of the VoIP stack make about each other. The most serious attack is a replay attack on SDES, which causes SRTP to repeat the keystream used for media encryption, thus completely breaking transport-layer security. We also demonstrate a man-in-the-middle attack on ZRTP, which allows the attacker to convince the communicating parties that they have lost their shared secret. If they are using VoIP devices without displays and thus cannot execute the ``human authentication'' procedure, they are forced to communicate insecurely, or not communicate at all, i.e., this becomes a denial of service attack. Finally, we show that the key derivation process used in MIKEY cannot be used to prove security of the derived key in the standard cryptographic model for secure key exchange.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. 20th IEEE Computer Security Foundations Symposium (CSF)
Keywords
cryptographic protocolsvoice-over-ip
Contact author(s)
shmat @ cs utexas edu
History
2007-04-30: revised
2006-11-19: received
See all versions
Short URL
https://ia.cr/2006/424
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2006/424,
      author = {Prateek Gupta and Vitaly Shmatikov},
      title = {Security Analysis of Voice-over-{IP} Protocols},
      howpublished = {Cryptology {ePrint} Archive, Paper 2006/424},
      year = {2006},
      url = {https://eprint.iacr.org/2006/424}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.