Hello,

> Do you plan to implement ZRTP for calls?

With SRTP, the encryption keys are exchanged on the signaling layer (in our case using the SIP protocol). This can be an issue when using SIP servers, because those SIP servers can then see the encryption keys, breaking end-to-end encryption.

To solve this issue, ZRTP negotiates encryption keys on the RTP transport itself using DH key negotiation. This brings new issues like authentication (solved in ZRTP by having peers read keywords - the SAS - and recognize each other's voice). After key negotiation, ZRTP basically uses SRTP to encrypt RTP packets.

When using Ring accounts, identified by their public key, SIP packets are always transmitted on an encrypted and authenticated peer-to-peer TLS connection, making the SIP layer a safe place to exchange keys; using ZRTP would not increase security or privacy; it may even weaken authentication. For this reason Ring uses SRTP and not ZRTP, and we currently don't have plans to add support for it.

However, Ring still also supports plain old SIP accounts, so having ZRTP would be useful in those cases - we would be open to a pull request adding ZRTP support for SIP accounts.

> Do you think OTR would make sense for chat/text messages?

Yes, but it depends on the kind of text messages:

* Text messages sent during a call will use the existing SIP/TLS transport. In that case forward secrecy can currently be achieved at the TLS level (FS is not enforced yet but WIP).
* Out-of-call text messages are exchanged encrypted on the DHT, currently using classic RSA encryption. In that case OTR or Ratchet would indeed be useful. How to do it the right way is still an open question, but we definitely plan to support that. Related suggestions and pull requests are welcome.

Regards,
Adrien

From: "Łukasz Stelmach" <steel...@post.pl>
To: "ring" <ring@lists.savoirfairelinux.net>
Sent: Monday, February 1, 2016 5:16:00 AM
Subject: Re: [Ring] Comments on Ring

On 1 February 2016 at 08:26, Łukasz Stelmach <steel...@post.pl> wrote:

> Dear Developers,

[...]

> Crypto "questions" I have found in Ring.

Do you plan to implement ZRTP[1] for calls?
Do you think OTR[2] would make sense for chat/text messages?

[1] https://en.wikipedia.org/wiki/ZRTP
[2] https://en.wikipedia.org/wiki/Off-the-Record_Messaging

Kind regards,
--
Have a nice day,
Łukasz Stelmach

_______________________________________________
Ring mailing list
Ring@lists.savoirfairelinux.net
https://lists.savoirfairelinux.net/mailman/listinfo/ring
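
The signaling-layer key exchange described in the reply above, as an added example that is not part of the original messages or of Ring's code: it parses an SDP body for SRTP keys and reports who besides the two endpoints can read them for a given SIP transport. It assumes the keys travel in SDP `a=crypto` attributes (SDES, RFC 4568), which the thread does not name; the function names and the sample SDP are constructed for illustration.

```python
import base64
import re

# Master key and salt lengths in bytes per crypto suite (RFC 4568, section 6.2).
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
}
# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:len]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)", re.M)


def parse_sdes(sdp):
    """Return one dict per a=crypto attribute found in an SDP body."""
    offers = []
    for tag, suite, b64 in CRYPTO_RE.findall(sdp):
        raw = base64.b64decode(b64)
        key_len, salt_len = SUITES.get(suite, (None, None))
        offers.append({
            "tag": int(tag),
            "suite": suite,
            "well_formed": key_len is not None and len(raw) == key_len + salt_len,
            "master_key": raw[:key_len] if key_len else None,
        })
    return offers


def key_exposure(sdp, transport, peer_to_peer):
    """Say who, besides the two endpoints, can read the SRTP master key."""
    if not parse_sdes(sdp):
        return "no SDES key in signaling"
    if transport != "tls":
        return "any on-path observer and every SIP server"
    # SIP over TLS is hop-by-hop: each server terminates TLS and sees the SDP.
    return "nobody else" if peer_to_peer else "every SIP server on the path"


# Constructed sample: the key material is just bytes 0..29, not a real key.
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()
SAMPLE_SDP = (
    "v=0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY}|2^31\r\n"
)

if __name__ == "__main__":
    for t, p2p in (("udp", False), ("tls", False), ("tls", True)):
        print(t, p2p, "->", key_exposure(SAMPLE_SDP, t, p2p))
```
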