I'm not about reversing a key from a SAS.

As I understand the ZRTP features, the SAS is a sort of a hash calculated from a shared key (obtained with the DHE).

If hash size is small - a MiTM attacker can arrange the two keys (one for A-party, the other for B-party) so that their hashes will collide (i.e. SAS values will be equal despite the keys are indeed different).

Since you do not carry a part of a previous key material into a next session - the importance of the SAS is much greater.

Could you please provide an option to enable the "Base-256" SASs? (There is no need in Zimmermann's "PGP words", just a plain alpha-numeric string will do, i.e. "raw HEX")


But caching some key material to use with the next call is better!
A paranoid user may prearrange a 100%-secure SIP+ZRTP session (known to be MiTM-free) to initialize the key sequencer with intended second user and afterwards be much more assured of call privacy.

OK, forget it!
I've finally read the RFC 6189, the sasvalue is ALWAYS thirty two bits. The "Base-32/Base-256" just control the way how the SAS is displayed to a user.
And because the "base-32" uses the 20 MSBs of the sasvalue, it is (sixteen times) stronger than the "base-256" which uses only 16 MSBs.