Privacy Pioneer Promises Secure VOIP

The cryptographer who created the e-mail encryption software PGP is back with Zfone, a prototype intended to thwart VOIP eavesdroppers.

LAS VEGAS—Phil Zimmermann, the celebrated cryptographer who created PGP (Pretty Good Privacy) for e-mail encryption, is taking a shot at securing VOIP communications.

Zimmermann took the stage at the Black Hat Briefings here to show off Zfone, a prototype application that encrypts voice-over-IP calls to thwart man-in-the-middle eavesdroppers.

Using the open-source, cross-platform softphone Shtoom and the Diffie-Hellman key agreement protocol, Zimmermann has developed a session-based encryption tool that lets two users on a SIP (Session Initiation Protocol)-based VOIP connection verify each other's identity to avoid snooping.

"I don't think I have to make the case too much as to why you need secure VOIP," Zimmermann said in a chat with reporters after his presentation. "As we move our phone calls from the relative safety of PSTN [public switched telephone networks], we will have to deal with the weaknesses and vulnerabilities associated with the Internet."

"Every day, I look at my server console, I see attempts to break in. It's nonstop. As our phone calls move from the PSTNs to the Internet, not to protect those calls seems like a very bad idea," he added.

Zimmermann is no stranger to securing voice communications. In the early 1990s, he created the PGPfone software package, which combined speech compression and cryptography protocols to secure voice calls. But the idea never took off, because, as Zimmermann explains it, "the Internet just wasn't ready for it."

"In those days, no one had broadband. SIP did not exist. I had to devise my own protocols to do Internet telephone, so PGPfone was created with improvised protocols," he said.

"Now, the Internet is ready for it," he said, citing the heady growth in VOIP communication technology. "There are some nice protocols today for supporting VOIP, and there's a big industry being built on these protocols. This prototype is much like PGPfone, but it's brought up to date with the modern VOIP protocols."

Zimmermann, who became the target of a criminal investigation after he released PGP as freeware in 1991, is pounding the pavement in search of funding to make Zfone a commercial venture.

He has received bridge funding from VOIP pioneer Jeff Pulver and former White House terrorism advisor Richard Clarke, and some technical and business development help from PGP Corp., but the immediate plan is to score a round of venture capital investment to speed up development of Zfone for the wider market.

"I have talked to some investors and there is a significant amount of interest. We might see something very soon," Zimmermann said. He also said he would be happy with either a seed round in the range of $750,000 or a Series A round in the range of $5 million.

"There is a need for secure VOIP. I think I can do it better than anyone else. I have some reason to think the market will trust me," he said.

The Zfone prototype is a Mac-only application, but Zimmermann acknowledges that a Windows version would be ideal to make a commercial venture successful. He said he plans to publish a paper detailing the encryption protocol by the end of August and release the source code for Zfone for peer review.

Zimmermann said he believes that approach will give his product a leg up on Skype, the popular peer-to-peer application. "Skype doesn't tell you how it works, so you don't know if the encryption works or not. That's not a knock on Skype, but we just don't know a lot about it."

"When you use Skype, you're going through servers somewhere in Europe. They're using an encryption protocol that's not known or available. If you don't tell people what kind of encryption you're using, you're telling them to assume they are safe," he said.
