LAS VEGAS—Phil Zimmermann, the celebrated cryptographer who created PGP (Pretty Good Privacy) for e-mail encryption, is taking a shot at securing VOIP communications.
Zimmermann took the stage at the Black Hat Briefings here to show off Zfone, a prototype application that encrypts voice-over-IP calls to thwart man-in-the-middle eavesdroppers.
Using the open-source, cross-platform softphone Shtoom and the Diffie-Hellman key agreement protocol, Zimmermann has developed a session-based encryption tool that lets two users on a SIP (Session Initiation Protocol)-based VOIP connection verify each others identity to avoid snooping.
“I dont think I have to make the case too much as to why you need secure VOIP,” Zimmermann said in a chat with reporters after his presentation. “As we move our phone calls from the relative safety of PSTN [public switched telephone networks], we will have to deal with the weaknesses and vulnerabilities associated with the Internet.”
“Every day, I look at my server console, I see attempts to break in. Its nonstop. As our phone calls move from the PSTNs to the Internet, not to protect those calls seems like a very bad idea,” he added.
Zimmermann is no stranger to securing voice communications. In the early 1990s, he created the PGPfone software package, which combined speech compression and cryptography protocols to secure voice calls. But the idea never took off, because, as Zimmermann explains it, “the Internet just wasnt ready for it.”
“In those days, no one had broadband. SIP did not exist. I had to devise my own protocols to do Internet telephone, so PGPfone was created with improvised protocols,” he said.
“Now, the Internet is ready for it,” he said, citing the heady growth in VOIP communication technology. “There are some nice protocols today for supporting VOIP, and theres a big industry being built on these protocols. This prototype is much like PGPfone, but its brought up to date with the modern VOIP protocols.”
Zimmermann, who became the target of a criminal investigation after he released the PGP as freeware in 1991, is pounding the pavement in search of funding to make Zfone a commercial venture.
He has received bridge funding from VOIP pioneer Jeff Pulver and former White House terrorism advisor Richard Clarke, and some technical and business development help from PGP Corp., but the immediate plan is to score a round of venture capital investment to speed up development of Zfone for the wider market.
“I have talked to some investors and there is a significant amount of interest. We might see something very soon,” Zimmermann said. He also said he would be happy with either a seed round in the range of $750,000 or a Series A round in the range of $5 million.
“There is a need for secure VOIP. I think I can do it better than anyone else. I have some reason to think the market will trust me,” he said.
The Zfone prototype is a Mac-only application, but Zimmermann acknowledges that a Windows version would be ideal to make a commercial venture successful. He said he plans to publish a paper detailing the encryption protocol by the end of August and release the source code for Zfone for peer review.
Zimmermann said he believes that approach will give his product a leg up on Skype, the popular peer-to-peer application. “Skype doesnt tell you how it works, so you dont know if the encryption works or not. Thats not a knock on Skype, but we just dont know a lot about it.”
“When you use Skype, youre going through servers somewhere in Europe. Theyre using an encryption protocol thats not known or available. If you dont tell people what kind of encryption youre using, youre telling them to assume they are safe,” he said.
Next Page: The dangers of unprotected VOIP.
Dangers of Unprotected VOIP
Asked what target market Zfone is aimed at, Zimmermann said, “There are a couple of different approaches Im looking at. There are the companies that make the VOIP phones … we would like to form relationships with those companies to put our stuff in their firmware.”
Zimmermann spent a lot of time at the Black Hat conference pitching the product, answering probing questions from the audience and explaining the decision to avoid the “complexities” of PKI [public key infrastructure] cryptography.
“Years ago, people stumbled into e-mail without thinking about protecting the privacy. Thats where PGP came from. I think the average user who had enjoyed the safety of PSTN for all these years is going to get a rude awakening when they discover how bad things can be on the Internet,” he said.
He dismissed a suggestion from research firm Gartner Inc. that the VOIP threat was overblown, saying, “The Internet is a terribly hostile environment. If you attach a computer to the Internet without a firewall, it becomes infected within a few minutes. What used to be attacks from kids fooling around is now organized crime. Today, its these giant botnets doing all kinds of sophisticated attacks.
“There is a genuine need for voice encryption. There are programs today that record all VOIP phone calls, organize them, save them as MP3 files. There are snooping programs for eavesdropping out there. It is possible to intercept a VOIP call, and, for businesses, encrypting those calls is going to be important.”
With Zfone, Zimmermann said he believes he has a “relatively simple, understandable protocol” that does not require huge infrastructure investment. “It works. The crypto is solid. I can use it to make calls to any SIP client and it works pretty well.”
Check out eWEEK.coms for the latest news, views and analysis on voice over IP and telephony.