It's real because the Internet is rife with sophisticated attacks from organized crime. In fact, it's been said that an unprotected Windows PC can be taken over by hostile software within 12 minutes of being connected to the Internet. Our phone calls have enjoyed a paradise of security for a century on the Public Switched Telephone Network, but all that will change when we cast them out of that paradise into the inferno of the Internet. Can you describe the types of threats you're referring to?
Malware exists that will record all the VoIP calls on a network and organize them into browsable files like a TiVo player. We can have our calls subject to point-and-click wiretaps from criminals around the world. Maybe that sounds overblown, but if I were to describe the current Internet threat environment to an Internet user from about five to seven years ago, he would think such a prediction was overblown. How does Zfone keep voice communications secure?
Zfone encrypts the call end-to-end by using the Diffie-Hellman key exchange to set up a session key and then the Advanced Encryption Standard (AES) to encrypt the voice packets. Two users can check for a man-in-the-middle attack by comparing an authentication digest without depending on a public key infrastructure (PKI).
The design is more secure, simpler, more appropriate and more elegant than other protocols under consideration by Internet Engineering Task Force working groups. With Zfone, no centrally managed PKI or trusted servers are needed, and no persistent key material can be used to retroactively compromise the call. There are other secure VoIP protocols currently being discussed in standards bodies, but they all suffer from these problems that Zfone avoids. What's the probability Zfone's security and adoption will be on the level of PGP?
I designed the security to be as good as PGP. When PGP came out in the early 1990s, there was another e-mail encryption standard at the time, PEM (Privacy Enhanced Mail), and it suffered from a similar design philosophy as the other secure VoIP standards under consideration today. PEM relied on a centrally managed PKI, which has proven to be unworkable. PGP succeeded where PEM failed. I'm hoping the same thing will happen again, for the same reasons. You've said before that you think you can secure voice communication better than anyone else. Why?
For the reasons given above. Plus, I'm hoping the trust I've earned with PGP will help speed adoption. When will Zfone likely be available?
For the real product, that depends on funding. For the prototype, I may be able to post it on a Web site by the end of August for people to play with.