| QUESTION & ANSWER |
VoIP security, PGP style |
 |
By Amy Storer, News Writer
09 Aug 2005 | SearchEnterpriseVoice.com |
|
|
Phil Zimmermann, cryptographer and creator of the popular Pretty Good Privacy (PGP) e-mail encryption program, is addressing what he deems a genuine need for IP voice encryption.
Zimmermann last week unveiled Zfone, a prototype VoIP encryption application designed to prevent eavesdropping, and is now looking for investors to expedite Zfone development for enterprise usage.
He spoke with SearchEnterpriseVoice.com about the new VoIP encryption software, why his phone privacy protocol could trump all others, and ultimately, why enterprises should pay attention.
Is the VoIP security threat real or overblown?
Phil Zimmermann: It's real because the Internet is rife with sophisticated attacks from organized crime. In fact, it's been said that an unprotected Windows PC can be taken over by hostile software within 12 minutes of being connected to the Internet. Our phone calls have enjoyed a paradise of security for a century on the Public Switched Telephone Network, but all that will change when we cast them out of that paradise into the inferno of the Internet.
Can you describe the types of threats you're referring to?
Zimmermann: Malware exists that will record all the VoIP calls on a network and organize them into browsable files like a TiVo player. We can have our calls subject to point-and-click wiretaps from criminals around the world. Maybe that sounds overblown, but if I were to describe the current Internet threat environment to an Internet user from about five to seven years ago, he would think such a prediction was overblown.
How does Zfone keep voice communications secure?
Zimmermann: Zfone encrypts the call end-to-end by using the Diffie-Hellman key exchange to set up a session key and then the Advanced Encryption Standard (AES) to encrypt the voice packets. Two users can check for a man-in-the-middle attack by comparing an authentication digest without depending on a public key infrastructure (PKI).
How is Zfone different from other VoIP security protocols currently being considered?
Zimmermann: The design is more secure, simpler, more appropriate and more elegant than other protocols under consideration by Internet Engineering Task Force working groups. With Zfone, no centrally managed PKI or trusted servers are needed, and no persistent key material can be used to retroactively compromise the call. There are other secure VoIP protocols currently being discussed in standards bodies, but they all suffer from these problems that Zfone avoids.
What's the probability Zfone's security and adoption will be on the level of PGP?
Zimmermann: I designed the security to be as good as PGP. When PGP came out in the early 1990s, there was another e-mail encryption standard at the time, PEM (Privacy Enhanced Mail), and it suffered from a similar design philosophy as the other secure VoIP standards under consideration today. PEM relied on a centrally managed PKI, which has proven to be unworkable. PGP succeeded where PEM failed. I'm hoping the same thing will happen again, for the same reasons.
You've said before that you think you can secure voice communication better than anyone else. Why?
Zimmermann: For the reasons given above. Plus, I'm hoping the trust I've earned with PGP will help speed adoption.
When will Zfone likely be available?
Zimmermann: For the real product, that depends on funding. For the prototype, I may be able to post it on a Web site by the end of August for people to play with.
|
|
|
|
