LAS VEGAS: Phil Zimmermann, the celebrated cryptographer who created PGP (Pretty Good Privacy) for e-mail encryption, is taking a shot at securing VOIP communications.
Zimmermann took the stage at the Black Hat Briefings here to show off Zfone, a prototype application that encrypts voice-over-IP calls to thwart man-in-the-middle eavesdroppers.
Using the open-source, cross-platform softphone Shtoom and the Diffie-Hellman key agreement protocol, Zimmermann has developed a session-based encryption tool that lets two users on a SIP (Session Initiation Protocol)-based VOIP connection verify each other’s identity to avoid snooping.
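The mechanism the article describes, a per-call Diffie-Hellman agreement followed by a user-level check that the two endpoints really share the same key, can be sketched in a few lines. The following is an added illustration written for this page, not code from Zfone, Shtoom or Zimmermann; the toy group (2**255 - 19 with generator 2), the `verification_string` construction and the "relay" model are all assumptions made here for the demonstration and say nothing about Zfone's actual protocol. It shows why the key agreement alone is not enough: with an untouched exchange both sides derive the same session key and the same short check value, while a relay that substitutes its own public values leaves the two ends with different keys, which the out-of-band comparison then exposes.

```python
import hashlib
import secrets

# Constructed toy group for illustration only: 2**255 - 19 is prime, but a
# production system would use a standardised, vetted Diffie-Hellman group.
P = 2**255 - 19
G = 2


def keypair():
    """Fresh ephemeral DH key pair: random exponent and its public value."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Raw DH shared secret, hashed down to a 32-byte session key."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def verification_string(key):
    """Hypothetical short check value derived from the session key.

    Each side computes it locally and the two users compare it out of band
    (for example by reading it aloud during the call); it matches only if
    both ends hold the same key. The derivation is an assumption of this
    example, not Zfone's.
    """
    return hashlib.sha256(b"demo-verify" + key).hexdigest()[:8]


def direct_exchange():
    """Two endpoints exchange public values with nothing in between."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    key_a = session_key(a_priv, b_pub)
    key_b = session_key(b_priv, a_pub)
    return key_a, key_b, verification_string(key_a), verification_string(key_b)


def relayed_exchange():
    """Same exchange through a relay that substitutes its own public value.

    This models the man-in-the-middle that unauthenticated DH cannot rule
    out on its own: each endpoint unknowingly agrees a key with the relay.
    """
    a_priv, _a_pub = keypair()
    b_priv, _b_pub = keypair()
    _m_priv, m_pub = keypair()          # relay's own key pair
    key_a = session_key(a_priv, m_pub)  # A believes m_pub came from B
    key_b = session_key(b_priv, m_pub)  # B believes m_pub came from A
    return key_a, key_b, verification_string(key_a), verification_string(key_b)


def check(result):
    """True when the two users' verification strings agree."""
    return result[2] == result[3]


if __name__ == "__main__":
    for label, result in (("direct call", direct_exchange()),
                          ("relayed call", relayed_exchange())):
        verdict = "match" if check(result) else "MISMATCH"
        print(f"{label:12}: {result[2]} {result[3]} -> {verdict}")
```

The point of the comparison step is that it needs no certificate authority or pre-shared key: the check value is bound to the session key both sides just derived, so it is the users themselves, not any infrastructure, who detect a substituted exchange.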
“I don’t think I have to make the case too much as to why you need secure VOIP,” Zimmermann said in a chat with reporters after his presentation. “As we move our phone calls from the relative safety of PSTN [public switched telephone networks], we will have to deal with the weaknesses and vulnerabilities associated with the Internet.”
“Every day, I look at my server console, I see attempts to break in. It’s nonstop. As our phone calls move from the PSTNs to the Internet, not to protect those calls seems like a very bad idea,” he added.
Zimmermann is no stranger to securing voice communications. In the early 1990s, he created the PGPfone software package, which combined speech compression and cryptography protocols to secure voice calls. But the idea never took off, because, as Zimmermann explains it, “the Internet just wasn’t ready for it.”
“In those days, no one had broadband. SIP did not exist. I had to devise my own protocols to do Internet telephone, so PGPfone was created with improvised protocols,” he said.
“Now, the Internet is ready for it,” he said, citing the heady growth in VOIP communication technology. “There are some nice protocols today for supporting VOIP, and there’s a big industry being built on these protocols. This prototype is much like PGPfone, but it’s brought up to date with the modern VOIP protocols.”
Zimmermann, who became the target of a criminal investigation after he released PGP as freeware in 1991, is pounding the pavement in search of funding to make Zfone a commercial venture.
He has received bridge funding from VOIP pioneer Jeff Pulver and former White House terrorism advisor Richard Clarke, and some technical and business development help from PGP Corp., but the immediate plan is to score a round of venture capital investment to speed up development of Zfone for the wider market.
“I have talked to some investors and there is a significant amount of interest. We might see something very soon,” Zimmermann said. He also said he would be happy with either a seed round in the range of $750,000 or a Series A round in the range of $5 million.
“There is a need for secure VOIP. I think I can do it better than anyone else. I have some reason to think the market will trust me,” he said.
The Zfone prototype is a Mac-only application, but Zimmermann acknowledges that a Windows version would be ideal to make a commercial venture successful. He said he plans to publish a paper detailing the encryption protocol by the end of August and release the source code for Zfone for peer review.
Zimmermann said he believes that approach will give his product a leg up on Skype, the popular peer-to-peer application. “Skype doesn’t tell you how it works, so you don’t know if the encryption works or not. That’s not a knock on Skype, but we just don’t know a lot about it.”
“When you use Skype, you’re going through servers somewhere in Europe. They’re using an encryption protocol that’s not known or available. If you don’t tell people what kind of encryption you’re using, you’re telling them to assume they are safe,” he said.
Asked what target market Zfone is aimed at, Zimmermann said, “There are a couple of different approaches I’m looking at. There are the companies that make the VOIP phones – we would like to form relationships with those companies to put our stuff in their firmware.”
Zimmermann spent a lot of time at the Black Hat conference pitching the product, answering probing questions from the audience and explaining the decision to avoid the “complexities” of PKI [public key infrastructure] cryptography.
“Years ago, people stumbled into e-mail without thinking about protecting the privacy. That’s where PGP came from. I think the average user who had enjoyed the safety of PSTN for all these years is going to get a rude awakening when they discover how bad things can be on the Internet,” he said.
He dismissed a suggestion from research firm Gartner Inc. that the VOIP threat was overblown, saying, “The Internet is a terribly hostile environment. If you attach a computer to the Internet without a firewall, it becomes infected within a few minutes. What used to be attacks from kids fooling around is now organized crime. Today, it’s these giant botnets doing all kinds of sophisticated attacks.
“There is a genuine need for voice encryption. There are programs today that record all VOIP phone calls, organize them, save them as MP3 files. There are snooping programs for eavesdropping out there. It is possible to intercept a VOIP call, and, for businesses, encrypting those calls is going to be important.”
With Zfone, Zimmermann said he believes he has a “relatively simple, understandable protocol” that does not require huge infrastructure investment. “It works. The crypto is solid. I can use it to make calls to any SIP client and it works pretty well.”