E-mail security hero takes on VoIP

[InfoSec News <alerts () infosecnews org>]

http://news.com.com/E-mail+security+hero+takes+on+VoIP/2100-7352_3-6105589.html

By Declan McCullagh
Staff Writer, CNET News.com
August 15, 2006

LAS VEGAS -- Phil Zimmermann gave free e-mail encryption to the world
more than a decade ago in the form of software called Pretty Good
Privacy.

Now Zimmermann, who became an instant Internet hero in part because of
a threat of federal prosecution for much of the 1990s, is trying to
bring the same kind of encrypted security to Internet phone calls.

Last year, Zimmermann announced software called Zfone, which wraps
voice over Internet Protocol (VoIP) calls in an additional layer of
security. Today, Zimmermann is busy trying to convince VoIP makers to
glue Zfone into their own products and announced the first licensing
deal this week.

"The architecture matters," Zimmermann, who is self-funding Zfone,
said in an interview at the recent Defcon hacker convention here.  
"This is a different way of doing it and it's better."

Zimmermann's efforts to popularize Zfone (which uses its own protocol
called, of course, ZRTP) place him at the center of a growing
political and technical debate about how to secure VoIP
conversations--while allowing police and intelligence agencies to
conduct electronic surveillance.

Claiming that terrorists and drug criminals will use VoIP, the Bush
administration has demanded that broadband Internet providers provide
backdoors for government wiretapping. In June, a federal appeals court
ruled that such requirements were permissible under a 1994 law called
the Communications Assistance for Law Enforcement Act, or CALEA. (The
ruling is being appealed.) Wire taps

Zimmermann's software makes those political debates far less relevant.  
Instead of requiring users to trust their government (or broadband and
VoIP providers), Zfone scrambles the entire conversation from end to
end. Think of it by way of analogy: It's as secure as handing a letter
directly to its recipient--bypassing potentially nosy workers at the
neighborhood post office.

Encrypting VoIP is especially important because computer networks are
not nearly as safe as the public switched telephone network,
Zimmermann says.

"You can have point-and-click wiretapping," he said. "And look at
who's going to be doing it. It's not just going to be the major
government agencies. It's going to be organized crime. It's going to
be criminals on the other side of the world."

Seth Schoen, staff technologist for the Electronic Frontier Foundation
in San Francisco, calls end-to-end encryption "very desirable."

"It takes intermediaries out of the picture in determining whether
your communications are secure," Schoen said. "By analogy, it has
fewer moving parts and fewer things that can go wrong. Or if you
prefer, fewer entities that can betray your privacy."


Crypto-enabled networking gear

Zfone has met with some success. A beta version released in March
(available for OS X, Windows, and Linux) works with VoIP software such
as Gizmo and Free World Dialup that supports the SIP standard.

On Monday, networking gear maker Borderware said that it had licensed
Zfone for use with its SIPassure product. The Toronto-based company's
lineup includes firewalls and gateways, mostly designed for enterprise
use.

Borderware said in a statement that the licensing arrangement extends
"VoIP security provided to organizations from threats such as spam to
denial-of-service attacks to include eavesdropping, spying and
wiretapping."

Translated, that means Borderware customers won't be caught up in what
some reports have alleged to be a huge National Security Agency
dragnet that intercepts massive amounts of data that flow through the
Internet. While it's still possible to figure out who's talking to
whom, the contents of the conversations would in theory remain
private.

The stakes are huge. Cisco Systems already has sold millions of VoIP
phones, and research firm Gartner predicts that in four years, 30
percent of U.S. homes will use only VoIP or cellular phones.

Zfone isn't the first product to encrypt online audio, of course.  
Around the same time that the federal government said it would not
prosecute Zimmermann on charges of exporting PGP, he released a
voice-encryption utility called PGPfone. But the lack of readily
available broadband at the time relegated it to a niche product.

Skype does use encryption, but professional cryptologists have been
consistently skeptical of its security because its implementation is
proprietary and the source code is secret.

An analysis by computer scientist Simson Garfinkel says "it is
impossible to validate the company's claims regarding encryption." A
subsequent presentation (click for PDF) at the BlackHat Europe
conference in March said the right algorithms were being used, but
that there's "no way" to know if a backdoor for eavesdropping exists.

By contrast, in an effort to demonstrate that there are no backdoors,
Zimmermann has made Zfone's source code publicly available. In
addition, the ZRTP protocol has been submitted to the Internet
Engineering Task Force for review.

Still, Zimmermann's effort to build encryption into VoIP hardware
could face a familiar obstacle: the U.S. government.

The FBI has drafted legislation, first disclosed by CNET News.com in
July, that would force makers of networking gear to build in backdoors
for eavesdropping. If approved by Congress, it would prevent companies
from following Borderware's lead--unless they included mandatory
surveillance backdoors for police and spy agencies.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org