Encryption Guru Returns With VoIP Software

The man who almost single-handedly invented desktop encryption, Phil Zimmermann, brought his new telephony-oriented encryption program to this week's Black Hat security event in Las Vegas.

The new encryption software--currently known only by its internal development moniker "Zfone"--is designed to stop Voice-over Internet Protocol (VoIP) traffic from being snooped on, especially across broadband links. It sits on top of the open-source Shtoom VoIP client software, with Zimmermann's encryption integrated into the program.

Zimmermann told Techworld that the software uses a Diffie-Hellman-based public key design. This method is session-based, with keys generated for exchange between clients on a per-call basis. Both VoIP clients would need to run the program to set up such a secure link, which makes Zfone similar in principle to the famous PGP desktop encryption program Zimmerman wrote in the early 1990s.

In contrast to emerging VoIP encryption protocols, Zimmermann's scheme rejected a full Public Key Infrastructure (PKI) approach to security, fearing it would add layers of complexity to the software.

Your Digits or Mine?

The current prototype also includes a simple form of authentication, whereby callers exchange a short series of digits with one another. If the two sets of digits don't match, then the call has likely been intercepted by a third party.

It is not the first time Zimmermann has used encryption with VoIP. Nearly a decade ago, he created an application called PGPfone, though it achieved only modest success and is no longer current. "Nine years ago...the Internet hadn't taken off and there was no broadband," he said. Now, however, VoIP is booming, with the conversion of domestic voice calls to the medium looking to be only a matter time.

The product is in its early stages, and Zimmermann is currently in discussion with potential investors for further development funds. To this point, he has created the program using his own money and some from VoIP expert Jeff Pulver. He did not give any timeline for the release of a beta version, but was considering making it available to developers who want it.

"I didn't have any money when I wrote PGP, so hopefully [development] won't take very long," he said.

There is some disagreement about whether VoIP applications currently need encryption security, with a recent Gartner presentation pointing out that few known tools allow for eavesdropping with this form of communication. However, history demonstrates that this will change as VoIP gains popularity.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon