The man who almost single-handedly invented desktop encryption, Phil Zimmermann, is to demonstrate a new telephony-oriented encryption program at this week's Black Hat security event in Las Vegas.
The new encryption software -- currently known only by its internal development moniker "Zfone" - has been designed to stop voice-over-IP (VoIP) traffic from being snooped on, especially across broadband links. It sits on top of the open-source Shtoom VoIP client software, with Zimmermann's encryption integrated into the program.
When Techworld spoke to Zimmermann, he confirmed the software uses a Diffie-Hellman -based public key design. This is session-based, with keys generated for exchange between clients on a per-call basis. Both VoIP clients would need to run the program to set up such a secure link, which makes it similar in principle to the famous PGP desktop encryption program written by him in the early 1990s.
In contrast to emerging VoIP encryption protocols, Zimmermann rejected a full Public Key Infrastructure (PKI) approach to security, fearing it would add layers of complexity to the software.
The current prototype also includes a simple form of authentication, whereby callers can exchange a short series of digits with one another. If the two sets of digits read out by the callers don't match then this is evidence that the call has been intercepted by a third party.
It is not the first time Zimmermann has used encryption with VoIP. A decade ago, he made available an application called PGPfone, though this achieved only modest success and is no longer current. Now, however, VoIP is booming, with the conversion of domestic voice calls to the medium looking to be only a matter time.
"Nine years ago, what I did it with PGPfone, the Internet hadn't taken off and there was no broadband," said Zimmermann.
The product is in its early stages, and Zimmermann is currently in discussion with potential investors for further development funds. To this point, it has been worked on using his own money and some from VoIP expert Jeff Pulver. He was not able to give any timescale for the release of a beta version, but was considering making it available to developers that wanted it.
"I didn't have any money when I wrote PGP so hopefully it (development) won't take very long," he said.
There is some disagreement about whether VoIP applications currently need encryption security, with a recent Gartner presentation pointing out that there were few known tools for eavesdropping with such traffic. However, history demonstrates conclusively that this will change as the application grows in popularity. It looks as if Zimmermann could have come up with a VoIP encryption application at just the right moment this time.