Sunday, April 15, 2007

Pretty Good (VoIP) Privacy

No one would have blamed Phil Zimmermann for coasting after he created Pretty Good Privacy (PGP)... But Zimmermann and others saw big security holes in VoIP. It wasn’t just that average citizens might need protection against government surveillance of their VoIP calls, Zimmermann reasoned. No, this time around, it was government officials themselves who might need protection against eavesdropping... Zimmermann knew that criminals could easily listen in on the VoIP calls of those investigating them.

This concern drove him, Jon Callas and Alan Johnston to create ZRTP, a protocol that imports some of PGP’s best features to Internet telephony. Zimmermann also saw an opportunity to create a secure voice-communications protocol that didn’t rely on the public-key infrastructure (PKI) or any external servers. As a result, ZRTP is a purely peer-to-peer setup that still allows users to thwart various kinds of attacks on their own.

“When two human beings are talking to each other, they are in a position to detect a ‘man in the middle’ by comparing whether or not they’re both using the same session key—using human conversation, verbal comparisons, hashed authentication strings,” Zimmermann says. “It completely eliminates the need for public-key infrastructure, which is quite a complex thing to drag into the VoIP world.”

Zfone, the ZRTP-based product Zimmermann sells through a company with the same name, also incorporates “key continuity,” where you hash the keys just used in the conversation, and they become part of the keys for the next conversation, thus assuring that you’re talking with the same person as the last time. (more) (Zfone beta release available for free download now.)
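
The two checks described above, reading a short authentication string aloud and key continuity, in a simplified Python model. This is an added example, not code from Zfone or the ZRTP specification; the HMAC-SHA256 derivations, the 4-character string, the names Endpoint, kdf, sas and run_scenarios, and the key-agreement values are all assumptions constructed for illustration.

```python
import hashlib
import hmac

NO_SECRET = bytes(32)  # assumption: the cache is empty before the first call

def kdf(key: bytes, label: bytes, data: bytes = b"") -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()

def sas(session_key: bytes) -> str:
    """Short string both speakers read aloud to compare session keys."""
    return kdf(session_key, b"sas").hex()[:4]

class Endpoint:
    """One phone; `retained` is the secret cached from the previous call."""
    def __init__(self) -> None:
        self.retained = NO_SECRET

    def start_call(self, agreed: bytes) -> bytes:
        # Session key depends on this call's key agreement AND the cached secret.
        return kdf(self.retained, b"session", agreed)

    def finish_call(self, session_key: bytes) -> None:
        # Key continuity: hash the keys just used into the next call's input.
        self.retained = kdf(session_key, b"retained")

def agreed_value(tag: str) -> bytes:
    # Constructed stand-in for the output of a per-call key agreement.
    return hashlib.sha256(tag.encode()).digest()

def run_scenarios() -> dict:
    alice, bob, interceptor = Endpoint(), Endpoint(), Endpoint()
    # Call 1, direct path: both ends agree on one value, so the strings match.
    k_a = alice.start_call(agreed_value("call1"))
    k_b = bob.start_call(agreed_value("call1"))
    call1 = sas(k_a) == sas(k_b)
    alice.finish_call(k_a)
    bob.finish_call(k_b)
    # Call 2, interceptor in the path: each end agrees with the middle instead.
    k_a2 = alice.start_call(agreed_value("call2-alice-leg"))
    k_b2 = bob.start_call(agreed_value("call2-bob-leg"))
    k_m = interceptor.start_call(agreed_value("call2-alice-leg"))
    return {
        "call1_sas_match": call1,
        "call2_sas_match": sas(k_a2) == sas(k_b2),
        "interceptor_has_alice_key": hmac.compare_digest(k_m, k_a2),
    }

if __name__ == "__main__":
    print(run_scenarios())
```

In the second call the spoken strings differ, and the party in the middle cannot derive Alice's session key even though it knows the key-agreement value for her leg, because it lacks the secret retained from the first call.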

Got VoIP?
Get this!
Zfone is available as a "plugin" for existing soft VoIP clients, effectively converting them into secure phones.