To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://www.silicon.com/research/specialreports/voip/0,3800004463,39150784,00.htm

Email encryption guru dabbles with VoIP
Pretty good phone privacy?

By Joris Evers

Published: Wednesday 27 July 2005

Phil Zimmermann hopes that his secure net phone-calling efforts will be as successful as his Pretty Good Privacy (PGP) email encryption program.

Zimmermann has developed a prototype of an internet telephony application that encrypts calls to prevent eavesdropping. He plans to unveil the prototype on Thursday at the Black Hat Briefings security industry conference in Las Vegas.

"I am revealing this now because I want to help shape the direction of secure VoIP," Zimmermann said in an interview. VoIP stands for voice over Internet Protocol, the technology used to enable people to make phone calls using an internet connection.

VoIP is increasingly popular because it is cheaper than traditional phone services or, in some cases, free. Organisations can run their own VoIP service using products from vendors such as Cisco Systems. For consumers, companies including Packet8 and Vonage offer an actual phone that plugs into a broadband connection, while others such as Skype sell software that runs on a PC. Most popular instant messaging applications also have VoIP capabilities.

Security of VoIP systems is getting more attention in general. Cisco Systems identified several vulnerabilities in its products earlier this month. The flaws could lead to denial of service attacks on Cisco IP telephony networks, which are used by businesses.

Within the next two years, 97 per cent of new phone systems installed in north America will be VoIP-based or will use a combination of traditional and VoIP technology, according to research firm Gartner. Cisco claims to have sold some five million VoIP phones to customers throughout the world.

It is already possible to encrypt VoIP data. However, today's technology uses the public key infrastructure coding system, which secures the exchange of data by providing each party with digital certificates that validate their authenticity. Setting up and managing PKI can be laborious. Zimmermann's system does not use PKI.

Zimmermann hopes to start a business that will sell products based on the encryption technology. It could also be licensed to other companies for use in their internet telephony line-up. "I will have my own products, and there will be agreements with other companies to use it in their products as well," he said.

The security expert said while his prototype can be used to make calls, it still has some problems to be ironed out and is not close to being a finished product. "It is not mature enough," he said. "The crypto is real solid but the VoIP client has some bugs."

The application doesn't have an official name yet.

The VoIP client is based on the open source Shtoom VoIP phone client. Zimmermann said he added cryptography to it.

This is not the first time the PGP creator has worked on putting protections on internet telephony. Almost 10 years ago, he launched PGPfone, a little ahead of its time. "The internet was not ready then," he said.

Joris Evers writes for CNET News.com