PGP for VoIP, Anyone?
Source: asteriskblog.com
Most of us who lived in the days pre-WWW remember PGP. Actually anyone who has ever needed to send email or any message securely would remember PGP, which stands for Pretty Good Privacy. These days, it’s the de facto standard for encryption. But this is for data. What about voice? Specifically, what about VoIP?
Apparently, PGP’s creator Phill Zimmerman is still working on making our lives more secure from eavesdropping, and yes, his work now is about VoIP. VoIP news shares a feature where Zimmerman’s latest project is introduced.
The concept behind this latest endeavor is the possibility of man-in-the-middle attacks in VoIP conversations. In public switched telephony (your plain old telephone system), it was easy for governments to eavesdrop into conversations because they have power/control over the telcos. But it’s not so, the other way around. But with VoIP, the playing field is leveled. Now individuals can eavesdrop on anyone (with the right tools), even government officials. Therefore there’s a need to ensure top grade security, especially for sensitive calls.
Zimmerman and company created a product, Zfone, which incorporates the best features of PGP into voice communications. And this is done by doing away with the public key setup that most security systems use. This is purely peer-to-peer, meaning only you and the person on the other line should have this “key” and you can be sure that it’s the same person you are talking to. It’s like meeting someone face to face the first time. The next time you meet, you’ll know it’s that same person.
Zfone, the ZRTP-based product Zimmermann sells through a company with the same name, also incorporates “key continuity,” where you hash the keys just used in the conversation, and they become part of the keys for the next conversation, thus assuring that you’re talking with the same person as the last time.
“You check to see if there was a previous, retained shared secret from the earlier call,” Zimmermann says, “and if there was, you mix it in with the key that you’re generating for this call, so that if there was no man in middle in the last call, there cannot be one in this call.”
The numbers generated by this process should match up, even a hundred conversations later, Zimmermann says. “You don’t have to lie awake at night worrying about whether they heard you talking six months ago in that call that you forgot to check.”
Zfone offers plenty of features, including a GUI for management, and a packet interceptor that turns software and hardware VoIP clients into secure connections. Zfone also has licensing deals with other VoIP providers and open-source solutions, including Asterisk. Zimmerman is hoping this could be adopted as a standard in the VoIP industry and community.
