VoIP security prototype gets an airing

LAS VEGAS--More details have emerged on PGP creator Phil Zimmermann's effort to provide a secure way to make phone calls over the Internet.

As earlier reported, Zimmermann has developed a prototype of an Internet telephony application that encrypts calls, preventing anyone from eavesdropping. On Thursday, the creator of the Pretty Good Privacy e-mail encryption program, took the wraps off the project at the Black Hat security confab here.

The prototype, called "zfone," should be available online at the end of August, along with accompanying documentation, Zimmermann said. The VoIP client is based on the open-source Shtoom VoIP phone client, with added cryptography.

The project so far has been funded by Zimmermann himself. He also got some help from Richard Clarke, a former Whitehouse cybersecurity czar, and Internet telephony pioneer Jeff Pulver. Zimmermann is now talking to venture capitalists about his work, hoping to raise anywhere between several hundred thousand and a couple of million dollars, he said.

Once the company takes shape, Zimmermann hopes to make deals with makers of VoIP handsets to adopt his technology. "I think that people prefer to use phones. It is a lot more natural than talking into your laptop," he said.

Initially, however, the encryption technology will be geared to software-based phones for use on computers, he said.

Open calls
Phone calls made over the Internet aren't as safe as calls made on old-fashioned phone networks, Zimmermann said.

"The Internet is a terribly hostile environment," Zimmermann said. "The PSTN has always been a much safer place for phone calls than the Internet." PSTN stands for public switched telephone network, the venerable system for making phone calls.

With voice over Internet Protocol, anyone, anywhere on the Internet can be a threat, noted Jonathan Callas, the chief technology officer of PGP Corporation, which has been working with Zimmermann.

VoIP is increasingly popular because it is cheaper than traditional phone service and in some cases free. Organizations can run their own VoIP service using products from vendors such as Cisco Systems. For consumers, companies including Packet8 and Vonage offer an actual phone that plugs into a broadband connection, while others including Skype offer software that runs on a PC. Most popular instant messaging applications also have VoIP capabilities.

One problem for the encryption technology could be wiretap requirements set by the government. Zimmermann hopes to circumvent those by not dealing with providers of VoIP services who are subject to those requirements.

"The key agreement is only between the two users" of secure phones, he said. "I am trying to make it so that the service providers are not involved."

It is already possible to encrypt VoIP data. However, today's technology public key infrastructure, or PKI, which secures the exchange of data by providing each party with digital certificates that validate their authenticity. Setting up and managing PKI can be laborious. Zimmermann's system does not use PKI.