PGP creator cooks up Net phone protection

Phil Zimmermann plans to unveil a project that uses crypto to secure VoIP calls at the Black Hat security conference.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Phil Zimmermann hopes that his secure Net phone-calling efforts will be as successful as his Pretty Good Privacy e-mail encryption program.

Zimmermann has developed a prototype of an Internet telephony application that encrypts calls to prevent eavesdropping. He plans to unveil the prototype on Thursday at the Black Hat Briefings security industry conference in Las Vegas.

"I am revealing this now because I want to help shape the direction of secure VoIP," Zimmermann said in an interview. VoIP stands for Voice over Internet Protocol, the technology used to enable people to make phone calls using an Internet connection.

VoIP is increasingly popular because it is cheaper than traditional phone service or, in some cases, free. Organizations can run their own VoIP service using products from vendors such as Cisco Systems. For consumers, companies including Packet8 and Vonage offer an actual phone that plugs into a broadband connection, while others such as Skype sell software that runs on a PC. Most popular instant messaging applications also have VoIP capabilities.

Security of VoIP systems is getting more attention in general. Cisco Systems identified several vulnerabilities in its products earlier this month. The flaws could lead to denial-of-service attacks on Cisco IP telephony networks, which are used by businesses.

Within the next two years, 97 percent of new phone systems installed in North America will be VoIP-based or will use a combination of traditional and VoIP technology, according to research firm Gartner. Cisco claims to have sold some 5 million VoIP phones to customers throughout the world.

It is already possible to encrypt VoIP data. However, today's technology relies on public key infrastructure (PKI), which secures the exchange of data by providing each party with digital certificates that validate their authenticity. Setting up and managing PKI can be laborious. Zimmermann's system does not use PKI.

Zimmermann hopes to start a business that will sell products based on the encryption technology. It could also be licensed to other companies for use in their Internet telephony lineup. "I will have my own products, and there will be agreements with other companies to use it in their products as well," he said.

The security expert said that while his prototype can be used to make calls, it still has some problems to be ironed out and is not close to being a finished product. "It is not mature enough," he said. "The crypto is real solid, but the VoIP client has some bugs." The application doesn't have an official name yet.

The VoIP client is based on the open-source Shtoom VoIP phone client. Zimmermann said he added cryptography to it.

This is not the first time that Zimmermann has worked on putting protections on Internet telephony. Almost 10 years ago, he launched PGPfone, a little ahead of its time. "The Internet was not ready then," he said.