One of the big problems with VOIP is that it lacks encryption. Some manufacturers do provide end-to-end encryption capabilities, but only between their own products. It's also difficult to assess how good such protocols really are. All that is about to change.
The father of PGP, Phil Zimmermann, has been working away on his ZFone project for some time now and a public beta is expected to be released in March. A trusted name in the crypto community, Phil’s new product is not a stand-alone application. Instead, ZFone loads as “middleware” on a Windows, Mac OS X, or Linux PC and allows users to keep using their favorite SIP softphone. When a call is initiated between two users running ZFone, the program intercepts the packets and encrypts the conversation between the two computers. Features include:
– use of public key encryption but without reliance upon a public key infrastructure (PKI)
– allows the detection of man-in-the-middle (MiTM) attacks by displaying a short authentication string for the users to read and compare (and also utilizes key continuity – caching some key material to use in the next call)
– perfect forward secrecy, meaning the keys are destroyed at the end of the call
The protocol, ZRTP, is being submitted as an IETF Internet Standard. The source code will also be available to download for peer review.
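To make the short authentication string and key continuity features listed above concrete, here is a simplified Python model, added as an illustration; it is not ZFone's code and not the ZRTP key derivation. The modulus, the hash constructions and all function names are assumptions chosen for brevity.

```python
import hashlib
import secrets

# Demo parameters (assumption): a prime modulus picked for brevity,
# not the Diffie-Hellman group the real protocol specifies.
P = 2**255 - 19
G = 2

def keypair():
    """Fresh ephemeral key pair, thrown away when the call ends."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_secret(priv, peer_pub, cached=b""):
    """Hash the DH result together with any secret cached from an earlier call."""
    dh = pow(peer_pub, priv, P).to_bytes(32, "big")
    return hashlib.sha256(dh + cached).digest()

def sas(secret):
    """Short string that both users read aloud and compare."""
    return hashlib.sha256(b"sas" + secret).hexdigest()[:4]

def honest_call(cached=b""):
    """Both ends see each other's real public value."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return (session_secret(a_priv, b_pub, cached),
            session_secret(b_priv, a_pub, cached))

def intercepted_call(cached=b""):
    """A middle party (Mallory) substitutes her own public value both ways."""
    a_priv, a_pub = keypair()
    b_priv, _ = keypair()
    m_priv, m_pub = keypair()
    alice = session_secret(a_priv, m_pub, cached)
    bob = session_secret(b_priv, m_pub, cached)
    # Mallory knows the DH result with Alice, but not the cached secret.
    mallory = session_secret(m_priv, a_pub)
    return alice, bob, mallory

if __name__ == "__main__":
    a1, b1 = honest_call()
    print("honest call SAS:     ", sas(a1), sas(b1))
    a2, b2, m2 = intercepted_call()
    print("intercepted call SAS:", sas(a2), sas(b2))
    # Key continuity: the secret cached from call 1 is mixed into call 2.
    a3, _, m3 = intercepted_call(cached=a1)
    print("Mallory derives Alice's key with continuity:", m3 == a3)
```

On a first call with nothing cached, the interception only shows up when the two users actually compare their strings; once a secret from an earlier clean call is mixed in, the middle party can no longer derive either user's key.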