Zimmermann, Encrypted VoIP, and Uncle Sam 325
An anonymous reader noted that Phillip Zimmermann and his VoIP encryption software are the subject of a NY Times article today. The article touches on the FCC, privacy, and related issues. Given all the suspicious behavior of the Bush Administration relating to wiretaps and phone records, this sort of thing is all the more important to be very aware of.
Cryptome (Score:2, Informative)
http://cryptome.org/zfone-agree.htm [cryptome.org]
Re:nothing to hide (Score:5, Informative)
Know how it works... (Score:5, Informative)
Look for his techniques for peer to peer key setup, which again is very clever and well thought out, to be used in a variety of new ways. I expect you will see a bit-t client soon that can also generate this one time session key between peers. It will be much more computationally intense than what you see bit-t clients like Azureus do to the CPU now, but no more than using S/FTP. Well, maybe more, because of the number of keys being setup and destroyed and the memory allocation needed in a swarm situation. But for peer to peer calls, it's strong and I expect that Phil, who was nearly bankrupted by Uncle Sam, trying to defend himself, will again be the NSA crosshairs. The guy is just a warrior, what can you say? Guys like him and Klein who blew the whistle on AT&T are the ones fighting for privacy and against a police state. And they will not be treated kindly by this administration.
Re:Cryptome (Score:5, Informative)
Re:nothing to hide (Score:4, Informative)
Re:Didn't read the tech specs ... (Score:3, Informative)
This has a reasonable set of diagrams which describe the process:
http://www.netip.com/articles/keith/diffie-helman
It helps to have a registry or Certifying Authority available which has a list of published public keys...
Re:Offtopic: on the subject of Bush criticism: (Score:1, Informative)
Criptographical illiteracy (Score:3, Informative)
Re:The laws and privacy concerns (Score:3, Informative)
That is exactly what my company is offering: IAX2/SIP (Asterisk) over VPN (FreeS/WAN, OpenVPN). It's getting easier to convince businesses to use encrypted communication channels nowadays.
Re:Obviously a politically biased article (Score:1, Informative)
http://movies.crooksandliars.com/Hannity-Colmes-N
Why does Newt Gingrich, the former Republican speaker of the House, hate America...?
Re:Know how it works... (Score:3, Informative)
http://philzimmermann.com/EN/zfone/index-faq.html [philzimmermann.com]
It wasn't all Bush (Score:4, Informative)
Re:SIP Zfone? (Score:3, Informative)
According to him, there are no ATA devices or any other hardware-based Voip phones that support ZRTP (the zfone encryption protocol). I doubt that Vonage or any other large VoIP service provider will ever offer a phone with ZRTP support due to pressure from the US government.
According to my understanding, Zfone will intercept any SIP call made from your PC and encrypt it on the fly. This means that you should be able to use any software based SIP phone with Zfone.
Also OTR Messaging (Score:3, Informative)
In my opinion, it's a much better system than some of the other IM encryption setups, which give you authentication but not any forward secrecy or deniability. Basically it forces you to authenticate the other party via a side-channel, rather than using a trust framework a la PGP, but in return the authentication can't be turned around and used against you after the fact.
It does this via an unauthenticated Diffie-Hellman key exchange, and then creating and exchanging a per-session symmetric key within that channel, which is destroyed at the end of the conversation. More technical information is available here [cypherpunks.ca].
In short it provides more authentication than Trillian's setup, more deniability than gaim-encryption, and doesn't require any of the infrastructure required by SILC. The only difficulty in using it is getting other people to use a supported client program and to install the plugin / generate a key.
I think there's room for both types of encrypted communications: ones that provide a trust framework and robust authentication, and ones that provide for more deniability (and allow the computerized century equivalents of a face-to-face meeting, where if both people desire it, they can deny the contents of the communication later).
Re:Know how it works... (Score:3, Informative)
Tapping and recording the bit stream is not a case of Man-in-the-middle attack [wikipedia.org]. This is just simple Eavesdropping [wikipedia.org]. The Diffie-Hellman key exchange [wikipedia.org] is in fact vulnerable [wikipedia.org] to a Man-in-the-middle attack. To address this, what is needed is some form of authentication, such as Public-key cryptography [wikipedia.org] or Password-authenticated key agreement [wikipedia.org].
I think Phil Zimmermann [philzimmermann.com] is smart enough about cryptography to know this. So hopefully, authentication will also be a part of this. The focus of Zfone [philzimmermann.com], however, is the fact that the original Session key [wikipedia.org], which could be subject to forced disclosure, is not kept. If there is no authentication, then a true Man-in-the-middle attack is possible, but requires something more sophisticated than the fiber optic splitters used in the secret [slashdot.org] "study group" rooms.
Re:Cryptome (Score:1, Informative)
Re:Brave New World (Score:4, Informative)
So if you run it 3 times for triple des, that's approx 6000 instructions for every 8 bytes, or about 750 instruction cycles per byte. At 8000 bytes/sec for voice quality audio, my fast DES code would only need 6 MIPS on an 8 bit microcontroller. A slower version in C is readily available for free, which runs about 5X slower than my hand optimized assembly, requiring 30 MIPS.
Certainly strong encryption is feasible in real time for voice audio, even on very inexpensive 8-bit chips.
Re:Cryptome (Score:5, Informative)
Re:Cryptome (Score:1, Informative)
Re:Cryptome (Score:3, Informative)
http://www.philzimmermann.com/EN/zfone/index-regi
So why do you require registration?
Re:The laws and privacy concerns (Score:3, Informative)
They give you the list (Score:4, Informative)
http://www.treas.gov/offices/enforcement/ofac/sdn
Of course some of the entries are obviously from gathered inteliigence. I recall having to block anyone called "The Chess Player" from signing up. Unfortunately most websites don't gather date of birth, and when you do name only matching you catch a lot of innocent people - who are usually mightily pissed off about having to call EVERY SINGLE SITE that they try to sign up for.
The other big caveat is what you're supposed to do when you find a match - it's virtually impossible to stop them just changing their details and signing up again.
Misplaced paranoia (Score:2, Informative)
Re:I have zero problems with that (Score:1, Informative)
Example of why you're right (Score:4, Informative)
Re:Cryptome (Score:2, Informative)
This is why libertarians... (Score:4, Informative)
The lines between the Dems and the Reps here in the US have blurred to the point that distinction is negligible.
Re:What's this about Skype being cracked? (Score:3, Informative)