
Zimmermann, Encrypted VoIP, and Uncle Sam

An anonymous reader noted that Philip Zimmermann and his VoIP encryption software are the subject of a NY Times article today. The article touches on the FCC, privacy, and related issues. Given all the suspicious behavior of the Bush Administration relating to wiretaps and phone records, this sort of thing is all the more important to be very aware of.
  • Cryptome (Score:2, Informative)

    by Threni ( 635302 ) on Monday May 22, 2006 @02:45PM (#15382586)
    It's also available from Cryptome:

    http://cryptome.org/zfone-agree.htm [cryptome.org]
  • Re:nothing to hide (Score:5, Informative)

    by bung-foo ( 634132 ) on Monday May 22, 2006 @02:50PM (#15382628)
    Really, I mean why do people wear clothes for that matter? I mean we are all made of meat covered in skin. We all know what human bodies look like. Everyone should just go naked from now on. Who needs privacy when you have nothing to hide?
  • Know how it works... (Score:5, Informative)

    by GPLDAN ( 732269 ) on Monday May 22, 2006 @03:05PM (#15382771)
    Phil took an open source VOIP client and added encryption to it. By his own admission, he doesn't know much about how to make VOIP work well, codecs and all that. But his encryption is very clever. It uses Diffie-Hellman to generate a per-session key, which is stored in a completely volatile way, i.e. it is destroyed after the call terminates and cannot be retrieved (stored in memory which is then overwritten). So, even if a man (or government) in the middle records the RTP stream and then gets a search warrant to get the key to decrypt the call, it won't be there.

    Look for his techniques for peer to peer key setup, which again is very clever and well thought out, to be used in a variety of new ways. I expect you will see a bit-t client soon that can also generate this one time session key between peers. It will be much more computationally intense than what you see bit-t clients like Azureus do to the CPU now, but no more than using S/FTP. Well, maybe more, because of the number of keys being set up and destroyed and the memory allocation needed in a swarm situation. But for peer to peer calls, it's strong and I expect that Phil, who was nearly bankrupted by Uncle Sam, trying to defend himself, will again be in the NSA crosshairs. The guy is just a warrior, what can you say? Guys like him and Klein who blew the whistle on AT&T are the ones fighting for privacy and against a police state. And they will not be treated kindly by this administration.

  • Re:Cryptome (Score:5, Informative)

    by prz ( 648630 ) on Monday May 22, 2006 @03:13PM (#15382834) Homepage
    I wish Cryptome would not redistribute my Zfone software. This morning I had to upload a new version due to a last minute mistake we made before the release, and Cryptome probably got the uncorrected version. This is beta software in flux, rapidly changing with new updates likely, especially shortly after it hits when we discover early problems. Further, I've just added critical warnings to my web site about how to do the installation for Windows, and if someone grabs the software and posts it somewhere else, it will lack those warnings. There are good reasons why I want to maintain control of the distribution, especially during the initial public beta. --Philip Zimmermann (prz@mit.edu)
  • Re:nothing to hide (Score:4, Informative)

    by hibji ( 966961 ) on Monday May 22, 2006 @03:17PM (#15382860)
    This is an excellent article that rebuts your argument that is both concise and eloquent: http://wired.com/news/columns/0,70886-0.html?tw=wn_index_23 [wired.com]
  • by cswiger2005 ( 905744 ) <cswiger@mac.com> on Monday May 22, 2006 @03:22PM (#15382905) Homepage
    "Man in the middle" attacks are generally mitigated against by using a large initial key (such as the host key used by SSH, or the x.509 cert used by SSL) to guard an exchange of a smaller temporary session key as a shared secret, which is time-sensitive and is regenerated periodically. You'd have to break the 1024-bit key or whatnot very rapidly, in a matter of a few hours, or else you'd be too late to do a replay or MitM attack.

    This has a reasonable set of diagrams which describe the process:

    http://www.netip.com/articles/keith/diffie-helman.htm [netip.com]

    It helps to have a registry or Certifying Authority available which has a list of published public keys...
  • by Anonymous Coward on Monday May 22, 2006 @03:39PM (#15383034)
    Republicans control all the branches of the government. What you see now is the best they have.
  • by hummassa ( 157160 ) on Monday May 22, 2006 @03:40PM (#15383046) Homepage Journal
    Sorry, sir, but you are completely wrong. ANY VoIP-capable computer can encrypt a 12kbps stream with a 1024-bit key. And -- unless the whole academia is wrong and all the current off-the-shelf crypto algorithms have crypto flaws, no, not every supercomputer on the face of the earth could break the encryption. One would have to get the keys in another fashion to listen to the talks.
  • by slashflood ( 697891 ) <flow@NoSPaM.howflow.com> on Monday May 22, 2006 @03:46PM (#15383090) Homepage Journal
    It's time for the encryption phones to start appearing on the market.

    That is exactly what my company is offering: IAX2/SIP (Asterisk) over VPN (FreeS/WAN, OpenVPN). It's getting easier to convince businesses to use encrypted communication channels nowadays.
  • by Anonymous Coward on Monday May 22, 2006 @03:46PM (#15383093)
    "I'm not going to defend the indefensible. ... I'm prepared to defend a very aggressive anti-terrorist campaign, and I'm prepared to defend the idea that the government ought to know who's making the calls, as long as that information is only used against terrorists, and as long as the Congress knows that it's underway. But I don't think the way they've handled this can be defended by reasonable people. It is sloppy." -- Newt Gingrich

    http://movies.crooksandliars.com/Hannity-Colmes-Newt-Phones.wmv [crooksandliars.com]

    Why does Newt Gingrich, the former Republican speaker of the House, hate America...?
  • by Farce Pest ( 67765 ) <farcepest@gmail.com> on Monday May 22, 2006 @03:51PM (#15383126) Homepage Journal
    Phil has a FAQ that, among other things, describes how man-in-the-middle attacks are eliminated or at least mitigated.

    http://philzimmermann.com/EN/zfone/index-faq.html [philzimmermann.com]
  • It wasn't all Bush (Score:4, Informative)

    by randomErr ( 172078 ) <ervin,kosch&gmail,com> on Monday May 22, 2006 @03:55PM (#15383160) Journal
    I would like to point out that wire/phone taps have been a staple of American history:
    From Wikipedia [wikipedia.org]

    During the American Civil War, government officials under President Abraham Lincoln eavesdropped on telegraph conversations. Wiretapping has also been carried out under most Presidents, usually with a lawful warrant since the Supreme Court ruled it constitutional in 1928. Domestic wiretapping under the Clinton administration led to the capture of Aldrich Ames, a former Soviet spy in 1994. Robert F. Kennedy monitored the activity of Martin Luther King Jr. by wiretapping in 1966.

  • Re:SIP Zfone? (Score:3, Informative)

    by wackysootroom ( 243310 ) on Monday May 22, 2006 @04:03PM (#15383224) Homepage
    See Phil Zimmermann's FAQ [philzimmermann.com] about Zfone.

    According to him, there are no ATA devices or any other hardware-based VoIP phones that support ZRTP (the Zfone encryption protocol). I doubt that Vonage or any other large VoIP service provider will ever offer a phone with ZRTP support due to pressure from the US government.

    According to my understanding, Zfone will intercept any SIP call made from your PC and encrypt it on the fly. This means that you should be able to use any software based SIP phone with Zfone.
  • Also OTR Messaging (Score:3, Informative)

    by Kadin2048 ( 468275 ) <slashdot.kadin@xox y . net> on Monday May 22, 2006 @04:05PM (#15383242) Homepage Journal
    Just as an addition, the "Off-the-Record (OTR) Messaging [cypherpunks.ca]" plugin for Gaim offers a similar setup for instant messaging. (You can use it with other IM clients as well; it works with stock AIM as an HTTP proxy and is built in to Adium for Mac.)

    In my opinion, it's a much better system than some of the other IM encryption setups, which give you authentication but not any forward secrecy or deniability. Basically it forces you to authenticate the other party via a side-channel, rather than using a trust framework a la PGP, but in return the authentication can't be turned around and used against you after the fact.

    It does this via an unauthenticated Diffie-Hellman key exchange, and then creating and exchanging a per-session symmetric key within that channel, which is destroyed at the end of the conversation. More technical information is available here [cypherpunks.ca].

    In short it provides more authentication than Trillian's setup, more deniability than gaim-encryption, and doesn't require any of the infrastructure required by SILC. The only difficulty in using it is getting other people to use a supported client program and to install the plugin / generate a key.

    I think there's room for both types of encrypted communications: ones that provide a trust framework and robust authentication, and ones that provide for more deniability (and allow the computerized century equivalents of a face-to-face meeting, where if both people desire it, they can deny the contents of the communication later).
  • by Skapare ( 16644 ) on Monday May 22, 2006 @04:08PM (#15383263) Homepage

    Tapping and recording the bit stream is not a case of Man-in-the-middle attack [wikipedia.org]. This is just simple Eavesdropping [wikipedia.org]. The Diffie-Hellman key exchange [wikipedia.org] is in fact vulnerable [wikipedia.org] to a Man-in-the-middle attack. To address this, what is needed is some form of authentication, such as Public-key cryptography [wikipedia.org] or Password-authenticated key agreement [wikipedia.org].

    I think Phil Zimmermann [philzimmermann.com] is smart enough about cryptography to know this. So hopefully, authentication will also be a part of this. The focus of Zfone [philzimmermann.com], however, is the fact that the original Session key [wikipedia.org], which could be subject to forced disclosure, is not kept. If there is no authentication, then a true Man-in-the-middle attack is possible, but requires something more sophisticated than the fiber optic splitters used in the secret [slashdot.org] "study group" rooms.
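
The distinction drawn in the comment above, together with the per-session Diffie-Hellman keys and side-channel authentication described in earlier comments, as an added example that is not part of the thread and is not Zfone's or OTR's code. The toy group, the `Party` class, the function names and the fingerprint scheme are all assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group, an assumption of this example: prime 2**255 - 19, generator 2.
# Real protocols use standardised and much larger groups.
P = 2**255 - 19
G = 2

class Party:
    """One endpoint holding an ephemeral Diffie-Hellman secret for one call."""
    def __init__(self):
        self._x = secrets.randbelow(P - 3) + 2  # private exponent in [2, P-2]
        self.public = pow(G, self._x, P)
        self.session_key = None

    def agree(self, peer_public):
        if not 1 < peer_public < P - 1:  # reject 0, 1, P-1 and out-of-range values
            raise ValueError("degenerate public value")
        shared = pow(peer_public, self._x, P)
        self.session_key = hashlib.sha256(shared.to_bytes(32, "big")).digest()

    def fingerprint(self):
        """Short string the two users compare over a side channel."""
        return hashlib.sha256(b"fingerprint" + self.session_key).hexdigest()[:16]

    def hang_up(self):
        # Drop the references when the call ends. Python cannot guarantee the
        # memory is overwritten; a native client would zero the buffers.
        self._x = None
        self.session_key = None

def direct_call():
    alice, bob = Party(), Party()
    alice.agree(bob.public)
    bob.agree(alice.public)
    return alice, bob

def intercepted_call():
    """An active intermediary swaps in its own public values both ways."""
    alice, bob, mid_a, mid_b = Party(), Party(), Party(), Party()
    alice.agree(mid_a.public)
    mid_a.agree(alice.public)
    bob.agree(mid_b.public)
    mid_b.agree(bob.public)
    return alice, bob, mid_a, mid_b

def channel_is_authentic(a, b):
    """True only when both ends derived the same key, i.e. nobody sits between."""
    return secrets.compare_digest(a.fingerprint(), b.fingerprint())
```

The comparison only authenticates the call if the side channel carrying the fingerprints cannot itself be altered by the intermediary.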

  • Re:Cryptome (Score:1, Informative)

    by Anonymous Coward on Monday May 22, 2006 @04:26PM (#15383396)
    I'm sure world governments feel the same way about Cryptome redistributing government documents that are immune to their retroactive tampering. In fairness, you're widely regarded as a 'good guy' and I don't see the harm in John Young adding your comment (above) as a note to that page. Thank you for all your hard work.
  • Re:Brave New World (Score:4, Informative)

    by pjrc ( 134994 ) <paul@pjrc.com> on Monday May 22, 2006 @04:30PM (#15383418) Homepage Journal
    Some time ago, I implemented 3DES on an 8 bit microcontroller. In assembly language, it took about 2000 instruction cycles to run all 16 rounds of DES, plus the initial and final permutation, and the xor for CBC.

    So if you run it 3 times for triple des, that's approx 6000 instructions for every 8 bytes, or about 750 instruction cycles per byte. At 8000 bytes/sec for voice quality audio, my fast DES code would only need 6 MIPS on an 8 bit microcontroller. A slower version in C is readily available for free, which runs about 5X slower than my hand optimized assembly, requiring 30 MIPS.

    Certainly strong encryption is feasible in real time for voice audio, even on very inexpensive 8-bit chips.

  • Re:Cryptome (Score:5, Informative)

    by prz ( 648630 ) on Monday May 22, 2006 @05:35PM (#15383841) Homepage
    Although the US has ended most of their export controls for crypto software, there are still some reasonable export controls in place, namely, to prevent the software from being exported to a few embargoed nations, such as North Korea, Iran, Libya, Syria, and Sudan. And for commercial encryption software that you actually pay for (not this free public beta), there are now requirements to check customers against government watch lists as well, which is something that companies such as PGP comply with these days. PGP Corp volunteered to host the public beta software on their server, with all the appropriate checks in place. That's why you have to register, to make sure you are not in an embargoed country, to keep me in compliance with U.S. export laws. Been there, done that. -Philip Zimmermann
  • Re:Cryptome (Score:1, Informative)

    by Anonymous Coward on Monday May 22, 2006 @05:56PM (#15383968)
    You may want to do a little history check concerning the original release of PGP by Philip Zimmermann, and the charge the NSA made of "arms dealing". I think you will understand this precaution.
  • Re:Cryptome (Score:3, Informative)

    by forand ( 530402 ) on Monday May 22, 2006 @06:36PM (#15384196) Homepage
    Mr. Zimmermann, the registration page that is being referred to only asks for your email address, thus your argument is invalid in this case.
    http://www.philzimmermann.com/EN/zfone/index-registration.html [philzimmermann.com]
    So why do you require registration?
  • by grahamsz ( 150076 ) on Monday May 22, 2006 @06:41PM (#15384238) Homepage Journal
    Yeah they pretty much hand you the lists

    http://www.treas.gov/offices/enforcement/ofac/sdn/delimit/index.shtml [treas.gov]

    Of course some of the entries are obviously from gathered intelligence. I recall having to block anyone called "The Chess Player" from signing up. Unfortunately most websites don't gather date of birth, and when you do name only matching you catch a lot of innocent people - who are usually mightily pissed off about having to call EVERY SINGLE SITE that they try to sign up for.

    The other big caveat is what you're supposed to do when you find a match - it's virtually impossible to stop them just changing their details and signing up again.

  • Misplaced paranoia (Score:2, Informative)

    by prz ( 648630 ) on Monday May 22, 2006 @08:27PM (#15384666) Homepage
    > Mr. Zimmermann, the registration page that is being referred to only asks for your email address, thus your argument is invalid in this case. So why do you require registration?

    I told you why already. The wording of your posting implies you don't believe me. If you need more convincing, go to my Zfone FAQ page (http://philzimmermann.com/EN/zfone/index-faq.html) where I address this particular question in great detail. If you still don't believe me after reading that, you are welcome to not use the product, and apply for a full refund. --prz
  • by Anonymous Coward on Monday May 22, 2006 @08:46PM (#15384734)
    If I understand this software correctly, the keys are generated and discarded on the fly. Asking for the keys in that context is akin to asking for the contents of the A register last Tuesday. What do you say when you are legally required to turn over information that you have never seen, no longer have and never even knew that you had?

  • by Beryllium Sphere(tm) ( 193358 ) on Monday May 22, 2006 @09:29PM (#15384875) Journal
    The Scarfo case [cnn.com]. An accused mobster was using PGP, the FBI got a warrant, and tapped his computer with what sounds like a hardware keylogger.
  • Re:Cryptome (Score:2, Informative)

    by ocelotbob ( 173602 ) <ocelot@nosPAm.ocelotbob.org> on Monday May 22, 2006 @10:13PM (#15385021) Homepage
    Speak for yourself, not this nebulous "us". Some of us don't care if a product is GPL. Many slashdotters are more concerned about productivity than ideology, and Mr. Zimmermann is one of the good guys here.
  • by SonicSpike ( 242293 ) on Tuesday May 23, 2006 @03:50AM (#15385417) Journal
    ...inherently distrust government no matter who is in power. Libertarians always view the government as untrustworthy, expansive, over-reaching, and inefficient by its very nature. Thus the idea is to limit the government to its most basic and fundamental operations as set forth in the Constitution by our founding fathers.

    The lines between the Dems and the Reps here in the US have blurred to the point that distinction is negligible.
  • by RPoet ( 20693 ) on Tuesday May 23, 2006 @05:06AM (#15385649) Journal
    You should never trust closed-source and purposefully undocumented crypto, and not be surprised when it gets cracked.
