Interview hakin9 5/2007
Interview with Philip R. Zimmermann
Philip R. Zimmermann is the creator of
Pretty Good Privacy, an email encryption software package. Originally
designed as a human rights tool, PGP was freely distributed on the
Internet in 1991. Zfone, his latest cryptography project, provides
secure telephony for the Internet.
hakin9 team: What led you to
develop VOIP encryption?
Philip R. Zimmermann: I have
always been interested in VOIP/secure telephony. In fact, I was quite
interested about twenty years ago but it wasn’t possible
technologically at the time. Ten years ago I developed the PGP phone.
Unfortunately, there was no affordable broadband, no VOIP standards,
no VOIP industry – no market. Let’s fast forward to
now – market, broadband – soon most calls are on VOIP.
h9: Are you concerned that Zfone
will and can be used by organized crime or terrorist organizations?
PZ: Of course, I worry about
that a great deal. I don't know how to stop them unless you
completely stop making it available to everyone.
Example: GPS – Initially for
military use, today it is used domestically. The 9/11 hijackers
bought GPS devices to guide weapons to their targets (but never used
them). Should we stop selling GPS because of this? Imagine the effect
on the economy.
h9: Will some sort of key escrow
or back door be allowed to extend CALEA compliancy within the US
federal government for Zfone?
PZ: CALEA doesn’t apply to
end users. Zfone uses peer to peer key exchange.
(Explaining architecture) Internet &
dumb terminals versus smart telecommunications switch & dumb
phones; it was natural to build the provider network with encryption.
CALEA was designed for the service providers. There are ways to do
cryptography without involving the telecommunication companies.
h9: Explain the ZRTP protocol.
PZ: ZRTP is a key agreement
protocol which performs Diffie-Hellman key exchange during call setup
in-band in the (RTP) media stream which has been established using
some other signaling protocol such as Session Initiation Protocol
(SIP). This generates a shared secret which is then used to generate
keys for a Secure RTP (SRTP) session. One of ZRTP's unique features
is that it does not rely on SIP signaling for the key management, nor
on any servers at all. It supports encryption by auto-sensing whether
the other VoIP client supports ZRTP.
h9: Would you consider
transferring standards control of ZRTP to the IETF to allow the
protocol more success from a standards body perspective?
PZ: Yes, sure I would, I did
that with PGP. I've seen the requirements and participated with
the standard bodies. I am fine with them. I also added a field to
enable PKI signing. In fact, I have put a lot of effort into PKI and
lost tons of money. If you've got PKI already running, use an
authentication stream and send it.
h9: Which companies are
presently using your product?
PZ: Rip Cord Networks is using it in their desktop phones.
CounterPath is using it in their softphone clients. We are integrated
in the next release of the Asterisk PBX. We’re also planning
open source licensing with Asterisk.
h9: How has your experience been
with the dual licensing model? Are more developers taking advantage
of the commercial license or the GPL open source license?

PZ: Ubiquity is the prerequisite for success. Skype –
proprietary implementation so Zfone doesn’t work with Skype.
Yahoo uses different RTP signaling but Zfone doesn’t care.
Zfone works through the media stream.
h9: In your opinion with
Microsoft Windows a closed OS, is there a possibility of built in
backdoors to circumvent PGP or Zfone encryption?
PZ: Could Microsoft hide
something? Yes, they could... You can consider Windows to be
insecure. We do the best we can and I think we have done a great job.
h9: Is there any overhead to
account for when using the ZRTP protocol?
PZ: VOIP clients don’t
always follow the rules. NAT traversal is one of the biggest problems
in industry. Skype did it without following standards – that's
why they are so successful now. Standards haven’t been as
complete as they should. Sometimes Zfone fails to detect the RTP
stream due to products that do not meet standards.
h9: Would it be harder or easier
to develop strong encryption today compared to the late 80's &
early 90's?
PZ: Easier now because of the
cryptography revolution that started with PGP.
There were three countries in the
cryptography revolution – France, Britain, and the US.
US – Had export controls.
France – Domestic prohibition.
Britain (Europe) – export
controls and they were trying to impose domestic control.
After a groundswell of support for
domestic use of cryptography, France was the first to fall, then
Britain, followed by the US in 2000.
Current export restriction countries:
North Korea, Sudan, Iran, Syria, Libya, Cuba, Iraq, Afghanistan.
Currently there are no domestic
controls in the US.
h9: What are your thoughts on
the US Patriot Act?
PZ: The biggest damage from
al-Qaeda besides the killing of many people was the response of the
US government. We were led in a direction that is bad for the country
through unilateral Foreign Policy changes and the abolishment of
Habeas Corpus (the protection against illegal confinement, such as
holding a person without charges).
Richard and I would like to thank Mr.
Zimmermann for taking time out of his busy schedule in talking with
us. We both wish him much success on his latest endeavor.
For further information on Zfone,
please visit http://zfoneproject.com/
Philip's photograph was made available
as a courtesy of Philip Zimmermann. The graphic cartoon icon of
Philip Zimmermann was prepared by CPU Magazine.
by Terron Williams & Richard Ray