This article can also be found in the Premium Editorial Download "Information Security magazine: Reflections on the impact of Sarbanes-Oxley."
Download it now to read this article plus other related content.
|8 More Security Stars
PHIL ZIMMERMANN The irony has not escaped Phil Zimmermann that cryptography, once essentially illegal in the United States, is today indispensable.
"In today's legal landscape, cryptography is encouraged; in fact, it's encouraged so much, you can get in trouble for not using it," Zimmermann says, referring to the litany of legislation including state data breach disclosure and notification laws. "The overall legal landscape is friendly toward encryption today. And it was hostile toward encryption a decade ago."
Zimmermann, best known for creating PGP (Pretty Good Privacy), ubiquitous email encryption software, has turned his attention to securing voice over IP encryption protocols. His Zfone project was released a year ago for Mac OS and Linux; a Windows version was made available this year. The software enables encrypted phone conversations to take place over the Internet.
"I've been wanting to encrypt phone calls since before I was interested in encrypting email," Zimmermann says. He points out that the Internet was not ready for VoIP a decade ago--microprocessors were too slow, VoIP standards were absent and broadband was not widespread. "What a difference a decade makes. Now we have a whole VoIP industry springing up.
| It's time to
address it again."
Zimmermann says the need for VoIP encryption is more pressing than email encryption. Until now, the public switching telephone network physically secured phone calls, which are relatively safe from wiretapping and other intrusions. Not so with the Internet.
"With VoIP, it's possible to be wiretapped from the other side of the world because they could inject spyware into one of the many PCs in your building, and that PC could intercept all the packets on your network, including VoIP packets," Zimmermann says. "The asymmetry of difficulty of wiretapping collapses as we migrate to VoIP. If we fail to encrypt VoIP, that asymmetry will collapse. Organized crime, for example, will be able to wiretap cops, judges, prosecutors and listen to them discuss criminal investigations."
Zfone is built on the ZRTP protocol, written by Zimmermann, Jon Callas of PGP Corp. and Alan Johnston. ZRTP initiates during call setup and performs a key exchange based on Diffie-Hellman, then captures VoIP packets and encrypts and decrypts them. Users have a GUI that indicates the security of a call.
Zfone's business model is OEM. "If things go the way they appear to be heading, then there will
be massive deployment of my protocol," Zimmermann says.
Hear the complete interview with Phil Zimmermann at searchsecurity.com/10thanniversary.
This was first published in January 2008