There are a variety of ways around Diffie-Hellman spoofing. The current STU-III phones from AT&T, Motorola, etc., use several approaches - there's the Crypto Igniter Key dongles that you need to authorize your phone, which provides one form of out-of-band authentication (partly authentication of the DH keys, but more important is authentication that the person at the other end is probably cleared for the level of classification you're running the call at); there's also an LCD display on the phone that shows the other person's DH half-key, so you can do voice verification if you want. They may do other stuff as well. Scott Collins mentioned the "digital signature on RSA keys", which the Capstone phones probably do even though Clipperphones probably won't. There are also tricks about sending half the key at a time, though they're apparently still hackable.

Bill
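The half-key display check mentioned in the message, sketched as an added example (not code from the original post, and not the STU-III's actual scheme): each side reads out a short code for its own half-key and the other side compares it with the code for the half-key it received. The toy prime, the generator, the six-digit code format and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy parameters: 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private exponent, public half-key)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def display_code(half_key, digits=6):
    """Short code a phone could show for a DH half-key (hypothetical format)."""
    h = hashlib.sha256(half_key.to_bytes(16, "big")).digest()
    return f"{int.from_bytes(h[:4], 'big') % 10**digits:0{digits}d}"

def call(interceptor=None):
    """Run one exchange and return what each side would compare by voice."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    # What arrives at each end: the genuine half-key, or a substituted one.
    to_b = interceptor(a_pub) if interceptor else a_pub
    to_a = interceptor(b_pub) if interceptor else b_pub
    return {
        "keys_match": pow(to_a, a_priv, P) == pow(to_b, b_priv, P),
        "alice_reads": display_code(a_pub),   # spoken by Alice
        "bob_display": display_code(to_b),    # shown on Bob's phone
        "bob_reads": display_code(b_pub),     # spoken by Bob
        "alice_display": display_code(to_a),  # shown on Alice's phone
    }

def verified(result):
    """True only if both spoken codes equal the codes on the far-end displays."""
    return (result["alice_reads"] == result["bob_display"]
            and result["bob_reads"] == result["alice_display"])

def substitute_key():
    """Model a spoofed exchange: every half-key in transit is replaced."""
    _, m_pub = keypair()
    return lambda _genuine: m_pub

if __name__ == "__main__":
    for label, mitm in (("clean line", None), ("spoofed line", substitute_key())):
        r = call(mitm)
        print(label, "| codes agree:", verified(r), "| same session key:", r["keys_match"])
```

The check only helps if the codes are actually read aloud and compared; a display that nobody looks at detects nothing.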