[Clips] A Pretty Good Way to Foil the NSA

R. A. Hettinga rah at shipwright.com
Tue Apr 4 10:38:29 PDT 2006 

--- begin forwarded text


  Delivered-To: clips at philodox.com
  Date: Tue, 4 Apr 2006 13:35:56 -0400
  To: Philodox Clips List <clips at philodox.com>
  From: "R. A. Hettinga" <rah at shipwright.com>
  Subject: [Clips] A Pretty Good Way to Foil the NSA
  Reply-To: rah at philodox.com
  Sender: clips-bounces at philodox.com

  <http://www.wired.com/news/technology/1,70524-0.html>

  Wired News

  By Ryan Singel
  02:00 AM Apr, 03, 2006

  How easy is it for the average internet user to make a phone call secure
  enough to frustrate the NSA's extrajudicial surveillance program?

  Wired News took Phil Zimmermann's newest encryption software, Zfone, for a
  test drive and found it's actually quite easy, even if the program is still
  in beta.

  Zimmermann, the man who released the PGP e-mail encryption program to the
  world in 1991 -- only to face an abortive criminal prosecution from the
  government -- has been trying for 10 years to give the world easy-to-use
  software to cloak internet phone calls.

  On March 14, Zimmermann released a beta version of the widely anticipated
  Zfone. The software is currently available only for OS X (Tiger) and Linux,
  though a Windows version is due in April.

  The open-source software manages cryptographic handshakes invisibly, and
  encrypts and decrypts voice calls as the traffic leaves and enters the
  computer. Operation is simple, and users don't have to agree in advance on
  an encryption key or type out long passcodes to make it work.

  Would-be beta testers must provide Zimmermann with an e-mail address. That
  seems an odd requirement for a privacy product, but the process itself was
  painless, and an e-mail with a download code arrived immediately.

  In our test, Zfone installed easily and quickly on OS X, though there were
  some mild hitches in actually getting it to work.

  Zfone is designed to work with VoIP clients that use the industry standard
  SIP protocol, and has been tested with clients such as X-lite, Free World
  Dialup and Gizmo Project.

  Following Zfone's instructions, Wired News was able to fairly quickly
  configure Gizmo Project to work with the software. But initial efforts to
  make phone calls with the system failed. Eventually, a little trial and
  error revealed that Zfone needed to be started before Gizmo Project, and
  that to see if a secure connection has been created, both Gizmo and Zfone's
  interface needed to be visible on the desktop.

  Once that happens, and the caller on the other end also has Zfone
  installed, the interface cleanly indicates that the call is secure. It also
  displays two different three-character codes. One party reads his code,
  e.g. "CF8," while the other says hers, "TKP."

  This bit of cloak-and-dagger isn't just fun, it helps prevents what is
  known as a man-in-the-middle attack, in which an eavesdropper sits between
  two callers, intercepting their cryptographic keys and then relaying the
  communications between them. If someone tries that with Zfone, the spoken
  codes won't match what the callers see on their screens.

  Using Zfone didn't add any noticeable latency or distortion to calls made
  with Gizmo Project. Once it's up and running, you're simply talking on the
  phone.

  But make no mistake: to eavesdroppers, Zfone is anything but routine. The
  protocol is based on SRTP, a system that uses the 256-bit AES cipher and
  adds to that a 3,000-bit key exchange that produces the codes callers can
  read off to one another. It has been submitted to IETF for approval as an
  internet standard, and by most accounts is strong enough to defy even the
  most sophisticated code-breaking technologies, from a hacker's packet
  sniffer to the acres of computers beneath Ft. Meade.

  That makes Zfone the "most secure telephone system anyone has ever used,"
  according to PGP Corporation's CTO Jon Callas, who worked with Zimmermann
  on the protocol

  Of course, security is nice, but the value of an end-to-end crypto system
  is partially a function of its popularity. If you're the only one using the
  system, there's nobody to talk to.

  The Gizmo Project ostensibly uses its own encryption for Gizmo-to-Gizmo
  calls, though the company won't reveal what algorithms they use. But
  primarily, Zfone is competing with the built-in crypto that comes with
  Skype, which is closed-source, uses its own proprietary protocols, and
  employs its own encryption scheme -- which, significantly, is not available
  for inspection and peer-review (though some have evaluated (.pdf) it and
  others purportedly cracked it anyway).

  Those are all troubling signs for a security system. But as a standard
  element in Skype's popular VoIP software, this unproven crypto has already
  achieved a market penetration that will likely elude Zimmerman's system.

  So as nice as it is, unless Zfone is adopted by mainstream VoIP providers,
  it will probably occupy the same limited market niche as the hyper-secure
  PGP program that ruffled so many government feathers over a decade ago.

  PGP didn't become standard e-mail fare outside of the community of geeks,
  cypherpunks and those with special privacy needs, like human rights workers
  and people living in countries where the government routinely spies on its
  citizens without oversight. Fortunately for Zimmerman, there are a lot more
  of us these days.

  --
  -----------------
  R. A. Hettinga <mailto: rah at ibuc.com>
  The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
  44 Farquhar Street, Boston, MA 02131 USA
  "... however it may deserve respect for its usefulness and antiquity,
  [predicting the end of the world] has not been found agreeable to
  experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
  _______________________________________________
  Clips mailing list
  Clips at philodox.com
  http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

More information about the cypherpunks-legacy mailing list