[IP] Phil Zimmerman's latest salvo in the privacy wars....
starting to install in Gizmo -- "djfarber" djf
Begin forwarded message:
From: David Boyes <dboyes@xxxxxxxxxxxxxx>
Date: April 8, 2006 3:31:18 AM EDT
To: dave@xxxxxxxxxx
Subject: Phil Zimmerman's latest salvo in the privacy wars....
Check out the last paragraph. For IP if you so choose. A Pretty Good
Way to Foil the NSA
By Ryan Singel
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
|
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
Also by this reporter
02:00 AM Apr, 03, 2006
How easy is it for the average internet user to make a phone call
secure enough to frustrate the NSA's extrajudicial surveillance program?
Wired News took Phil Zimmermann's newest encryption software, Zfone,
for a test drive and found it's actually quite easy, even if the
program is still in beta.
Zimmermann, the man who released the PGP e-mail encryption program to
the world in 1991 -- only to face an abortive criminal prosecution
from the government -- has been trying for 10 years to give the world
easy-to-use software to cloak internet phone calls.
On March 14, Zimmermann released a beta version of the widely
anticipated Zfone. The software is currently available only for OS X
(Tiger) and Linux, though a Windows version is due in April.
The open-source software manages cryptographic handshakes invisibly,
and encrypts and decrypts voice calls as the traffic leaves and
enters the computer. Operation is simple, and users don't have to
agree in advance on an encryption key or type out long passcodes to
make it work.
Would-be beta testers must provide Zimmermann with an e-mail address.
That seems an odd requirement for a privacy product, but the process
itself was painless, and an e-mail with a download code arrived
immediately.
In our test, Zfone installed easily and quickly on OS X, though there
were some mild hitches in actually getting it to work.
Zfone is designed to work with VoIP clients that use the industry
standard SIP protocol, and has been tested with clients such as X-
lite, Free World Dialup and Gizmo Project.
Following Zfone's instructions, Wired News was able to fairly quickly
configure Gizmo Project to work with the software. But initial
efforts to make phone calls with the system failed. Eventually, a
little trial and error revealed that Zfone needed to be started
before Gizmo Project, and that to see if a secure connection has been
created, both Gizmo and Zfone's interface needed to be visible on the
desktop.
Once that happens, and the caller on the other end also has Zfone
installed, the interface cleanly indicates that the call is secure.
It also displays two different three-character codes. One party reads
his code, e.g. "CF8," while the other says hers, "TKP."
This bit of cloak-and-dagger isn't just fun, it helps prevents what
is known as a man-in-the-middle attack, in which an eavesdropper sits
between two callers, intercepting their cryptographic keys and then
relaying the communications between them. If someone tries that with
Zfone, the spoken codes won't match what the callers see on their
screens.
Using Zfone didn't add any noticeable latency or distortion to calls
made with Gizmo Project. Once it's up and running, you're simply
talking on the phone.
But make no mistake: to eavesdroppers, Zfone is anything but routine.
The protocol is based on SRTP, a system that uses the 256-bit AES
cipher and adds to that a 3,000-bit key exchange that produces the
codes callers can read off to one another. It has been submitted to
IETF for approval as an internet standard, and by most accounts is
strong enough to defy even the most sophisticated code-breaking
technologies, from a hacker's packet sniffer to the acres of
computers beneath Ft. Meade.
That makes Zfone the "most secure telephone system anyone has ever
used," according to PGP Corporation's CTO Jon Callas, who worked with
Zimmermann on the protocol
Of course, security is nice, but the value of an end-to-end crypto
system is partially a function of its popularity. If you're the only
one using the system, there's nobody to talk to.
The Gizmo Project ostensibly uses its own encryption for Gizmo-to-
Gizmo calls, though the company won't reveal what algorithms they
use. But primarily, Zfone is competing with the built-in crypto that
comes with Skype, which is closed-source, uses its own proprietary
protocols, and employs its own encryption scheme -- which,
significantly, is not available for inspection and peer-review
(though some have evaluated (.pdf) it and others purportedly cracked
it anyway).
Those are all troubling signs for a security system. But as a
standard element in Skype's popular VoIP software, this unproven
crypto has already achieved a market penetration that will likely
elude Zimmerman's system.
So as nice as it is, unless Zfone is adopted by mainstream VoIP
providers, it will probably occupy the same limited market niche as
the hyper-secure PGP program that ruffled so many government feathers
over a decade ago.
PGP didn't become standard e-mail fare outside of the community of
geeks, cypherpunks and those with special privacy needs, like human
rights workers and people living in countries where the government
routinely spies on its citizens without oversight. Fortunately for
Zimmerman, there are a lot more of us these days.
David Boyes
Sine Nomine Associates
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/