VoIP encryption to have 'Pretty Good Privacy

LAS VEGAS -- The creator of one of the most famous e-mail encryption programs, Pretty Good Privacy [PGP], plans tomorrow to unveil a prototype for scrambling data streaming through VoIP, helping to prevent people from eavesdropping on private conversations.

"With VoIP there is such a rapid migration from the relative safety of the [public switch telephone network] to the dangerous environment of the Internet that something has to be done soon," Phil Zimmermann said in an interview prior to the Black Hat Briefings security conference in Las Vegas. "We need to protect businesses from criminals who are now operating on a large, organized scale. When VoIP really takes off, they'll target it. Our nation needs to protect its critical infrastructure and secure VoIP will be an important component of that."

VoIP security: Check out SearchSecurity.com's comprehensive VoIP Security Resource Guide VoIP security, PGP style: Phil Zimmermann, cryptographer and creator of the popular Pretty Good Privacy (PGP) e-mail encryption program, is addressing what he deems a genuine need for IP voice encryption. Zimmermann unveiled Zfone. For VoIP, too many threats to count: At Interop New York, a crew of experts discussed what security challenges VoIP creates and offered some helpful tips. One expert called VoIP technology a "moving target" for attacks.

VoIP [Voice over Internet Protocol] makes use of data lines to transmit packets of information like any other network, but raises a host of questions on both security and reliability. Zimmermann's primary focus is on the privacy aspects because VoIP lends itself to eavesdropping. He hopes the new software will help businesses shield themselves against corporate and government espionage.

Zimmermann said the as-yet-unnamed prototype is similar to the PGP phone he developed nine years ago. Though the Internet wasn't ready for the technology then because there were no VoIP protocols or standards and no broadband to send the packets in a timely fashion, he believe its time has come.

He began developing the project using an open-source VoIP client and added encryption. The technology makes it possible to call any Session Initiation Protocol [SIP] phone easily, but won't encrypt the conversation unless both phones use the software. Though peppered with a few problems in its underlying VoIP client Shtoom, Zimmermann is confident he can work out any bugs.

"You could think of PSTN as a well-manicured upscale neighborhood, while the Internet where VoIP is based is a crime-ridden slum, full of phishing attacks, viruses, zombies and denial-of-service attacks," Zimmermann cautioned. "To think of moving our precious phone calls from the benign world of the PSTN to the rough neighborhood of the Internet seems foolish without protecting the calls."