Philip Zimmermann on What's Next after PGP


BY LAURIANNE MCLAUGHLIN

Will zFone—a new encryption program for voice-over-IP (VoIP) phone calls—do for VoIP what Pretty Good Privacy (PGP) did for email? Philip Zimmermann believes it can. Zimmermann, the creator of PGP email encryption software, plans to release zFone, a peer-to-peer encryption product for VoIP in February. Zimmermann passionately believes these phone calls require good encryption technology—without it, online criminals will target VoIP calls the way they’ve attacked the Web at large.

PGP’s colorful story started when Zimmermann conceived and produced it for human rights workers who needed secure email in countries with oppressive governments. After he published the PGP source code on the Internet in 1991, the US government conducted a criminal investigation, claiming that Zimmermann had broken export rules for cryptographic software. The case was dropped in 1996.

Today, Zimmermann works as a special advisor and consultant for PGP Corporation, consults for various companies and industry groups on cryptography issues, and serves as a fellow at Stanford Law School’s Center for Internet and Society.

With S&P, he discussed the lessons he learned from PGP and the thinking and technology behind zFone. He also shared his take on recent US government rulings on the monitoring of VoIP calls, and evolving VoIP security standards.

S&P: What are the differences between your current VoIP privacy project, zFone, and PGPfone?

Zimmermann: PGPfone was a project I worked on 10 years ago. At that time, there was no VoIP industry. No one had broadband. There were no standards for VoIP. I had to develop everything from scratch. But now, the Internet is ready for VoIP. There’s this burgeoning VoIP industry, so it seems like a good time to revisit the question and do it again, only better, and compliant with VoIP standards.

S&P: Are you essentially trying to solve the same set of problems?

Zimmermann: Yes, I want to make it so you can whisper in someone’s ear, even if their ear is 1,000 miles away.

I’m not trying to create the VoIP client. There are plenty of VoIP clients out there that do a fine job. Instead, I’m adding the crypto protocol to existing VoIP clients. zFone will allow you to use any VoIP client you want on your laptop computer and present you with a GUI that tells you the call is secure.

S&P: What is the main challenge in adding the crypto protocol to the VoIP client?

Zimmermann: You can either integrate it inside different vendors’ VoIP clients or write a separate piece of code which sits in the IP stack and watches the packets going in and out of your computer, looking for VoIP packets. At the beginning of a VoIP call, it reacts and negotiates a key between the two parties and encrypts the packets on the fly. This is the approach I’m working on to start.

In the long run, we’ll start to see that some VoIP clients will have my protocol integrated inside them. I might even license a well-featured VoIP client and have a house-branded secure VoIP client at some point.

S&P: Will you release the source code for zFone?

Zimmermann: I will be publishing my source code, as I did with PGP. It’s a long-standing tradition. I think it’s the only way to get people to trust your crypto.

S&P: There are some efforts now to standardize VoIP security. Is this hindering the introduction of strong security features?

Zimmermann: I’ve looked at some of the standards that are currently under consideration. Most of them have some problems. They either depend on servers—requiring you to trust servers—or they involve persistent key material that could be compromised later after the call is finished, and thus retroactively compromise the call.

PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/06/$20.00 © 2006 IEEE ■ IEEE SECURITY & PRIVACY

They lack perfect forward secrecy. Perfect forward secrecy is the property where you delete the keys at the end of the phone call, so you can’t reconstruct the plain text from intercepted ciphertext after the call is finished. My protocol has perfect forward secrecy.

S&P: What’s the problem with a centralized approach to VoIP security?

Zimmermann: Some of the schemes are terribly insecure. They all involve the participation of servers. Some of them require trusting the servers, which I think is a problem. If you’re calling someone in China, and his VoIP provider is a company operating under the influence of the Chinese government, how do you know it’s a secure call? I prefer a protocol that relies only on the two parties to negotiate their keys without the participation of servers. My protocol is strictly peer-to-peer in the way it negotiates session keys.

Another thing that the existing protocols have that I regard as problematic is some of them depend on the public-key infrastructure.

S&P: Which aspect of your professional work on encryption has given you the most satisfaction?

Zimmermann: What’s given me the most satisfaction is PGP being used by human rights groups, by people operating in countries with oppressive governments, in environments where people are trying to kill each other. I feel good when I get emails from people in those environments, people saving lives. Of course, I’m glad to see PGP making money, but what really warms my heart is when I see it used for its original intended purpose.

S&P: What were your most interesting personal experiences bringing PGP to the mass market?

Zimmermann: One particularly fun thing we did as part of the crypto revolution was publish the PGP source code in books in OCR [optical character recognition] format. We came up with some well-designed tools to do that in a way that could be easily scanned. By doing that, we blew a hole in the export controls in the 1990s and accelerated the demise of those export controls.

S&P: What were the main business challenges as you brought PGP to market?

Zimmermann: Getting businesses to recognize the need to encrypt. It took some years for that to happen, but now it’s happening more and more. Part of it is because of some legislative help. For example, now there’s a law in California, and other states, that requires companies to disclose to their customers if they lose customer data, if someone steals a laptop with 200 customer names and social security numbers. It’s terribly embarrassing to the company. But if they encrypt those files, they don’t have to disclose it. That’s increasing demand for encryption.

Other laws are increasing the interest, such as HIPAA [Health Insurance Portability and Accountability Act] and Sarbanes-Oxley.

S&P: PGP was one of the first applications to put users in close contact with encryption and key management. What did you learn from PGP about making privacy tools easy to use?

Zimmermann: In the beginning, I was trying to make privacy tools that were strong first, and easy to use second. But over the years, I learned it was important to make them easy to use.

Ease of use is not just having a better GUI, it’s also dealing with the user’s inability to grasp abstractions of public-key infrastructures. Non-technical users don’t want to learn about key certification and certificate authorities. It’s the conceptual hurdles that are the stumbling blocks, not the quality of the graphical user interface. And so in the last couple of years, PGP Corp. has introduced products that make it unnecessary for users to learn those concepts.

S&P: Is quantum computing a real or imagined threat to encryption techniques?


About Philip Zimmermann

Philip Zimmermann, the creator of Pretty Good Privacy (PGP), previously was a software engineer specializing in cryptography and data security, data communications, and real-time embedded systems. He has won numerous technical and humanitarian awards related to his cryptography work. Zimmermann earned a BS in computer science from Florida Atlantic University in 1978.

He is also a member of the International Association of Cryptologic Research, the ACM, and the League for Programming Freedom. Zimmermann serves on the Roundtable on Scientific Communication and National Security, a collaborative project of the National Academies and the Center for Strategic and International Studies. He chairs the OpenPGP Alliance (www.openpgp.org) and serves on the board of directors for Computer Professionals for Social Responsibility. Zimmermann also serves on advisory boards for Santa Clara University’s computer engineering department, Anonymizer.com, Hush Communications, Encentuate, and Qualys.


Zimmermann: I don’t really worry too much about quantum computing right now. It’s extremely difficult to do anything practical with quantum computing. You have to build a quantum computer that operates in isolation from the rest of the universe, and that’s pretty difficult. When they build a quantum computer that can do something useful, like what a normal computer could do, then I’ll take it more seriously.

S&P: Modern encryption plays a big role in commerce. Given the strength of today’s algorithms and implementations, what are the current weak links in an end-to-end system?

Zimmermann: I think the weak links are mostly the operating systems, especially Windows. The encryption is strong enough that you usually don’t have to worry about someone breaking the encryption. Think of encryption as having a steel door on your house that’s three feet thick—but someone could bust a window, stick their hand in, turn the doorknob, and open the door—because of the OS.

S&P: What’s the next big thing in encryption technology?

Zimmermann: The most technically interesting thing going on right now is hash functions. In the last couple of years, there’s been a realization in the crypto community that we don’t know how to do good hash functions because they’ve been broken, especially by some Chinese researchers who broke SHA-1 [Secure Hash Algorithm-1], which is a very widely used hash function. It’s used in the digital signature standard and a lot of other things, too.

Many of the hash functions that we use in cryptography suffer from monoculturalism, sort of like the Irish potato famine. That blight wiped out their whole economy. We’ve made a similar mistake with our hash functions. There are a number of [them] that are all related architecturally. Someone has successfully attacked that architecture, so now there’s a lot of anxiety in the crypto community that our most important hash functions are in jeopardy. There’s now a focus on learning to make better hash functions.

We learned a lot about block ciphers. Lots of cryptographers focused on block ciphers for many years. As a result, we came up with an excellent Advanced Encryption Standard. We need something similar for a new hash function.

S&P: The encryption genie is out of the bottle. What purpose is served, if any, when governments try to ban encryption?

Zimmermann: There are a lot of countries that ban a lot of things. I think in Burma they ban fax machines. In China, they censor the Internet. Banning crypto, I think, is along the same lines. It’s mostly repressive regimes that do it.

S&P: The US Federal Communications Commission (FCC) has ruled that the Communications Assistance for Law Enforcement Act (CALEA) applies to VoIP. This means VoIP must be designed in accordance with US Federal Bureau of Investigation (FBI) standards. What will this mean to encrypted VoIP?

Zimmermann: CALEA required the phone companies to provide plaintext feeds to law enforcement. There wasn’t much encryption for phone calls, so it wasn’t so hard for the phone companies to do that. With VoIP, it becomes a little more problematic.

Some of the VoIP service providers have the VoIP traffic passing through their servers, and in those cases, the VoIP providers will be able to direct that stream of voice packets to law enforcement.

But if you look at the direction that the IETF [Internet Engineering Task Force] standards for VoIP are moving in, they’re moving in a direction that has the voice packets flowing directly from peer to peer. The calls are set up by the SIP [Session Initiation Protocol] servers that the VoIP service providers are running, but those SIP servers are essentially just brokering the calls, introducing the parties to each other to tell them what IP addresses they’re using. The voice packets themselves often can flow between the two parties without passing through the servers operated by the VoIP service provider. In this case, it will be difficult for the VoIP service provider to direct anything to law enforcement, because it won’t be seeing the voice packets.

The law as it stands is an attempt to control the behavior of the VoIP service providers. The IETF VoIP standards do not require the voice packets to pass through the VoIP service provider.

S&P: Do you see this FCC ruling as having a broader impact than VoIP, perhaps affecting instant messaging?

Zimmermann: The government seems to be moving in the direction of intercepting more Internet communications, so I would be concerned about that.

12 IEEE SECURITY & PRIVACY ■ JANUARY/FEBRUARY 2006


S&P: Why is encryption for VoIP calls important?

Zimmermann: The threat model for interception of PSTN [public switched telephone network] phone calls is fairly narrow. It can be done at the switch, which is typically the government doing it. Or it can be done close to the target’s office, with alligator clips on the copper wires leading into his facility. Or it can be done at the international fiber-optic cables that carry the long distance traffic, and that’s typically the intelligence agencies.

But with VoIP calls, the threat model is greatly expanded. You could have a PC in your building infected with hostile spyware from the Russian mafia and it could intercept all the packets on your local network, including VoIP packets, and store the VoIP packets, and organize them like a TiVo player—so that someone could do point-and-click wiretapping from the other side of the world.

They could, for example, zero in on calls made from the in-house counsel to the outside law firm, or from the company’s CEO to another CEO to discuss an acquisition. Organized crime could use that information to do insider trading. This could be done by people on the other side of the world—the Chinese government, the Russian mob, freelance hackers, or terrorist organizations.

If you look at what’s happening today with the Internet as a whole, the kind of attacks we see rampant on the Internet—identity theft, phishing attacks, distributed denial-of-service attacks—most of these are done by organized crime because it’s lucrative for them to do it. When VoIP becomes as popular as we think it will become, it will reach a threshold where it, too, becomes a lucrative target. And when it does, it will be attacked with the same zeal that we see now attacking the rest of the Internet. So, before we move our precious phone calls from the well-manicured neighborhood of the PSTN [public switched telephone network] to the crime-ridden slum of the Internet, we’d better encrypt them.

Laurianne McLaughlin is a freelance technology writer based in Massachusetts.
