Presented at DEF CON 15 (2007), Aug. 3, 2007, noon (50 minutes)

The time for secure encrypted VoIP for the masses is upon us. The Zfone Project has come a long way in the two years since Phil Zimmermann demoed a prototype at Black Hat. It's now a family of products, running on Symbian and Windows mobile phones, soft VoIP clients on Mac OS X, Windows, Linux, and in the Asterisk PBX, in both open source and commercial products. Zfone lets you whisper in someone's ear from a thousand miles away.

Phil will be explaining the ZRTP protocol used by Zfone, and demoing it. The ZRTP protocol does not rely on a PKI. It also does not rely on SIP signaling for the key management, and in fact does not rely on any servers at all. This means your VoIP security doesn't depend on VoIP service providers who don't always act with your best interests in mind. ZRTP performs its key agreements and key management in a purely peer-to-peer manner over the RTP packet stream. And it supports opportunistic encryption by auto-sensing if the other VoIP client supports ZRTP.

The law enforcement community will be understandably concerned about the effects encrypted VoIP will have on their ability to perform lawful intercepts. But what will be the overall effects on the criminal justice system if we fail to encrypt VoIP? Historically, law enforcement has benefited from a strong asymmetry in the feasibility of government or criminals wiretapping the PSTN. As we migrate to VoIP, that asymmetry collapses. VoIP interception is so easy, organized crime will be able to wiretap prosecutors and judges, revealing details of ongoing investigations, names of witnesses and informants, and conversations with their wives about what time to pick up their kids at school. The law enforcement community will come to recognize that VoIP encryption actually serves their vital interests.


  • Philip R. Zimmermann
    Philip R. Zimmermann is the creator of Pretty Good Privacy. For that, he was the target of a three-year criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread all around the world following its 1991 publication as freeware. Despite the lack of funding, the lack of any paid staff, the lack of a company to stand behind it, and despite government persecution, PGP nonetheless became the most widely used email encryption software in the world.

