Desktop Encryption Developer at Work on VoIP Security

The man who helped safeguard e-mail with his Pretty Good Privacy (PGP) desktop encryption program is now at work on ensuring no one can eavesdrop on Voice over Internet Protocol (VoIP) conversations.

Phil Zimmermann was scheduled to demonstrate his VoIP security program at Black Hat Briefings , an Internet security conference in Las Vegas, today.

Currently, VoIP data is sent unscrambled, which means anyone with the technical knowledge can intercept conversations. Zimmermann's program, which he said should be ready for public use within a year, scrambles -- or encrypts -- the data during transmission. Both the caller and the receiver of the call must be using the software for it to work.

Minimal Risk

While VoIP eavesdropping is possible, one analyst said it's not a huge security risk at this time.

"Eavesdropping is a very real possibility in the VoIP world, both within the enterprise and at home," Ed Moyle, president, SecurityCurve, told TechNewsWorld. "However, most users don't need to be scared about this -- most Web traffic is also susceptible to eavesdropping, but users of the Internet realize this and behave accordingly (such as by not submitting personal information or financial information via e-mail or over other cleartext channels)."

Moyle added that he had heard of no security breaches resulting from VoIP eavesdropping. However, as technologies gain adoption, they become bigger and more enticing targets for hackers.

Keep It Simple

Zimmermann said he is trying to keep the complexity out of the system, partly by avoiding full Public Key Infrastructure (PKI). PKI uses a pair of encrypted keys to ensure the privacy of Internet transactions.

Moyle said it will be important to keep any encryption system unobtrusive. "Home users prefer VoIP systems that are simple and robust -- in general, encryption can make the systems more complex and less robust," he said.

"Vonage, for example, uses specialized hardware to allow the interoperation of existing telephones with VoIP; this hardware makes the system simpler to use. A system like [Zimmermann]'s would need to be integrated into these schemes in such a way as to preserve the simplicity -- the current requirement that a PC run software to encrypt the communication channel would be an obstacle in a hardware-based scenario like Vonage. In addition, the requirement that the users at both ends run the software could pose an obstacle to deployment."

The Way to Go?

Moyle also questioned whether this is the best route to take.

"I think it makes sense to look to standards bodies like the ITU-T [International Telecommunications Union's Telecommunication Standardization Sector] for development of the underlying security protocols rather than a particular individual or company," he said. "Standardization ensures interoperability, and interoperability is probably the most important factor to consider when dealing with voice technologies."