In 1991, Philip Zimmermann developed a humble-sounding electronic encryption technology known as Pretty Good Privacy. In fact, it was very good--so good that not even the federal government has been able to crack it, a fact that has made Zimmermann a folk hero to privacy advocates and a headache to law enforcement.
Now Zimmermann, a fellow at Stanford Law School's Center for Internet and Society, has found himself back in the fiery debate between federal investigators and those who oppose their snooping--this time thanks to ZRTP, a technology for encrypting Internet telephone calls. ZRTP throws a wrench in the Bush administration's controversial warrant-free wiretapping program and its proposed legal immunity for the telecommunications companies. So far, not even teams of supercomputers and cyberspies at the National Security Agency have cracked ZRTP. That means anyone who uses Zimmermann's Zfone software, a ZRTP-enabled voice over Internet Protocol (VoIP) program available for free on his Web site, can skirt the feds' wiretapping altogether.
Forbes.com spoke with Zimmermann about how his small company has been able to produce an encryption product that not even the U.S. government can break, what ZRTP means for national security, and why cutting off the government's access to our phones is necessary to keep out the truly malicious spies.
Forbes: From a security and espionage perspective, what's the difference between traditional telephony and VoIP?
Zimmermann: In the traditional telephone system, Alice and Bob are connected by a single path. The simple thing is to wiretap that path in the middle at the phone company's switch. With VoIP, the packets take many paths through the cloud to get to their destination, so traditional wiretapping isn't nearly as easy. Instead, it's easiest to tap it near the endpoints. That, in fact, is very easy to do--almost trivial.
So unencrypted VoIP is less secure than traditional telephony?
Vastly less secure. The traditional public telephone system that we've been using for the last hundred years is fairly well protected. It's easy for the government to wiretap it by going to the phone company, but not easy for anyone else to wiretap it. If anyone else wanted to wiretap someone's conversations, they'd have to find a place close to his or her office, get some alligator clips, try to find the right wire out of thousands to clip them onto, and hope that nobody spots them doing it.
With VoIP, it's not nearly so hard. All you need is to take over a computer on the same network as the VoIP traffic with some spyware. That computer intercepts the VoIP conversations and stores them on a hard disk as .wav files that can be browsed later. A wiretapper could even choose to target the phone calls of a company's general counsel talking to an outside law firm, or the CEO talking to his counterpart at another company.
It's much easier because you don't have to physically be there. You can be in China or Russia and target a company without obtaining a visa or entering the country you're trying to infiltrate.
So unencrypted VoIP is vulnerable not just to government wiretapping but also to cyber-criminal spying.
With traditional telephony, our threat model was mostly government wiretapping. With VoIP, anyone can wiretap us: the Russian mafia, foreign governments, hackers, disgruntled former employees. Anyone.
Historically, there's been an asymmetry between government wiretapping and everyone else wiretapping that's been in the government's favor. As we migrate to VoIP, that differential collapses. The government itself is just as vulnerable. Wiretappers can reveal details of ongoing investigations, names and personal details of informants, conversations between officials and their wives about what time they pick up their kids at school.
So you're arguing that we have to encrypt VoIP to protect our calls from criminals, regardless of whether it defeats government wiretapping?
We have no choice. If we had the luxury of continuing to use the traditional phone system and not VoIP, we wouldn't be compelled to encrypt calls. The traditional phone system is well-protected enough that, although the government can wiretap it, organized criminals can't.
Everyone thinks that VoIP is the future of telephony. It's cheaper, more versatile, more feature-rich. So technological pressure herds us towards VoIP; we'll have to encrypt it. Wiretapping will become so easy that the criminals--not just governments--will be able to do it routinely. There will be insider trading, blackmail, organized crime spying on judges and prosecutors, key witnesses killed before they can testify.
What exactly are ZRTP and Zfone, and how do they work?
ZRTP is a protocol that defines how VoIP phones talk to each other in an encrypted way. Zfone is a program that we've developed for end users that employs ZRTP. They both use strong cryptographic algorithms to negotiate cryptographic keys between two parties without the participation of any phone company. The keys are strings of bits, and without them, you can't decrypt the conversation. They're automatically created at the start of the call, and destroyed at the end. Only the two parties know the keys, and the phone company isn't in a position where it can give the keys to a third party.
And that negotiation can't be intercepted?
It could be intercepted, but it wouldn't be useful. The keys are negotiated between the two parties using an algorithm known as the Diffie-Hellman algorithm, which makes it computationally infeasible for a third party to reconstruct the keys by intercepting the key negotiations. That's the beauty of public key cryptography. Your opponent can intercept all the packets of data in the negotiation, and yet he can't figure out what the keys are, unless he has nearly infinite computing resources. He'd need more computing resources than the human race currently has and the entire lifetime of the universe to work on it.
And with these shared keys, you can encrypt communication in a way that can't be unscrambled?
Once the two parties have keys, they can use the Advanced Encryption Standard, which is in wide use today. It's a cipher that's very difficult to reverse without knowing the keys. And when I say "very difficult," again I mean that the computations would take millions of times the age of the universe.
So you've created a protocol that not even thousands of NSA agents working for years could unscramble?
Well, they're using computers, not people. In fact, they're using supercomputers that attempt every possible key. But they wouldn't be able to guess the key to decrypt a ZRTP-encrypted conversation.
In fact, they're using the same kind of encryption for their own classified data. If they knew how to break it, they probably wouldn't trust it enough to use it themselves.
Plenty of Americans believe that government wiretapping--even without a warrant--is legitimate. But encrypted VoIP calls could mean the end of that kind of wiretapping as well.
Yes, it would. But if you think about how intelligence agencies fight al-Qaida: they get almost as much information from traffic pattern analysis as they do from the content. There'll be a phone call from Pakistan to a cellphone in New York, and that phone will call six other cellphones. And so they're interested in who's calling whom. They look for the patterns, which will still be visible even if the content is encrypted.
Those patterns often tell them more than the contents of the call. The contents might be "The wedding cake will be ready on Saturday." Well, it's probably not a wedding cake, and it's probably not really Saturday either.
From the point of view of law enforcement, traffic analysis can be quite useful. But for a criminal trying to get information for insider trading, he's only interested in the content. So encryption actually hits criminals harder than it hits law enforcement agencies.
The Communications Assistance for Law Enforcement Act (CALEA) mandates that telecommunications equipment provide a backdoor for interception by law enforcement. Does that mean that ZRTP is illegal?
CALEA imposes requirements on service providers like phone companies. But Zfone negotiates the keys between end users, where CALEA doesn't apply. The phone company doesn't have access to the keys--only the users do. CALEA is rendered moot.
What's your take on the debate over the Bush Administration's program of warrant-free wiretapping and what it means for civil liberties?
If the government has a court-ordered wiretap against someone who they believe has probable cause, there's still a legal place for that. The driftnet fishing approach, where anyone can be wiretapped at any time, however, raises some constitutional questions.
The objective of ZRTP is not to stop the NSA from doing its job. It's to protect society from organized crime and foreign governments. We have to encrypt VoIP to do that. That may have effects on lawful interception of telecommunications, but those effects have to be weighed against the terrible effects of not doing it.
The government claims it only wants to wiretap a tiny fraction of a percent of all phone calls. To let the government keep wiretapping those phones, we'd have to expose all of our phone calls to organized crime.
As the debate heats up over immunity for telecommunications companies that have enabled government wiretapping, is interest in your products growing?
Interest is growing, but it will be mainly driven by the growth of VoIP. For now, VoIP isn't the dominant way that people make phone calls, but in a few years it will surpass traditional telephony. And when VoIP grows big enough to hold an attraction for organized crime, they're going to be all over it--just like they're all over the rest of the Internet today.