Grainne July 27, 2005 10:16 AM


I particularly like the quote:

“The PSTN is like a well-manicured neighborhood, (while) the internet is like a crime-ridden slum,” Zimmermann said. “To move all of our phone calls from the PSTN to the internet seems foolish without protecting it.”

Davi Ottenheimer July 27, 2005 11:03 AM

Go Phil! Surprised he hasn’t melted yet from the heat (in Vegas).

This is great news since it is already literally trivial to sniff and download VoIP traffic to sound files (see or for example)

I thought Phil, in classic form, put it delicately when he said “The PSTN is like a well-manicured neighborhood, (while) the internet is like a crime-ridden slum”.

Interesting to note that he claims no PKI is necessary to manage keys and that the first release will be on the Mac. PGP certainly works well without key servers, but it introduces other security issues and hardly scales well…

Nonetheless, ease of use (KISS) is definitely a plus, which is why his system is likely to be adopted and deployed widely long before the Voice over IP Security Alliance ( releases their first treatise on how VoIP security ‘should’ work.

Brian Thomas July 27, 2005 11:13 AM

No problem at all, Arik; all of CALEA’s requirements of the carriers are met. too bad for them it doesn’t put any requirements on the individual users…

Surprised that this has taken this long, actually, but I usually am…

Scott Laird July 27, 2005 11:28 AM

There are specs for encrypted SIP and RTP, and a number of common devices support them, like most of Sipura’s lineup. They presumably suffer from the usual X.509 issues, but the specs exist and they’re usable. What is really need is wider interoperability and better device support, not yet another incompatible spec to muddy the waters.

Warren July 27, 2005 11:30 AM

My question is how will this interface to traditional phones that have no en/decryption software? Apparently both parties need to have the software installed, which only helps those of us who decide to install it.

Bruce Schneier July 27, 2005 11:36 AM

@ Warren

My guess is that the phone will attempt to negotiate encryption with the remote phone. If the remote phone has no encryption software, then the phone call won’t be encrypted.

This only works if both sides have the same software.

Bruce Schneier July 27, 2005 11:37 AM

“I wonder – how would encrypted voice calls reconcile with CALEA?”

CALEA is a requirement on U.S. telecommunications carriers, not on individuals making and receiving phone calls.

Aaron Grattafiori July 27, 2005 11:48 AM

I’m pretty sure its going to be released this year at defcon. Excellent Idea, should be an intresting talk.

“The Unveiling of My Next Big Project”
-Philip R. Zimmermann, Creator, Pretty Good Privacy
10am, Friday July 29th

Clive Robinson July 27, 2005 11:51 AM

With Skype already doing a propriatry system with encryption they have taken quite a large chunk of the market.

Phil’s solution will presumably be open, and therefore has a chance of success.

The problem that the IETF etc forget is that nobody realy listens to them any more, it’s down to time to market.

I think that will be the key to VoIP at the end of the day (kind of VHS-v-Betamax) the best standard is almost certainly not going to win, the first “easy to use” system in the market is most likley to win.

The question is will “Open Source” tip the balance in it’s favour.

@Warren Skype now do an interesting little thing with your home/spare phone number in that you can have all calls comming in on that number sent to them, they forward on to you if you are connected VM otherwise. So you can set up your office in any city you please…

Aaron Grattafiori July 27, 2005 11:53 AM

Ah.. my bad. Released as in public availability.. not as in specs or information. And I think its going to be talked about at black hat, which was last weekend. Sorry for the double post.

Hard to believe nobody thought of this sooner…

Henning Makholm July 27, 2005 12:23 PM

It is hard to believe that anyone these days would design a VoIP protocol that did not have some form of encryption built in as a standard feature.

I neither use VoIP nor plan to do so, so it is news to me that the systems currently being pitched to consumers are not encrypted as a matter of course. I would not be surprised by weak encryption, or by good encryption used in stupid ways that won’t work. But no encryption at all? My head spins.

This should be shouted from the rooftops.

Tom Chiverton July 27, 2005 12:33 PM

Man, the first person to make an encrypted,` SIP-compatable, VOIP service concatenator (like Jabber, but for VOIP) is going to make a killing.

hype July 27, 2005 2:59 PM

“Skype is encrypted now.” Posted by: bruce at July 27, 2005 11:28 AM

Really? Prove it. It’s closed source last time I checked, so HOW CAN WE VERIFY this claim ourselves?

Bruce Schneier July 27, 2005 3:09 PM

“I’m pretty sure its going to be released this year at defcon.”

I think it’s being announced at DefCon, but not released. Hopefully someone who is at DefCon right now will post more information.

Koray Can July 27, 2005 3:14 PM

Why doesn’t VOIP come standard with encryption anyways ? How come the “pioneers” didn’t see the need to encrypt it ?

steveo July 27, 2005 3:49 PM

Why no encrpytion before?

Two reasons:

Originally, encryption/decryption was considered too lag intensive. IPSec was always an option between nodes, but one which frequently resulted in unintelligible static to everyone, Alice and Bob included.

Secondly, it was presumed that VOIP would mostly be run within an enterprise, and be converted to standard POTS on the outside, be that via ground start trunks or T-1 interfaces or ATM over a leg of telco fiber. Physical LAN cable was considered secure. Ergo, the lack of an encryption spec.

Currently, VOIP is just as encrypted as POTS.

Pat Cahalan July 27, 2005 5:03 PM

@ hype

Really? Prove it. It’s closed source last time I checked, so HOW
CAN WE VERIFY this claim ourselves?

Snoop your own traffic? How do haxors usually reverse engineer these sorts of things? Not that I’m defending Skype mind you, but what does closed source have to do with anything?

Unrelated, I used to do telco work and the entire concept of VOIP makes my blood chill. Why is it considered a good idea to take a voice conversation (which by its very nature requires priority traffic) and dump it into the commodity network (when TCP/IP is by its orginal design un-prioritized traffic?) I agree it makes sense for certain types of businesses in certain infrastructural arrangements, but this is definitely putting lipstick on a pig…

Terence Tan July 27, 2005 6:16 PM

Ahh, PGPfone.

PGPfone had a really good way of dealing with the encryption keys. Normally you’d have to exchange keys beforehand, and then verify the fingerprints to make sure that nobody was tampering with the keys and eavesdropping.

In PGPfone, it set up a new random key each call. The fingerprints for both parties appeared on the screen, and to verify yours, you simply read it over the phone line to the other party. Then they did likewise. If they matched, you could talk. It’s hard to launch a man-in-the-middle attack against that unless you can impersonate voices really well…

It struck me as an elegant solution to what’s currently a hard problem in encryption.

Bruce Schneier July 27, 2005 6:34 PM

“It struck me as an elegant solution to what’s currently a hard problem in encryption.”

That’s the standard solution. It’s what the AT&T secure phone — the one that became the Clipper phone — does. It’s what every secure-phone design I’ve ever seen, save those that have centrally distributed certs like the STU-II does. I’m sure it’s what Phil’s new phone design does.

bruce July 27, 2005 8:08 PM

“I’ve never had any warm fuzzy feelings about Skype.

Posted by: Bruce Schneier at July 27, 2005 03:09 PM”

Bruce, maybe, but now that Lenn Pryor is there I feel a lot better.

Arik July 28, 2005 12:37 AM


“CALEA is a requirement on U.S. telecommunications carriers, not on individuals making and receiving phone calls.”

How long will it take to amend CALEA to apply to end-points? How long would it take for carriers to disallow encrypted calls on their network, just so they don’t have to be liable?

I think that once encrypted VoIP calls would become the norm rather than the exception, making CALEA ineffective, something will have to give. I don’t believe the powers that be will give up wiretapping that easily.

Don’t say it can’t happen. The clipper chip almost happened. If you don’t know or remember what that was, go to for a neat summary.

— Arik

Juergen July 28, 2005 1:29 AM

One open-source solution not mentioned yet: Cryptophone ( They’re selling a WinCE-based smartphone software that allows encrypted mobile calls, and also offer a freeware for desktop machines that can be used via modem.

Can’t really comment on how it works, though, as I don’t have a smartphone and the desktop version seems to have an aversion against my modem 🙁

Grainne July 28, 2005 5:50 AM

It reminds me of that rumour about google bringing out their own Voip service. As far as I know it’s been denied. But can you imagine – search for e.g. a new car and get motor companies (spamming/) ringing you to advertise their products.

Dave Howe July 28, 2005 6:52 AM

Well, pgpfone is the first to spring to mind – used to use that to talk to an australian friend, back in my days on dialup.

the SIP standard (used by one of the VoIP methods currently competing for domination) permits crypto negotiation, but it isn’t commonly implimented. There is a basic command line SIP phone on the winpt site, and XTen pro has a proprietary encyrption but its closed source/undocumented, so no way of knowing if its any good.

Skype. closed source, undocumented, by the guy who tried to make a profit selling other people’s music. nuff said.

almost any unencrypted, ip based phone can be used over a vpn. We have tested this principle using ms portrait, and it works just fine.

most of the problems associated with VoIP encryption are setup though, rather than technical – there isn’t a good directory service available, those that are don’t support encyrption (although you could layer SIP crypto on top of a SIP registrar session once call negotiation begins) and most of the VoIP protocols are hard to tunnel, being both udp based and not confined to a single port.

Underattack July 29, 2005 6:15 AM

A very common VoIP device, the Sipuar 2000, can already apply SSL encryption. was handing out free certificates for this device. If installed, encryption is enabled by dialing a specific prefix. Of course, both sides of the conversation have to support it. It works well with free SIP providers like FWD, but does not work with commercial once like Vonage.

Bruce C. July 29, 2005 4:43 PM

Many thanks to all for the pertinent and
informed discussion. Quite helpful.

Thanks Bruce S.

BOFH July 31, 2005 10:40 AM

From Skype’s KB:
“What type of encryption is used?

Skype uses AES (Advanced Encryption Standard), also known as Rijndael, which is used by U.S. Government organizations to protect sensitive, information. Skype uses 256-bit encryption, which has a total of 1.1 x 1077 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1024 bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates.”

Privatix August 2, 2005 12:55 PM

Its good to see that the encryption gurus are finally looking into this subject more seriously.

IMHO Skype is very clearly winning the VOIP race, in much the same way as Google won the race of search engines. The reasons are obvious :

  • its free (Skype to Skype)
  • platform/OS independent
  • completely anonymous sign-up
  • distributed P2P and therefore scalable and low latency
  • easy to set up
  • routable via SOCKS or HTTP VPNs and anonymizing proxy chains (like TOR or Cotse,Findnot,
  • PocketPC Version (-> gets you VOIP at WLAN hotspots on a small portable device !)
  • already a big community with hardware and API vendors (Skype ready DECT handsets, PBX routers etc,etc.)

All around the globe you can already find “Skype ready” stickers on hardware items like headsets and soundcards – just look around your local computer superstore. And what does that tell us ? Skype is already a de-facto standard and you can’t ignore it.

If only there was not this one big question mark about their implementation of encryption and other security issues. A good summary about these issues is Simon Garfinkels paper :
Also of interest might be

Unfortunately there can be no trust without published source codes or at least source code audits by a trusted party and that leaves a big gap for alternate solutions. Now who will be the maker for the not yet defined de-facto standard for OSPAS VOIP (open source privacy aware & secure VOIP) ? Phil Zimmermann already won that race for defining today’s dominant email encryption standard PGP. Will he take this award for VOIP as well ? Someone should compete :-).

Davi Ottenheimer August 2, 2005 4:51 PM

Now here’s someone that clearly has both technical and marketing talent…

Who wouldn’t want to have a diagnostic tool called “VOMIT” (Voice Over Misconfigured Internet Telephones) on their system? Yet another way to dump packets and then convert them to wav…

Davi Ottenheimer August 2, 2005 5:03 PM

@ Darin
Thanks for the pointer to SRTP. I found that Cisco acquired Sipura’s implementation this past April ( and there is an active SRTP site here:

“SRTP is a security profile for RTP that adds confidentiality, message authentication, and replay protection to that protocol. It is an action item in the IETF Audio-Video Transport Working Group, where it is an Internet Draft and is currently in IETF WG last call.”

JP August 21, 2005 9:53 PM

Assuming that the “confidentiality bases” are covered…I would be greatly interested in hearing any comments on the other risks. SPAM, viruses, outages, VLAN hopping, ARP poisoning, spoofing, et al -do any of these warrant physical and logical separation of VoIP from data environments? Is anyone aware of any solution where security is addressed within the trunk of the IP Phone?

I am aware of only one source, Ofir Arkin (
,that argues why they should be isolated infrastructures. I would agree with the views presented and personally believe that security concerns are being greatly downplayed by “the forces” behind this whole VoIP push.

For most of us, we are all too familiar with the politics and resources required to secure our data environements. It would be great to get valid arguments for keeping them physically and logically separated.

Anonymous November 2, 2005 9:00 PM

Is there a free VoIP software which allows variable length encrytion keys? Like user can choose whether he/she wants a 128 bit, 256 bit etc.

prasad March 16, 2006 7:41 AM

Read almost all the Blogs. It certainly enlightens. But have we missed something –source encryption before quantisation.

How about using a real good stream cipher instead of tail twisting a Block cipher and increasing the complexity of whole process.

Speakfs is perhaps first secure Voice over internet with some desrving compression such as GSM type.

I still feel the problem is not given an academic view but a marketing one ,hence solutions are short lived .

Andrew May 11, 2006 1:55 AM

Am I missing something here?

Are we talking of a ‘coordinated’ approach to utilise a common encryption model as wouldn’t that otherwise be back to the problem of cannot encrypt if receiver cannot decrypt?

Andrew May 29, 2006 7:06 AM

Ok .. in the meantime I see that Zimmermann is submitting his work in an attempt to make it a public standard.

Assuming Skype don’t budge, that will still mean anyone with Zfone calling a Skype client will not have encryption.

cryptojonny October 16, 2007 7:58 AM

I myself am glad that phil is making and releasing a program that will piss the powers that be off. EAT MY DUST NSA!!!

Anonymous April 16, 2008 11:46 PM

zphone looks good in the beta but sadly it does not encrypt the protocol just the speech over it. and my isp throttles the voip protocol. so while it sounds great at the start it dies quickly. not to mention that a computer to computer voice communication between the two computers is still logged even if no body knows what was said.

Andaman April 21, 2020 7:16 AM

My question is how will this interface to traditional phones Andaman Holidays that have no en/decryption software? Apparently both parties need to have the software installed, which only helps those of us who decide to install it.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.