Zfone is a new secure VoIP phone software product which lets you make secure encrypted phone calls over the Internet. It lets you whisper in someone's ear from a thousand miles away.
a private conversation
any time you want
with anyone, anywhere —
without buying a plane ticket.
The ZRTP protocol used by Zfone will soon be integrated into many standalone secure VoIP clients, but today we have a software product that lets you turn your existing VoIP client into a secure phone. The current Zfone software runs in the Internet protocol stack on any Windows XP, Vista, Mac OS X, or Linux PC; it intercepts and filters all the VoIP packets as they go in and out of the machine and secures the call on the fly. You can use a variety of different software VoIP clients to make a VoIP call. The Zfone software detects when the call starts, initiates a cryptographic key agreement between the two parties, and then encrypts and decrypts the voice packets on the fly. It has its own small separate GUI that tells the user whether the call is secure. It's as if Zfone were a "bump on the wire" sitting between the VoIP client and the Internet: think of it as a software bump-on-the-wire, or a bump in the protocol stack.
Zfone is also available as an SDK to allow VoIP product vendors to integrate encryption into their products.
The ZRTP protocol has some nice cryptographic features lacking in many other approaches to VoIP encryption. Although it uses a public key algorithm, it avoids the complexity of a public key infrastructure (PKI). In fact, it does not use persistent public keys at all. It uses ephemeral Diffie-Hellman with hash commitment, and allows the detection of man-in-the-middle (MiTM) attacks by displaying a short authentication string for the users to verbally compare over the phone. It has perfect forward secrecy, meaning the keys are destroyed at the end of the call, which precludes retroactively compromising the call by future disclosures of key material. But even if the users are too lazy to bother with short authentication strings, we still get fairly decent authentication against a MiTM attack, based on a form of key continuity. It does this by caching some key material to use in the next call, to be mixed in with the next call's DH shared secret, giving it key continuity properties analogous to SSH. All this is done without reliance on a PKI, key certification, trust models, certificate authorities, or key management complexity that bedevils the email encryption world. It also does not rely on SIP signaling for the key management, and in fact does not rely on any servers at all. It performs its key agreements and key management in a purely peer-to-peer manner over the RTP packet stream. And it supports opportunistic encryption by auto-sensing if the other VoIP client supports ZRTP.
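To make the ideas in the paragraph above concrete, here is a small added Python model (written for this page; it is not Zfone's code and not the ZRTP wire protocol) of an ephemeral Diffie-Hellman exchange with a hash commitment, a short authentication string derived from the result, and a cached secret mixed into the next call's key. The DH group, message layout, SAS length and derivations are all constructed for illustration only.

```python
import hashlib, hmac, secrets

P = 2**127 - 1   # toy DH prime (constructed); real use needs a large standard group
G = 3

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

class Endpoint:
    """One call participant. rs1 is the retained secret cached from the previous call."""
    def __init__(self):
        self.rs1 = b""

    def start(self):
        self.priv = secrets.randbelow(P - 2) + 1            # fresh ephemeral exponent per call
        self.pub = pow(G, self.priv, P).to_bytes(16, "big")
        return h(self.pub)                                   # hash commitment to our DH value

    def derive(self, peer_pub):
        dhss = pow(int.from_bytes(peer_pub, "big"), self.priv, P).to_bytes(16, "big")
        self.key = h(dhss, self.rs1)                         # cached secret mixed in (key continuity)
        self.sas = h(b"sas", self.key)[:2].hex()             # short string the users read aloud
        self.confirm = hmac.new(self.key, b"confirm", "sha256").digest()
        self.rs1 = h(b"rs1", self.key)                       # cache for the next call
        del self.priv, self.key                              # forward secrecy: nothing kept to disclose later

def call(a, b, mitm=False):
    """One call between a (initiator) and b. With mitm=True an attacker that was not
    present in earlier calls relays both legs with its own DH values and commitment."""
    commit_a = a.start(); b.start()
    if mitm:
        ma, mb = Endpoint(), Endpoint()                     # attacker's leg toward a, toward b
        ma.start(); commit_b_sees = mb.start()
        ma.derive(a.pub); mb.derive(b.pub)
        a_sees, b_sees = ma.pub, mb.pub
        conf_to_a, conf_to_b = ma.confirm, mb.confirm
    else:
        a_sees, b_sees, commit_b_sees = b.pub, a.pub, commit_a
    assert h(b_sees) == commit_b_sees                       # b checks the initiator's commitment first
    a.derive(a_sees); b.derive(b_sees)
    if not mitm:
        conf_to_a, conf_to_b = b.confirm, a.confirm
    cache_ok = (hmac.compare_digest(conf_to_a, a.confirm)
                and hmac.compare_digest(conf_to_b, b.confirm))
    return {"sas_a": a.sas, "sas_b": b.sas, "cache_ok": cache_ok}
```

On a first call the relayed exchange is caught only if the users compare the SAS; from the second call on, the missing cached secret also makes the confirmation MACs fail, which is the key-continuity check the text describes.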
There are good reasons why ZRTP does not rely on a PKI approach. There are major problems and complexities with building, maintaining, and relying on PKI. That's why in the 1990s, a number of companies died trying to build and market PKI technology. See Ellison and Schneier's paper Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure and Ellison's paper Improvements on Conventional PKI Wisdom.
A public beta release of the Zfone software is available for download for Windows XP, Vista, Mac OS X, or Linux.
Zfone runs on Windows XP and Vista, both 32-bit and 64-bit versions. Zfone will encrypt audio and video for Apple iChat calls on Mac OS X. Zfone has been tested with these VoIP clients: X-Lite, Gizmo (audio, no video yet), XMeeting, Google Talk VoIP client, Yahoo Messenger's VoIP client (for audio), Magic Jack, and SJphone. It does not work with Skype.
Questions? Check out our Frequently Asked Questions.
"Zfone", "libZRTP", and "whisper in someone's ear from a thousand miles away" are all trademarks of Philip Zimmermann.