April 13, 2006

A first look at Zfone

Author: Nathan Willis

Zfone is PGP creator Phil Zimmermann's latest brainchild, a small desktop application that encrypts VoIP softphone conversations using strong encryption and peer-to-peer communication. Zimmermann released the first public beta last month. While I'm intrigued by the concept, getting the application to work is another story.

Zfone runs as a standalone app, outside of your VoIP client. To use it, you must use a Session Initiation Protocol (SIP) softphone that allows you to specify the port settings in accordance with Zfone's documentation. Zfone encrypts the Real-time Transport Protocol (RTP) stream (which carries the audio packets), not the SIP channel that does call setup and teardown.

Neither party in a call needs a persistent "key" as is used in the PGP email security model, and there is no public key infrastructure. Instead, when Zfone clients connect, they perform a Diffie-Hellman key exchange using Zimmermann's ZRTP protocol (an extension to RTP), creating a "shared secret."

The shared secret is then used to establish a Secure RTP (RFC 3711) channel over which communication takes places. The parties can verbally check a short verification code computed by Zfone; if they both see the same code, then the call has not been intercepted. When the call is terminated, the keys are destroyed.

Zimmermann has submitted a draft proposal to the Internet Engineering Task Force (IETF) for ZRTP, and cites Zfone as a reference implementation.

Acquiring and testing the beta

The Zfone public beta is available as a binary for Mac OS X and as a source code package for Linux. Zimmermann claims a Windows release will follow soon. To download the software, you must enter an email address and wait for an autoresponder to mail you a temporary download link. Following that, you must read and agree to Zimmermann's license terms before downloading the package.

The license is quite restrictive; it prohibits licensees from (among other things) redistributing the source or binaries themselves and from publicly disclosing any security flaws without first informing Zimmermann. His stated reasoning for these terms is that he is soliciting "peer review" on the system only for the time being.

The README included with the Linux tarball indicates that some of the code used is from the open source project libSRTP and Brian Gladman's AES, but the package as a whole is certainly neither open source nor free software.

Compiling Zfone from source can be tricky, which makes the non-redistribution clause in the license both baffling and inconvenient. You must have ipqueue and iptables support built into your kernel -- meaning a kernel rebuild might be necessary -- and must compile multiple support libraries in addition to the Zfone binary. These support libraries are provided in the Zfone package.

As of this first public release, there is little to say about the Zfone client itself. I could not get the Linux package to compile, and the Mac client was extremely picky to work with, flaky on maintaining connections, and opaque with its error messages. My emails to Zimmermann were not returned in time for publication.

Of course, none of that speaks at all to the value of the protocol, and it is clear that at this stage Zimmermann is more concerned with that than with the implementation. Several stories in the media about Zfone's launch suggest that Zimmermann is seeking venture capital to turn Zfone into a commercial product. When compared with possibility that ZRTP will become a formal public standard, the future of Zfone itself is clearly of the lesser importance to free software projects.

The importance of the ZRTP draft spec

The current IETF draft document is dated March 5 and was co-authored by Zimmermann, Alan Johnston (co-creator of SIP), and Jon Callas (of PGP Corp.). Cryptographers will no doubt have more to digest in it than casual users, but the salient points are that ZRTP prevents "man in the middle" attacks (including electronic wiretapping), is completely self-contained, decentralized, and -- by using ephemeral keys -- secures each call in isolation.

The last three points mark substantial improvements over the PKI model used by PGP. With ZTRP, there's no worrying about forgetting your pass phrase, keeping your private key safe from compromise, or the hassles of creating, distributing, and signing a new key. Reliance on a PKI is the millstone tied around the neck of PGP; users find it both arduous and (at times) confusing. Is it any wonder that after more than a decade of free implementations, patents passing into the public domain, and relaxed United States export laws, almost all email is still transmitted in the clear?

The Zfone app demonstrates that it is possible to add a secure layer to VoIP without requiring any additional support from hardware vendors, SIP providers, or network operators. The idea of implementing ZRTP directly in a softphone client has popped up on the OpenWengo mailing list, but it is great to see that it will be usable even with closed-source softphones such as Gizmo.

And since ZRTP is designed to stay out of the way if either party to the call lacks support for it, providing support for it does not corral users into an encrypted-only ghetto, able to talk only to each other.

Zimmermann may be in the process of turning Zfone into a commercial product -- perhaps targeting hardware manufacturers instead of individual desktop users. Even if he does so, and pulls all free versions of the app, by proposing ZRTP as an IETF standard he is opening the door for free software developers to secure VoIP communication while it is still in its infancy. If we wait too long to do so, as with email, before we know it it will be too late.


  • Security
Click Here!