Issue No. 06 - November/December (2006 vol. 10)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MIC.2006.139
Phil Zimmermann, inventor of the email encryption application Pretty Good Privacy (PGP), was a lightning rod for the debate over user rights to data security throughout the 1990s. Zimmermann originally designed PGP as a human rights tool, but the US government investigated him for three years on the grounds that posting PGP on a domestic Usenet site might have broken encryption export law; it eventually dropped the case in 1996.
Ten years later, Zimmermann is once again at the forefront of the latest communications technology and its security implications. In July 2006, Zimmermann released the beta version of his latest brainchild, Zfone (http://zfoneproject.com/index.html), a voice-over-IP (VoIP) peer-to-peer (P2P) encryption application. Zimmermann, whose activist credentials extend beyond PGP to the effort to freeze nuclear weapons in the 1980s, acknowledges that the world since the attacks of September 11, 2001 is far different from the one into which he released PGP, but as the underlying telecommunications infrastructure converts from the public switched telephone network (PSTN) to VoIP networks, the implications for secure communications are no less critical.
Indeed, he says, the old assumptions about who might be tapping voice communications need to be discarded. No longer will the network's physical properties limit wiretaps to clandestine alligator-clip jobs near a specific exchange, a phone company switch, or an international border. The underlying threat model to VoIP networks mirrors that of the threat to packet-based data networks — once an attacker gains access to a voice stream, a compromised node can be wiretapped with a mouse point and a click from anywhere in the world.
So, rather than appeal to activists concerned about governments over-stepping their mandates as he did with PGP, Zimmermann says Zfone will be positioned to appeal to businesses that deploy VoIP networks and anyone afraid of what might happen in a hacked network, as well as to intelligence agents in deep cover who must have secure encrypted communications. In fact, Zimmermann and two colleagues have submitted an Internet draft to the IETF describing Zfone's key-and-session management methods. Although Zimmermann says widespread market adoption of Zfone shouldn't depend on the technology's elevation to request for comment (RFC) status, such a move could cement the technology in risk-averse industries and government deployments as well as with early adopters.
The great unknown presently is whether US policymakers who champion expanded wiretapping capabilities might attack Zimmermann's invention as enabling terrorists to use encryption as they did PGP. Regardless of how Zfone itself plays in the public discussion, Zimmermann and other industry figures say the technological and policy implications of VoIP security need to gain wider dissemination sooner rather than later.
VoIP Technology's Many Flavors
"There are all kinds of VoIP security scenarios," says David Endler, chairman of the VoIP Security Alliance (VoIPSA; www.voipsa.org). "There are carrier and provider security issues, there's enterprise security and consumer security. We're also starting to see VoIP bleeding into other technologies like instant messaging and Web services. To address all the issues, it has to be a team effort. Once a VoIP call leaves the confines of either your home or enterprise, it ceases to be a problem of your vendor; it becomes a provider issue — so one party can't work on security by itself."
Victoria Fodale, program manager and network security analyst for research firm In-Stat, says that not only should the issue of VoIP security be considered multidimensional but so should what VoIP itself means.
"When you talk about VoIP, what flavor are you talking about? There's IP-PBX [Internet Protocol private branch exchange] equipment, collaboration and conferencing products, IM [instant messaging] clients with voice capabilities, broadband voice services, and peer-to-peer telephony. On this laundry list, P2P is actually toward the bottom of the list."
Fodale says that, as VoIP technology bleeds outward, and as the barrier between home and work erodes further, the VoIP security equation will have to keep step with dual consumer-enterprise needs as well as public policy concerns.
"We see a lot of things in business that start in the consumer world," she says. "Social networking applications, wikis, and similar technologies start in the consumer world and are pushed to business. VoIP is kind of a gray area. Your solutions have to be robust enough to fit multiple scenarios. It's not an either-or; our jobs carry over to home, home carries over to jobs, and technology is going to need to be flexible."
Convenience and Security Must Coexist
From both economic and convenience standpoints, Fodale and Endler say that some of the existing VoIP security measures might not measure up to their conceptual strengths. Existing enterprise-class technologies are often time consuming to set up and tear down, and the most popular P2P telephony technology — Skype, which claims to be secure — is both proprietary and incompatible with many enterprise network policies.
"The biggest barrier to enabling encryption today is the overhead of maintaining a public-key infrastructure," Endler says. "You have to take great strides to install certificates on everyone's phone, then there's the headache of revoking somebody's credentials if they leave — and that's just for encryption."
As for Skype, Fodale says, "Skype is a problem in a business network for a lot of reasons. One, it's a port seeker, and it drives the network guys crazy. There's an emerging equipment and solutions segment built around Skype-blocking. Since Skype's all over the place, you can't just block off x port and it's solved. And, in particular industries such as healthcare and finance, where people are security conscious for compliance reasons, they need policy controls, they need to be able to log traffic. So Skype is a problem."
Both Fodale and Endler have seen Zfone's early iterations, and believe Zimmermann has devised an application that could bridge the consumer-enterprise gap. Zfone is a P2P technology compatible with multiple VoIP client applications and doesn't rely on public-key infrastructure. The users on each end of a Zfone-enabled call establish the call's security by reading and comparing a short authentication string. In addition, the keys are destroyed at the end of the call, which precludes retroactively compromising the call by future disclosures of key material.
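The call setup just described, as an added illustrative model rather than Zfone's or ZRTP's own code: each endpoint makes a fresh Diffie-Hellman key per call, both users compare a four-character short authentication string (SAS) derived from the agreed key, and the key is discarded at hang-up. The SAS derivation, the `Endpoint` and `call` names, and the choice of the RFC 2409 1024-bit group are assumptions of this example; an interposed node that substitutes its own key material produces mismatching SAS strings, which is what the spoken comparison is meant to catch.

```python
import hashlib
import secrets

# RFC 2409 group 2 (1024-bit MODP), transcribed here for illustration only;
# a 1024-bit group is too weak for real deployments today.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
SAS_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # base32-style, assumed


class Endpoint:
    """One party to a call: no certificates, no long-term keys, one fresh DH pair per call."""

    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.session_key = None

    def agree(self, peer_pub):
        shared = pow(peer_pub, self.priv, P)
        # Bind the key to both public values (sorted so both sides agree).
        both = b"".join(sorted(k.to_bytes(128, "big") for k in (self.pub, peer_pub)))
        self.session_key = hashlib.sha256(both + shared.to_bytes(128, "big")).digest()

    def sas(self):
        # 20 bits of the key as 4 base32 characters, the length of ZRTP's
        # short authentication string; each user reads theirs aloud.
        bits = int.from_bytes(self.session_key[:3], "big") >> 4
        return "".join(SAS_ALPHABET[(bits >> s) & 31] for s in (15, 10, 5, 0))

    def hang_up(self):
        # Discarding the key is what keeps a later compromise of either
        # endpoint from decrypting a recording of this call.
        self.session_key = None
        self.priv = None


def call(a, b, interposed=False):
    """Run key agreement directly, or through a node on the path that can only
    complete it with its own DH values; return whether both users read the same SAS."""
    if not interposed:
        a.agree(b.pub); b.agree(a.pub)
    else:
        ra, rb = Endpoint(), Endpoint()
        a.agree(ra.pub); ra.agree(a.pub)
        b.agree(rb.pub); rb.agree(b.pub)
    return a.sas() == b.sas()
```

With a 20-bit SAS the interposed case still matches by chance about once in a million calls, which is the residual risk a short spoken string accepts in exchange for being practical to read aloud.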
Although Zimmermann has yet to negotiate a deal with vendors of analog telephone adapter equipment, which could comprise the bulk of the market in the first stages of the PSTN-to-VoIP conversion, a complex legal element might give VoIP carriers a reason to encourage their customers to use Zfone.
Will Law Drive the Market?
The legal element in question is the Communications Assistance for Law Enforcement Act of 1994 (CALEA), which mandates that carriers provide access for law enforcement agencies to conduct electronic surveillance of common carrier communications networks. The US Federal Communications Commission (FCC) has decided that CALEA also pertains to broadband Internet and VoIP networks as well as PSTN circuits (www.askcalea.net/docs/20060503_2nd-memorandum.pdf).
According to the FCC, by 14 May 2007, CALEA will "apply to all facilities-based broadband Internet access and interconnected VoIP providers." However, the carriers are expected to shoulder the costs of making their networks CALEA-compliant themselves, and the FCC order was written broadly enough that many carriers have expressed dismay over the lack of technical guidance and the potential to have to add more back doors — hardware and software that offers no revenue potential — every time they expand their infrastructure.
VoIPSA's Endler says the very nature of packet-based communications might make the expensive CALEA provisions moot given the Internet's global architecture.
"The infrastructure in which the PSTN routes calls has a definite geophysical architecture," he says. "If you want to look at data from a PSTN-carried call, you know exactly where it originated because of the path it took. But something like Skype comes from the P2P model, and that's not as clear cut. A call can originate in the US, travel outside, and come back in. The Internet doesn't have any geographic boundaries, so that will be interesting to see how that plays out."
On the other hand, the definition of "facilities-based" might extend all the way down to provider-equipped residential broadband data/voice modems, which would undoubtedly add more cost and complexity to the industry's CALEA compliance mandate. Zfone, by contrast, being an end-user-controlled technology, might be exempt from CALEA.
On his Web site, Zimmermann says:
"I'm not a lawyer, but it's my understanding that the Communications Assistance for Law Enforcement Act applies to the PSTN phone companies and VoIP service providers, such as Vonage… [Zfone] does all its key management in a peer-to-peer manner, so the service provider does not have access to any of the keys. Only the end users are involved in the key negotiation. CALEA does not apply to end users."
Parsing the legal as well as the technological issues will become critical fairly soon for a wider variety of enterprises. According to In-Stat data from the first quarter of 2006, VoIP technology cracked the 50 percent barrier in businesses with 500 to 999 employees in multiple areas: IP-PBX, broadband voice and collaboration applications, and P2P. Even a third of the largest businesses surveyed had deployed some P2P telephony somewhere in their organization. In-Stat analyst Fodale says stakeholders across the board must begin a concerted education campaign to bring the full complexity of VoIP security to light.
"You need to broaden the discussion," she says. "We need to be looking at use cases — does this serve more than the niche looking to keep their communications from government surveillance? You can say that there is definitely a need for this technology for people working in areas where they cannot trust the communications infrastructure — but I think this is much broader — and I hope the discussion gets larger."