Cryptography
Cryptography and encryption software, hardware, issues, articles and conferences.

 



















 

 

  Monday, May 22, 2006


Philip R. Zimmermann wants to protect online privacy. Who could object to that?

He has found out once already. Trained as a computer scientist, he developed a program in 1991 called Pretty Good Privacy, or PGP, for scrambling and unscrambling e-mail messages. It won a following among privacy rights advocates and human rights groups working overseas -- and a three-year federal criminal investigation into whether he had violated export restrictions on cryptographic software. The case was dropped in 1996, and Mr. Zimmermann, who lives in Menlo Park, Calif., started PGP Inc. to sell his software commercially.

Now he is again inviting government scrutiny. On Sunday, he released a free Windows software program, Zfone, that encrypts a computer-to-computer voice conversation so both parties can be confident that no one is listening in. It became available earlier this year to Macintosh and Linux users of the system known as voice-over-Internet protocol, or VoIP.

What sets Zfone apart from comparable systems is that it does not require a web of computers to hold the keys, or long numbers, used in most encryption schemes. Instead, it performs the key exchange inside the digital voice channel while the call is being set up, so no third party has the keys.

Zfone's introduction comes as reports continue to emerge about the government's electronic surveillance efforts. A lawsuit by the Electronic Frontier Foundation, a privacy rights group, contends that AT&T has given the National Security Agency real-time access to Internet communications.


5:05:33 PM    

21 May 2006 - I've just released a new public beta for Zfone, a new product that takes a new approach to make a secure telephone for the Internet. Zfone lets you whisper in someone's ear, even if their ear is a thousand miles away.

Zfone uses a new protocol called ZRTP, which is better than the other approaches to secure VoIP, because it achieves security without reliance on a PKI, key certification, trust models, certificate authorities, or key management complexity that bedevils the email encryption world. It also does not rely on SIP signaling for the key management, and in fact does not rely on any servers at all. It performs its key agreements and key management in a purely peer-to-peer manner over the RTP packet stream. It interoperates with any standard SIP phone, but naturally only encrypts the call if you are calling another ZRTP client. This new protocol has been submitted to the IETF as a proposal for a public standard, to enable interoperability of SIP endpoints from different vendors.

How to get the Zfone Public Beta (Yes, we've got Windows!)

Yes, we finally have a Windows XP version, as well as a new Mac OS X and Linux version. To get your hands on the Zfone public beta software, click here:
Get Started with Zfone Now!

In keeping with the long-standing PGP tradition, the source code is also available to download for peer review.


5:05:03 PM    

Businesses and individuals may soon have to release their encryption keys to the police or face imprisonment, when Part 3 of the RIP Act comes into effect.

The UK Government is preparing to give the police the authority to force organisations and individuals to disclose encryption keys, a move which has outraged some security and civil rights experts.

The powers are contained within Part 3 of the Regulation of Investigatory Powers Act (RIPA). RIPA was introduced in 2000, but the government has held back from bringing Part 3 into effect. Now, more than five years after the original act was passed, the Home Office is seeking to exercise the powers within Part Three of RIPA.

Some security experts are concerned that the plan could criminalise innocent people and drive businesses out of the UK. But the Home Office, which has just launched a consultation process, says the powers contained in Part 3 are needed to combat an increased use of encryption by criminals, paedophiles, and terrorists.

"The use of encryption is... proliferating," Liam Byrne, Home Office minister of state told Parliament last week. "Encryption products are more widely available and are integrated as security features in standard operating systems, so the Government has concluded that it is now right to implement the provisions of Part 3 of RIPA... which is not presently in force."

Part 3 of RIPA gives the police powers to order the disclosure of encryption keys, or force suspects to decrypt encrypted data.

Anyone who refuses to hand over a key to the police would face up to two years' imprisonment. Under current anti-terrorism legislation, terrorist suspects now face up to five years for withholding keys.

If Part 3 is passed, financial institutions could be compelled to give up the encryption keys they use for banking transactions, experts have warned.

 

"The controversy here [lies in] seizing keys, not in forcing people to decrypt. The power to seize encryption keys is spooking big business," Cambridge University security expert Richard Clayton told ZDNet UK on Wednesday.


12:30:02 PM    

Zero Configuration VPN Clients for Mobile Users. In this paper, Michael Underwood examines three VPN services that are designed to be used at wireless hotspots by either SOHO (small office/home office) or small business users. By Michael Underwood. [Infosec Writers Latest Security Papers]
12:21:48 PM    


© Copyright 2006 Paul Hardwick.
Last update: 6/8/06; 11:15:51 AM.
