Lesson to be learned?
Phil Zimmermann quietly released a reference application of his new cryptographic protocol ZRTP aimed at bringing privacy to VoIP conversations.
Zfone lets you whisper in someone’s ear, even if their ear is a thousand miles away. I think it’s better than the other approaches to secure VoIP, because it achieves security without reliance on a PKI, key certification, trust models, certificate authorities, or key management complexity that bedevils the email encryption world. It performs its key agreements and key management in a purely peer-to-peer manner over the RTP packet stream.
Beyond the less than adequate certification procedures of certification authorities, users rarely care to manage a secure list of accountable authorities in their clients. Today, the use of asymmetric cryptography in conjunction with a PKI or trust models implies many risks and inconveniences, part of which are rooted in the need to securely manage private keys.
Zimmermann assumes that trust needs to be continuously renewed and updated between the two parties in a conversation, hence the ephemeral, point-to-point nature of his secure application. By reducing the need for long-term storage of sensitive key material, it increases the overall security of the conversation. At the same time, I believe this is only solving part of the issue, as Bruce Schneier points out:
No amount of IP telephony encryption can prevent a Trojan or worm on your computer — or just a hacker who managed to get access to your machine — from eavesdropping on your phone calls, just as no amount of SSL or e-mail encryption can prevent a Trojan on your computer from eavesdropping — or even modifying — your data.
So, as always, it boils down to this: We need secure computers and secure operating systems even more than we need secure transmission.
This puts, better than I could, the objection I have to extending JEP-0116 Encrypted Sessions beyond online conversations. Will the XMPP community learn the lesson from these experts’ experience?
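The mechanism Zimmermann describes above (a per-call Diffie-Hellman agreement between the two endpoints, no certificates, and trust renewed from one conversation to the next) as a runnable teaching model. This is an added example, not Zfone's code or the ZRTP specification's message format: it assumes X25519 for the key agreement, HMAC-SHA256 as the key derivation function, a four-hex-digit Short Authentication String that both users read aloud, and a retained secret chained from one call into the next; all labels, names and the layout are this example's own choices. The final section shows the detection the design relies on: a relayed call produces different SAS values on each side and, once a prior call has been completed, a continuity mismatch warning.

```python
"""ZRTP-style call key agreement with key continuity: a teaching model.

Added example, not Zfone's code. It mirrors what the post describes (a
peer-to-peer Diffie-Hellman exchange per call, a Short Authentication String
read aloud instead of certificates, a retained secret chaining calls
together) in simplified form; labels, KDF and layout are this example's own.
"""
import hashlib
import hmac
import secrets

# X25519 (RFC 7748) in pure Python so only the standard library is needed.
# The conditional swap is not constant-time: acceptable in a model only.
P = 2**255 - 19
A24 = 121665
BASE = bytes([9]) + bytes(31)               # the curve's base point u = 9

def x25519(scalar: bytes, u: bytes) -> bytes:
    k = bytearray(scalar)
    k[0] &= 248                             # clamp the scalar per the RFC
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):            # Montgomery ladder, 255 bits
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def kdf(label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 keyed by a label, so every derived value is domain-separated."""
    return hmac.new(label, b"".join(parts), hashlib.sha256).digest()

class Endpoint:
    """One party in a call. Between calls only the retained secret is kept."""

    def __init__(self):
        self.rs = b""                       # retained secret from the last call

    def begin_call(self) -> bytes:
        self.priv = secrets.token_bytes(32)  # fresh ephemeral key every call
        self.pub = x25519(self.priv, BASE)
        return self.pub

    def rs_id(self) -> bytes:
        """Proof of possession of the cached secret that does not reveal it."""
        return kdf(b"rs-id", self.rs) if self.rs else b""

    def finish_call(self, peer_pub: bytes, peer_rs_id: bytes):
        dh = x25519(self.priv, peer_pub)
        if not self.rs:
            continuity = "first-call"       # nothing to chain to: SAS is the only check
        elif peer_rs_id == self.rs_id():
            continuity = "ok"
        else:
            continuity = "MISMATCH"         # peer lacks our cached secret: warn the user
        rs_in = self.rs if continuity == "ok" else b""
        transcript = b"".join(sorted([self.pub, peer_pub]))
        s0 = kdf(b"s0", dh, rs_in, transcript)
        sas = kdf(b"sas", s0)[:2].hex()     # 4 hex chars both users read aloud
        self.rs = kdf(b"retained", s0)      # carried into the next call
        media_key = kdf(b"srtp", s0)
        del self.priv                       # ephemeral material is discarded
        return sas, continuity, media_key

def honest_call(a: Endpoint, b: Endpoint):
    pa, pb = a.begin_call(), b.begin_call()
    ida, idb = a.rs_id(), b.rs_id()
    return a.finish_call(pb, idb), b.finish_call(pa, ida)

def intercepted_call(a: Endpoint, b: Endpoint):
    """A relay with its own key pair towards each side, the case the SAS and
    continuity checks exist to expose."""
    a.begin_call()
    b.begin_call()
    m_a, m_b = Endpoint(), Endpoint()       # the relay has no retained secret
    pm_a, pm_b = m_a.begin_call(), m_b.begin_call()
    return a.finish_call(pm_a, m_a.rs_id()), b.finish_call(pm_b, m_b.rs_id())

if __name__ == "__main__":
    alice, bob = Endpoint(), Endpoint()
    for _ in range(2):
        (sa, ca, _), (sb, cb, _) = honest_call(alice, bob)
        print(f"honest call:  SAS {sa}/{sb}  continuity {ca}/{cb}")
    (sa, ca, _), (sb, cb, _) = intercepted_call(alice, bob)
    print(f"relayed call: SAS {sa}/{sb}  continuity {ca}/{cb}")
```

Two honest calls agree on the SAS and the media key, and the second one reports continuity with the first; the relayed call yields different SAS values on the two phones and a MISMATCH on both, because the relay cannot produce the cached secret. Note what the model does not cover, which is exactly Schneier's point: every quantity here, the retained secret included, lives on the endpoint, so a compromised machine reads the call and its keys regardless of how the transmission was protected.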