RE: Phil Zimmerman and voice encryption; a Skype problem?
Hi Paul, You left out one option: that Tony Rutkowski was misquoted by the Times. I checked with Tony, and this is, in fact, what happened. Here is his full response: Since the external security lists seem to be buzzing with discourse about Phil Zimmerman's VoIP encryption product as covered by John Markoff in the NY times on Monday, and my quote about German capabilities to decrypt, let me explain the context and what was actually said. John (who I've known for several decades) called my cellphone Sunday morning and said he was writing an article on Zimmerman's software and his making it available, and asked from a CALEA standpoint, whether this was covered. I explained that the recent FCC CALEA orders on VoIP presently exempted P2P VoIP, so that Zimmerman's product was outside the requirements. In multiple roles, including formal filings and legal forums, I deal with this subject all the time. I also mentioned, however, that CALEA requirements exist worldwide, and that German officials at a recent Cyprus standards conference on lawful interception had stated that they have a Skype solution. I explained to John that most other countries have far more extensive CALEA like requirements, and that Germany among others were likely to impose their solutions. In the article that was published, my domestic coverage explanation was attributed to someone else, and my German solution explanation was morphed into a statement that they can decrypt Skype content. The context of the actual discussion, however, was regulatory requirements. Whether the German government can or cannot decrypt Skype content is not known, and indeed the details of their regulatory requirements are also unknown. --tony -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Hoffman Sent: Monday, May 22, 2006 8:19 AM To: Steven M. Bellovin; cryptography@metzdowd.com Subject: Re: Phil Zimmerman and voice encryption; a Skype problem? At 10:19 AM -0400 5/22/06, Steven M. Bellovin wrote: There's an article in today's NY Times (for subscribers, it's at http://www.nytimes.com/2006/05/22/technology/22privacy.html?_r=1oref=s login ) on whether Phil Zimmerman's Zfone -- an encrypted VoIP package -- will invite government scrutiny. There doesn't seem to be any imminent threat in the U.S.; the one concrete example mentioned -- the British plan to give police the power to compel individuals to disclose keys -- doesn't threaten Zfone, because it uses Diffie-Hellman for (among other things) perfect forward secrecy and doesn't even have any long-term keys. (See draft-zimmermann-avt-zrtp-01.txt for protocol details.) The fascinating thing, though, was this sentence near the end of the article: But at a conference last week in Cyprus, German officials said they had technology for intercepting and decrypting Skype phone calls, according to Anthony M. Rutkowski, vice president for regulatory affairs and standards for VeriSign, a company that offers security for Internet and phone operations. The Berson report says that Skype uses AES-256. NSA rates that as suitable for Top Secret traffic, so it's presumably not the cipher. Berson analyzed a number of other possible attack scenarios; the only one that seems to be possible is an active attack plus forged certificates. If Berson's analysis was correct -- and we all know how hard it is to verify cryptographic protocols -- that leaves open the possibility of a protocol change that implemented some sort of Clipper-like functionality. Please don't forget that the VeriSign spokesperson may be mistaken, or purposely lying (possibly in order to drum up business for the company). Neither would be a first for VeriSign. --Paul Hoffman, Director --VPN Consortium - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Phil Zimmerman and voice encryption; a Skype problem?
There's an article in today's NY Times (for subscribers, it's at http://www.nytimes.com/2006/05/22/technology/22privacy.html?_r=1oref=slogin ) on whether Phil Zimmerman's Zfone -- an encrypted VoIP package -- will invite government scrutiny. There doesn't seem to be any imminent threat in the U.S.; the one concrete example mentioned -- the British plan to give police the power to compel individuals to disclose keys -- doesn't threaten Zfone, because it uses Diffie-Hellman for (among other things) perfect forward secrecy and doesn't even have any long-term keys. (See draft-zimmermann-avt-zrtp-01.txt for protocol details.) The fascinating thing, though, was this sentence near the end of the article: But at a conference last week in Cyprus, German officials said they had technology for intercepting and decrypting Skype phone calls, according to Anthony M. Rutkowski, vice president for regulatory affairs and standards for VeriSign, a company that offers security for Internet and phone operations. The Berson report says that Skype uses AES-256. NSA rates that as suitable for Top Secret traffic, so it's presumably not the cipher. Berson analyzed a number of other possible attack scenarios; the only one that seems to be possible is an active attack plus forged certificates. If Berson's analysis was correct -- and we all know how hard it is to verify cryptographic protocols -- that leaves open the possibility of a protocol change that implemented some sort of Clipper-like functionality. A silent change like that would be *very* ominous. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Phil Zimmerman and voice encryption; a Skype problem?
At 10:19 AM -0400 5/22/06, Steven M. Bellovin wrote: There's an article in today's NY Times (for subscribers, it's at http://www.nytimes.com/2006/05/22/technology/22privacy.html?_r=1oref=slogin ) on whether Phil Zimmerman's Zfone -- an encrypted VoIP package -- will invite government scrutiny. There doesn't seem to be any imminent threat in the U.S.; the one concrete example mentioned -- the British plan to give police the power to compel individuals to disclose keys -- doesn't threaten Zfone, because it uses Diffie-Hellman for (among other things) perfect forward secrecy and doesn't even have any long-term keys. (See draft-zimmermann-avt-zrtp-01.txt for protocol details.) The fascinating thing, though, was this sentence near the end of the article: But at a conference last week in Cyprus, German officials said they had technology for intercepting and decrypting Skype phone calls, according to Anthony M. Rutkowski, vice president for regulatory affairs and standards for VeriSign, a company that offers security for Internet and phone operations. The Berson report says that Skype uses AES-256. NSA rates that as suitable for Top Secret traffic, so it's presumably not the cipher. Berson analyzed a number of other possible attack scenarios; the only one that seems to be possible is an active attack plus forged certificates. If Berson's analysis was correct -- and we all know how hard it is to verify cryptographic protocols -- that leaves open the possibility of a protocol change that implemented some sort of Clipper-like functionality. Please don't forget that the VeriSign spokesperson may be mistaken, or purposely lying (possibly in order to drum up business for the company). Neither would be a first for VeriSign. --Paul Hoffman, Director --VPN Consortium - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Phil Zimmerman and voice encryption; a Skype problem?
Steven M. Bellovin writes: -+-- | .. -- that leaves open the possibility of a | protocol change that implemented some sort of Clipper-like functionality. | A silent change like that would be *very* ominous. | I'm reminded of Adi Shamir's 2004 Turing Award Lecture * Absolutely secure systems do not exist * To halve your vulnerability, you have to double your expenditure * Cryptography is typically bypassed, not penetrated --dan - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
