Posts Tagged zrtp

First Look at the Blackphone

Full disclosure: I am good friends with Phil Zimmermann, co-founder of Silent Circle.  He and I worked together for many years to publish his ZRTP media security protocol as an RFC in the IETF standards body. I also helped him with his Zfone Project.  I’m also friends with Jon Callas, Travis Cross, and others at Silent Circle, who collaborated with Geeksphone to produce the Blackphone.

Blackphone Logo



After tclueconhe Blackphone was announced back in February in Barcelona, I ordered one as soon as they started taking orders, and have pretty much just been killing time ever since then.  I even had a false alarm delivery the other week when I was at the IETF conference inToronto.  Another package with an address that had “Black” in it arrived, and I jumped to the conclusion that it was my Blackphone.  Instead, my Blackphone arrived the day I was in Chicago at ClueCon, on a Security Round Table panel with Phil and Travis.

Blackphone BoxBlackphone AccsessoriesMy first impressions are quite positive: the packaging is good, the phone is nice to hold in the hand.  If anything, it feels lighter than I expected.  And it is black.  Included accessories are USB cable, charger with US and European plugs, and a headset.

Upon powering it up, you are prompted to create a pin or password, then it prompts you to encrypt the phone, which takes about 10 minutes or so.Blackphone Phone Encryption

I’ve been using Silent Circle for a while now on my iPhone, so I recognized the Silent Phone and Silent Text apps.  Silent Contacts was new to me, as were the other pre-installed security apps.

Blackphone Pre-Installed AppsIt took me a little while to get Silent Phone and Text working.  I had forgotten that I had to look up the Product Keys to get the Silent Circle Ronin code to activate the service and create my account.  The Silent Circle apps are similar to those on my iPhone although the user interface is inscrutable.  Why does it show one grey dot when I’m calling then switch to three green dots when I’m connected and ZRTP has been authenticated?  What does “Secure to server” mean?  Hopefully this is an easy fix to the UI to make it understandable.

Next, I need to try out SpiderOak and Disconnect.Me.  Also, I haven’t put a SIM in yet.  My friend James Body has given me a fantastic Truphone travel SIM that I really could have used last month during all my travels…

Look for a future post on these topics.  As always, questions & comments most welcome.

, , , ,

1 Comment

How to Communicate Securely over the Internet

Today, I published a new Internet-Draft on how to securely communicate over the Internet using a new web technology known as WebRTC and the ZRTP protocol.  Using this technique, Internet users can determine if the National Security Agency, or anyone else, is listening in to their calls placed using a web browser.  There are already a number of commercial and open source products utilizing ZRTP, including Silent CircleJitsi, and others, but this new technique opens it up for all web users.

The WebRTC Book

For those of you not involved in the VoIP or video conferencing world, WebRTC, or Web Real-Time Communications, is a new standards effort to add real-time voice and video communications capabilities to web browsers.  This allows web developers to add voice and video communications with a few standard JavaScript calls.  All the pieces needed to communicate, including codecs and the ability to traverse NAT and firewalls, are built into the browser.  Today, WebRTC is available in the Chrome and Firefox browsers, and in Chrome for Android.  I’ve written a book on WebRTC if you want to learn more about it.

With WebRTC, all media flows are encrypted and authenticated using Secure RTP or SRTP.  Unfortunately, the keying method chosen for WebRTC is DTLS-SRTP or Datagram Transport Layer Security for Secure Real-time Transport Protocol.  DTLS-SRTP on its own does not provide protection against Man-in-the-Middle (MitM) attacks, also known as eavesdropping attacks.    Today, the news is full of reasons why Internet users need such protection.  We now know the surveillance of Internet users is widespread.

The ZRTP security protocol, published as RFC 6189 back in 2011,  was invented by Phil Zimmermann to allow Internet users to communicate securely and privately over the Internet.   ZRTP was not selected as the default keying method for WebRTC, despite it being the ideal candidate.

However, ZRTP can still be used to provide MitM protection for WebRTC sessions established using DTLS-SRTP.  As described in the new Internet-Draft written by myself, Phil Zimmermann, Jon Callas, Travis Cross, and John Yoakum, ZRTP can be implemented in JavaScript and run in both browsers over the WebRTC data channel.  The ZRTP exchange is used to compare the DTLS-SRTP fingerprints used to establish the media flows.  If the fingerprints match, and the ZRTP exchange is authenticated by the users comparing the Short Authentication Strings (SAS) displayed on each browser, the WebRTC media sessions are free of MitM attackers.

Jitsi Short Authentication String

How does this work?  You’ll have to read the ZRTP specification to find out exactly how, but in simple technical terms,  it is because ZRTP uses a technique known as a Diffie-Hellman key exchange augmented with a hash commitment.  This allows the SAS, which can be two words or four hex digits, to prove that a media session has no eavesdroppers present.

We have documented this usage of ZRTP with WebRTC in the Internet-Draft document draft-johnston-webrtc-zrtp.  Hopefully soon there will be some open source ZRTP JavaScript libraries freely available for web developers.

Everyone needs privacy in their communication, and WebRTC with ZRTP finaly provides a real solution to all Internet users.

, , , , , ,


ZRTP at WashU ACM Hackfest 2013

On Saturday, I gave a presentation and demo of ZRTP at Hackfest 2013, organized by the Washington University in St. Louis chapter of ACM (Association of Computing Machinery) .WashU ACM

A group of about 60 undergrads had gathered in Urbauer 211 to learn about hacking and try it out. I gave a short presentation about ZRTP, the media path keying protocol for SRTP invented by Phil Zimmermann.

I was fortunate to serve as the editor of the ZRTP specification, which was published as RFC 6189 two years ago. I showed how ZRTP allows users to detect the presence of a MitM (Man in the Middle) attacker by checking the Short Authentication String.

Here is a PDF of my presentation.

Jitsi ZRTP SAS Comparison User Interface

Then I used the Jitsi open source voice, video, & chat application to demo ZRTP. Emil Ivov, founder and chief developer at Jitsi answered my ZRTP call, and we checked the SAS. The sequence of steps used to secure the voice & video session is shown in this animated GIF.

Afterwards, I gave away a copy of Counting from Zero, my technothriller that incorporates elements of ZRTP, hacking, exploits, and zero-day attacks.

We then spent the rest of the afternoon playing with Metasploit on an isolated network of virtual Windows machines. It was an interesting day.  Just like at IETF meetings, the biggest excitement of the afternoon was when the cookies arrived!

Perhaps at next year’s session, we can try out VoIP hacking tools such as SIPvicious!

Counting from Zero Book

, , , , , , ,

Leave a comment

My Year – 2011

As 2011 draws to a close, I wanted to take a moment to thank everyone who has helped me this year. It has been an amazing year! Here’s a short list of my highlights:

– In January I gave a SIP Tutorial for the FCC staff in DC. It was a great event, and hopefully I will get another chance to do it again in 2012. The FCC has lots of VoIP and SIP work to do with the transition of the PSTN and E911 to all VoIP. Hopefully we can soon end the ridiculous subsidies for rural telephone service and instead use them to subsidized high speed Internet service for rural areas.  My friend Henning Schulzrinne was just appointed Chief Technology Officer, so I know the FCC is in good hands technically.  I also enjoyed giving the SIP Tutorial in Miami, Sydney, and Austin.

– In February I published my first novel, a Techno thriller about a massive attack on the Internet that gives this blog its name – Counting from Zero. Little did I know how much hacking and security stories there would be in 2011. Some have even called 2011 the Year of the Hactivist, which is hard to argue with. Overall, I couldn’t be happier with the response to the book. Thank you do much to anyone who has read, reviewed, tweeted, or blogged about it – I am very grateful. Look for more book news in early 2012…

– In February I also started blogging and using Twitter. It has been a lot of fun! Thanks to everyone who has read my blog posts or followed me on Twitter.

– In March I participated in my first robotics competition. The experience was amazing, and I look forward to the start of another build season in just over a week!

– In April, the ZRTP VoIP media security protocol was published as an RFC by the IETF, after 6 years of hard work.  Editing this document is my small contribution to making the Internet more secure.  Here’s to more adoption and deployment in 2012.

– In May the RTCWEB Working Group was chartered by the IETF. The work is progressing slowly but steadily. I expect more progress in 2012, and hope for some strong security to be built into the protocols – lets show that we have learned something over the years…

– In June, I participated in the first ever SIP Network Operators Conference or SIPNOC for short. It was a great success and really shows how SIP has grown up. I am privaleged to have another term on the Board of Directors of the SIP Forum. With the publication of SIPconnect the SIP Trunking recommendation, the business use of SIP continues to grow and expand.

– In November, I has my first experience as a cricket coach. My son started the Priory Amateur Cricket Association or PACA as a club at his school. It has been a blast so far helping the boys learn the basics of cricket. They have done a great job, although we need to reduce the number of no balls! In 2012 we plan to play a one day match against a local cricket club.

So, here’s to 2011 – it was definitely an interesting year!  I hope it was a good one for you and yours.  Here’s to 2012!

, , , , , ,

Leave a comment

Explaining Security

I spent all last week in Austin, Texas at the Internet Telephony Expo, ITEXPO conference.  In addition to giving the SIP and RTCWEB Tutorial and having a board meeting of the SIP Forum, I moderated a security panel at the 4th Generation Wireless Evolution 4GWE conference.  It was a great panel, with Patricia Steadman, CEO of Telesecret,a company founded by Phil Zimmermann to commercialize the ZRTP media security protocol, and a good friend and former colleague from Avaya, Andy Zmolek from LG Electronics.

As I enjoyed the cool and damp weather back in St. Louis (the opposite end of the weather spectrum from last week!), I was elated to discover that my novel “Counting from Zero” was ranked #12 on Amazon’s Computer Network Security sales list! (Of course, this ranking changes minute-by-minute, so it might very well be ranked a bit lower when you read this.)  I mark this as yet another milestone with this book, my first attempt at fiction.  To have it doing so well in a ranking filled with security text books is very exciting!

I was also thrilled to see two other books I greatly admire ranked just above me at #7 and #9:  The Art of Deception: Controlling the Human Element of Security and The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers by Kevin Mitnick and William Simon:  I use both these books as references in my book.  I was thinking of Kevin all last week during my travels as I finished reading his newly released memoir Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker.  It was an amazing read, and I highly recommend it.  Maybe I’ll post a full review here one day soon.

My original goal with “Counting from Zero” was to teach the fundamentals of computer and Internet security, but to do it in a non-traditional way.  I had written one other book on security, “Understanding Voice over IP Security”.  Its sales have not been great, compared to some of my other SIP and VoIP books.  One reason is perhaps that security books tend to be dry, and a little theoretical, not well-connected with real life.  In “Counting from Zero” I tried to invent a plot that would not only teach security, but help motivate it.  I set out to create a character, Mick O’Malley, who would initially seem over-the-top in his security, but have the subsequent action and events make him seem more normal, and the rest of us who barely give security a thought the strange ones.

I have greatly enjoyed the reviews of the book, and those complementing my characters, writing, plot, etc.  But I enjoy hearing the most that a reader learned something from the book.

If you have an interest in Internet or computer network security, my book will help explain some basic concepts and help motivate the topic.  If you have ready my book (thank you!) and learned something useful from it (fantastic!), I’d love to hear from you…

, , , , , , , , ,

Leave a comment

ZRTP Published Today as RFC 6189

Today ZRTP was published by the IETF as RFC 6189. This is a big deal to me for a number of reasons. Let me explain.

RFCs or Request For Comments are the publications about how the technical details of how Internet works. They go all the way back to the earliest days of the ARPANET, used to share information among a small group of researchers. RFCs are published by the RFC Editor and cover Internet fundamentals such as TCP, IP, and SMTP. My first RFC was one for Session Initiation Protocol or  SIP which was published as RFC 3261. Since then, I have published 14 others, but I’m most proud of this one.

ZRTP is a security protocol for providing privacy for VoIP calls over the Internet. It was invented by Phil Zimmermann, who invented PGP (Pretty Good Privacy) for email encryption in the 90’s. When I met him in 2005, he had an idea how to encrypt voice calls and some very rough prototype code. I helped him turn it into a protocol, and wrote the outline of the document that was published today.  I’ve been the editor of this document for the past 5 years.

I think ZRTP is the best way to secure voice and video over the Internet. The reasons are a bit technical, but perhaps I’ll attempt explain why in another post. In the meantime, Phil Zimmermann’s Zfone Project web page has some good points in it.

Oh, and there is one other reason why I’m proud of this document – I came up with the name ZRTP. RTP stands for Real-time Transport Protocol. And of course, Z stands for Phil!   It was a joke at first, but it kind of stuck.

ZRTP even makes an appearance in my techno thriller novel, Counting from Zero. The protagonist, Mick O’Malley uses ZRTP to ensure that all his voice and video communication is private, thwarting those who would like to wire tap his communications.

It has been a lot of work getting this RFC published, and I’m quite proud of the work. And over the years, I’ve become good friends with Phil, which is a real bonus.

Today I’m going to have a mini celebration – happy first birthday ZRTP, RFC 6189!

, , , , , ,