Does Phil Zimmermann need a clue on VoIP?

Written by George Ou, Contributor

Updated: 8/5/2005 @ 4:06 am Phil Zimmermann of PGP fame, a legend in the cryptography world, was cooking up a new secure VoIP brew at last week's Black Hat conference--but could he be just a little bit out of touch?  As much as I respect the man's intellectual prowess and his contribution to the field of cryptography, I don't think I can say the same about his product design skills.  Product design and product marketing are less about intellectual prowess than understanding the needs of the average human user.  When I read about Zimmermann's recent VoIP demonstration at Black Hat, it made me doubt his product design skills even more.

Phil Zimmermann criticizes existing VoIP cryptographic solutions for relying on PKI.  Given the fact that Zimmermann's PGP technology has always been an alternative to PKI-based technologies, one can expect a bit of a natural bias against PKI-based solutions.  Just about every other PKI-alternative cryptography company has gone as far as declaring PKI dead even though PKI has been thriving for the last decade with E-Commerce leading the charge in a massive global PKI implementation.  I've personally designed and deployed many PKI solutions for large corporations for all sorts of security applications ranging from remote VPN access to wireless LAN security, and I can attest that the technology is simple, scalable, and reliable.  It's an undeniable fact that any solution that promises to bypass PKI always ends up being more trouble than it's worth.

One of the biggest recent successes in VoIP or any application class is the phenomenon of Skype.  Skype has managed to gain more users in a single year than all of the other VoIP software solutions put together; at last count, there were about 145 million downloads of Skype.  Millions of people use it every day without even knowing that they are using PKI technology with 1024-bit 1536 or 2048-bit [Updated 8/5/05 1:44PM] RSA keys for secure authentication and 256-bit military grade AES encryption.  While other vendors talk the talk about cryptography and how nice it would be if only people would use it, Skype actually deployed the biggest secure VoIP communications scheme ever using a seamless PKI implementation.  Most people just never knew it because Skype spent less time talking about it than implementing it.  Looking at Zimmermann's PKI-less VoIP cryptography scheme, I doubt it will be as seamless a solution.

On the connectivity side, Zimmermann's demonstration at Black Hat showed why Skype still reigns supreme over everyone else.  As a matter of fact, Zimmermann's demo almost never left the ground because of router traversal problems.  While firewall and router traversal problems aren't uncommon among most VoIP solutions, it is one of the biggest impediments (next to inadequate or missing microphones on the modern personal computer) to the success of VoIP.  The reason Skype exploded onto the scene was that they alone understood that the average computer user is in no mood to mess with firewall rules, port triggers, and NAT traversal problems and probably doesn't even know or care what I'm talking about.  Skype wrapped their entire VoIP payload into a simple firewall- and NAT-friendly packet and used the power of peer-to-peer technology to make Skype work under any environment.  All the complexity is hidden under the hood and even grandma can now use PC telephony.

Skype has set the gold standard for ease-of-use and seamless security.  Any VoIP solution from this point forward that fails to meet this standard will be dead on arrival.  Although it may be too early to tell how Zimmermann's solution will fare in the end, it certainly doesn't appear to be off to a good start.  Maybe I'm being a bit harsh on a solution that is still a work in progress or maybe Zimmermann thinks I'm way off base.  Phil, if you're reading this and you want to tell me I'm wrong and why, I'll be more than happy to post your reply. [Editor's note: Phil Zimmermann's reply.]
