SAN JUAN, Puerto Rico–Phil Zimmermann has seen more changes in the the threat landscape in his career than he may care to remember. The inventor of the PGP encryption software and one of the key movers in the crypto wars of the early 1990s, Zimmermann is back in the game now with a new mobile crypto system that’s designed to help take the prospect of government eavesdropping and criminal attacks on mobile communications off the table.

The new venture, Silent Circle, launched last year and was conceived with the idea of giving people in hostile situations a reliably secure communications mechanism, even if they think they may be under active surveillance. Users of the iPhone or Android app can conduct secure, encrypted voice calls with other users. The system relies on an encryption scheme that doesn’t use the public-key infrastructure, something that Zimmermann was adamant about.

“I’m willing to go to great lengths to avoid the public-key infrastructure,” he said in a talk at the Kaspersky Lab Security Analyst Summit here Tuesday. “What could be a more spectacular public failure than that infrastructure?”

Zimmermann said that the recent compromises of certificate authorities such as DigiNotar and Comodo have shown how fragile that infrastructure is, something that many security and cryptography experts have been saying for the better part of a decade. The other thing that Silent Circle doesn’t do is hold any user encryption keys, not even for a second, because the keys never pass through the company’s servers. The crypto operations are done on the client side.

That’s an important point, because it prevents the company from having to deal with any demands from law enforcement agencies looking for encryption keys.

“We really, really don’t have the keys,” he said. “This is for serious people in serious situations. I think probably it’s not a good idea to trust crypto software if they don’t publish the source code. It’s not just [to look for] back doors, but what if they screw up and make a mistake?”

Silent Circle also has secure email and text apps. The company has published the source code for its VOIP app and plans to do the same for its text app next week. Zimmermann said that there is no chance that the company will include any back doors or law-enforcement access mechanisms for its products.

“We’re not going to build in any back doors in our service. I’ve spent my whole career on the principle of no back doors, so I’m not going to start now. One thing we won’t do is cave in.”

Categories: Mobile Security, Privacy

Comments (3)

  1. pogue
    1

    Has anyone tried this product suite out? I’m curious to know if it is compatible between iPhone & Android phones.  It also seems a bit pricey, considering Redphone makes an open source encrypted phone tool for Android that is free & open source.  Although I can’t speak on how secure it is compared to Zimmerman’s product, the source is out there for anyone to take a look.

    The only obvious problem is that the user on the other end has to have the same product on their device.

  2. Gail Ayres
    2

    This seems to be the demise of the electronics communications.  This is insane to allow this to happen out of paranoia!  Think if it were in the criminal’s hands, we think it’s bad now!  We at least have respect for the people who will be using our products. 

  3. Anonymous
    3

    So, what’s the big deal ? All it serves is *assumably* protecting users from governement-evesdropping in the easy sense. They still can access our data through oh-so-many other attack vectors: hardware backdoors, software vulnerabilities (OS and mobile apps) and others.

    I’m more afraid then viruses and bad people (e.g. Cyber crime organizations) then the governement. This will probably be used by criminals more then ordinary people. This product is bad.

Comments are closed.