ZRTP is a new secure VoIP phone software product which lets you make secure encrypted phone calls over the Internet. It lets you whisper privately in someone's ear from a thousand miles away. ZRTP enables you to have a private conversation any time you want with anyone, anywhere — without buying a plane ticket.

The ZRTP protocol used by Ripcord will soon be integrated into many standalone secure VoIP clients, but today we have Ripcord Secure: pc, a software product that lets you turn your existing VoIP client into a secure phone, or Ripcord Secure: appliance, a portable hardware device that has ZRTP embedded.

The current ZRTP software runs in the Internet protocol stack on any Windows XP, Mac OS X, or Linux PC, and intercepts and filters all the VoIP packets as they go in and out of the machine, and secures the call on the fly. You can use a variety of different software VoIP clients to make a VoIP call. The ZRTP software detects when the call starts, initiates a cryptographic key agreement between the two parties, and then proceeds to encrypt and decrypt the voice packets on the fly. It has its own little separate GUI, telling the user if the call is secure. It's as if ZRTP were a "bump on the wire", sitting between the VoIP client and the Internet. Think of it as a software bump-on-the-wire, or a bump in the protocol stack. Ripcord will also license ZRTP to allow VoIP product vendors to integrate encryption into their products.

The ZRTP protocol has some attractive cryptographic features lacking in many other approaches to VoIP encryption. Although it uses a public key algorithm, it does not rely on a public key infrastructure (PKI). In fact, it does not use persistent public keys at all. It uses ephemeral Diffie-Hellman with hash commitment, and allows the detection of man-in-the-middle (MiTM) attacks by displaying a short authentication string for the users to read and compare over the phone. ZRTP has perfect forward secrecy, meaning the keys are destroyed at the end of the call, which precludes retroactively compromising the call by future disclosures of key material.
But even if the users don't bother with short authentication strings, you still get authentication against a MiTM attack, based on a form of key continuity. ZRTP does this by caching some key material to use in the next call, to be mixed in with the next call's DH shared secret, giving it key continuity properties analogous to SSH. All this is done without reliance on a PKI, key certification, trust models, certificate authorities, or the key management complexity that bedevils the email encryption world. ZRTP also does not rely on SIP signaling for the key management, and in fact does not rely on any servers at all. ZRTP performs its key agreements and key management in a purely peer-to-peer manner over the RTP packet stream. And ZRTP supports opportunistic encryption by auto-sensing whether the other VoIP client supports ZRTP.

There are good reasons why ZRTP does not rely on a PKI approach. There are major problems and complexities with building, maintaining, and relying on a PKI. That's why in the 1990s, a number of companies died trying to build and market PKI technology. See Ellison and Schneier's paper "Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure" and Ellison's paper "Improvements on Conventional PKI Wisdom".

A free beta release of Ripcord Secure: pc with ZRTP is available for download for Windows XP, Mac OS X, or Linux. ZRTP runs on the 32-bit version of Windows XP; support for 64-bit Windows XP Pro is not in this release but will come soon, and Vista is not supported yet. ZRTP will encrypt audio and video for Apple iChat calls on Mac OS X (Tiger), but does not yet work on the new iChat in Mac OS X (Leopard). ZRTP has been tested with these VoIP clients: X-Lite, Gizmo, XMeeting, Google Talk VoIP client, and SJphone. ZRTP does not work with Skype.
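As an added example that is not part of the original page or of Ripcord's software, the following Python model shows the three mechanisms described above working together: an ephemeral Diffie-Hellman exchange in which the initiator commits to its DH value with a hash before the responder reveals its own, a four-character short authentication string derived from the agreed secret for the users to compare, and key continuity from a secret cached after each call and mixed into the next call's DH result. The DH group, message formats and derivation labels are constructed for illustration (the prime is far too small for real use); the z-base-32 alphabet used to render the SAS is the one the later ZRTP specification (RFC 6189) uses, and the function and field names are this example's own.

```python
"""Toy model of ZRTP-style key agreement: ephemeral DH with a hash commitment,
a short authentication string (SAS), and key continuity from a cached secret.
Constructed for illustration only; the DH group is far too small for real use."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1      # constructed toy group (a Mersenne prime), NOT a real ZRTP group
G = 5
KEY_BYTES = 16
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"   # z-base-32 alphabet, as RFC 6189 uses for the SAS


def h(*parts: bytes) -> bytes:
    """Domain-separated SHA-256 over the given byte strings (labels are this example's)."""
    return hashlib.sha256(b"|".join(parts)).digest()


def sas_from(s0: bytes) -> str:
    """Render a 4-character SAS (20 bits) from the master secret."""
    bits = int.from_bytes(h(b"sas", s0)[:3], "big") >> 4    # 24 bits -> top 20
    return "".join(ZB32[(bits >> (15 - 5 * i)) & 31] for i in range(4))


class Party:
    """One endpoint. `cached` is the rs1 secret kept from the previous call
    with this peer (empty on the very first call)."""

    def __init__(self, cached: bytes = b"") -> None:
        self.cached = cached
        self.priv = secrets.randbelow(P - 3) + 2        # fresh ephemeral exponent per call
        self.pub = pow(G, self.priv, P)

    def pub_bytes(self) -> bytes:
        return self.pub.to_bytes(KEY_BYTES, "big")

    def commitment(self) -> bytes:
        """Hash commitment to our DH value, sent before the peer reveals theirs."""
        return h(b"commit", self.pub_bytes())

    def derive(self, peer_pub: bytes) -> dict:
        """s0 = H(DH shared secret || cached rs1); everything else is derived from s0."""
        dh = pow(int.from_bytes(peer_pub, "big"), self.priv, P).to_bytes(KEY_BYTES, "big")
        s0 = h(b"s0", dh, self.cached)
        return {
            "srtp_key": h(b"srtp", s0),                 # would key the media stream
            "sas": sas_from(s0),                        # shown in the GUI for users to compare
            "rs1_next": h(b"rs1", s0),                  # cached for the next call (continuity)
            "confirm_mac": hmac.new(s0, b"confirm", "sha256").digest(),
        }


def commitment_ok(commitment: bytes, revealed_pub: bytes) -> bool:
    """Responder's check: the revealed DH value must match the earlier commitment."""
    return hmac.compare_digest(commitment, h(b"commit", revealed_pub))


def run_call(initiator: Party, responder: Party):
    """Commit, exchange DH values, verify the commitment, derive on both sides.
    Returns (initiator result, responder result, commitment check)."""
    commit = initiator.commitment()                      # sent first
    revealed = initiator.pub_bytes()                     # sent after the responder's value
    return initiator.derive(responder.pub_bytes()), responder.derive(revealed), commitment_ok(commit, revealed)


def first_call():
    """Honest first call with no cached secret. Returns (everything agreed?, rs1 to cache)."""
    a, b, ok = run_call(Party(), Party())
    agreed = ok and a["srtp_key"] == b["srtp_key"] and a["sas"] == b["sas"]
    return agreed, a["rs1_next"]


def late_choice_rejected() -> bool:
    """Committing to one DH value and revealing another (what an attacker would need
    to do to steer the SAS after seeing the peer's value) fails the commitment check."""
    committed, swapped = Party(), Party()
    return not commitment_ok(committed.commitment(), swapped.pub_bytes())


def mitm_call(rs1_alice: bytes, rs1_bob: bytes) -> dict:
    """Mallory runs a separate DH exchange with each side but holds no cached secret."""
    alice, bob = Party(rs1_alice), Party(rs1_bob)
    mallory_a, mallory_b = Party(), Party()
    a, ma, _ = run_call(alice, mallory_a)
    mb, b, _ = run_call(mallory_b, bob)
    return {
        "mallory_reads_alice": a["srtp_key"] == ma["srtp_key"],
        "mallory_reads_bob": b["srtp_key"] == mb["srtp_key"],
        "sas_alice": a["sas"],                           # differs from Bob's with prob. 1 - 2^-20
        "sas_bob": b["sas"],
        "confirm_matches": hmac.compare_digest(a["confirm_mac"], ma["confirm_mac"]),
    }


if __name__ == "__main__":
    agreed, rs1 = first_call()
    print("honest first call agreed:", agreed, "| late DH choice rejected:", late_choice_rejected())
    print("MiTM on first call (no cache):", mitm_call(b"", b""))
    print("MiTM on second call (cached rs1):", mitm_call(rs1, rs1))
```

On the very first call the two halves of a relayed exchange each agree internally, so only the users reading their SAS values aloud exposes the relay (the two strings differ). From the second call on, the cached rs1 is mixed into s0 on both real endpoints but is unknown to the relay, so the relay cannot derive either side's key and the confirmation MAC fails, which is what lets a ZRTP client warn about a mismatch even when nobody compares the SAS.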
Companies Shipping ZRTP Today
Security