The use of ZRTP in our SIP firmware

The 0cpm Firmerware places a relatively strong emphasis on ZRTP for media encryption. One could wonder why.

First of all, this project was started by the cryptographer behind OpenFortress, so it is a bit of a habit ;-) but underpinning that habit is a belief in a fundamental right to communicate privately.

Many calls may not require privacy of any kind. Still, a percentage of these calls is listened in on; tax money is spent on the people doing the listening, and the tapped telecom operator usually charges its customers for the tapping efforts it is forced to comply with. This is in fact a waste of money, which can be avoided by encrypting such everyday calls as a matter of course.

Other calls do carry sensitive information; for example, business discussions about future development plans or pricing schedules; or private calls in which a password or credit card number is exchanged. It is a great relief to know for certain that such calls cannot be tapped; not even when making a call over a network not controlled by you.

ZRTP is a general mechanism that quietly applies encryption to all media streams, provided of course that both ends support it. For the strongest security, one should verify a ZRTP key token once, to be sure that nobody could have wiggled in between you and your remote contact; but even if you didn't bother with that, you would still end up with pretty good privacy.
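The key token mentioned above is ZRTP's short authentication string (SAS), a few characters both parties read aloud to each other once. The following is an added illustration, not code from the 0cpm Firmerware, of why that comparison catches an interceptor: a toy Diffie-Hellman group and a simplified stand-in for ZRTP's KDF are assumed, and the SAS is rendered with the z-base-32 alphabet of ZRTP's B32 form.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Toy DH group, constructed for this demo only (real ZRTP negotiates
# 3072-bit MODP or elliptic-curve groups); never reuse outside the illustration.
P = 2**127 - 1
G = 5

# z-base-32 alphabet used by ZRTP's B32 short authentication string
B32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

def dh_public(private: int) -> int:
    return pow(G, private, P)

def dh_shared(private: int, peer_public: int) -> bytes:
    return pow(peer_public, private, P).to_bytes(16, "big")

def sas_from_secret(secret: bytes) -> str:
    """Simplified stand-in for ZRTP's KDF: HMAC the DH result with the
    label "SAS" and render the top 20 bits as four B32 characters."""
    sashash = hmac.new(secret, b"SAS", hashlib.sha256).digest()
    bits = int.from_bytes(sashash[:3], "big") >> 4      # 24 bits -> 20 bits
    return "".join(B32[(bits >> shift) & 31] for shift in (15, 10, 5, 0))

def exchange(a_priv: int, b_priv: int,
             mitm_priv: Optional[int] = None) -> Tuple[str, str]:
    """Run one ZRTP-style DH exchange and return (SAS shown to A, SAS shown to B).
    With mitm_priv set, an interceptor swaps in its own public value, so A and B
    each share a key with the interceptor rather than with each other."""
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    if mitm_priv is None:
        a_secret = dh_shared(a_priv, b_pub)
        b_secret = dh_shared(b_priv, a_pub)
    else:
        m_pub = dh_public(mitm_priv)
        a_secret = dh_shared(a_priv, m_pub)   # A believes m_pub came from B
        b_secret = dh_shared(b_priv, m_pub)   # B believes m_pub came from A
    return sas_from_secret(a_secret), sas_from_secret(b_secret)

if __name__ == "__main__":
    for label, result in (("honest", exchange(0x123456789ABC, 0xFEDCBA987654)),
                          ("tapped", exchange(0x123456789ABC, 0xFEDCBA987654, 0x0BADCAFE))):
        verdict = "match" if result[0] == result[1] else "MISMATCH, hang up"
        print(f"{label} call, SAS at A/B: {result[0]}/{result[1]} -> {verdict}")
```

Without the interceptor both phones display the same four characters; with one, the two keys differ and so do the strings, which is exactly what reading the SAS aloud once is meant to expose.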

Encryption is a typical dual-use technology, meaning that it can be used to protect the privacy of good guys as well as bad guys. In light of this, it is common practice to refer to terrorism to convince people to give up their privacy, but that argument is in fact flawed. The idea behind public support for privacy is that the bad guys are not stupid, and can easily get hold of encryption technology or other tricks to conceal their actions, so any outlawing or discouraging of privacy would only impact the privacy of people who mean to do no harm.

Specifically for SIP-based telephony, it is worth noting that this privacy only applies to media, and not to call setup. The information that party A called party B at a certain time remains unprotected. This means that networks of connected people can still be traced, which is probably the most important information that criminal organisations want to hide. In other words, the setup that we have created around the 0cpm Firmerware is not going to favour anyone who thinks of society as a target for illegal exploitation.