Original URL: http://www.theregister.co.uk/2012/11/21/silent_circle/

PGP Zimmermann teams with Navy SEALs, SAS techies in London

Offers 'Silent Phone' crypto to biz, aid workers

By John Leyden

Posted in Security, 21st November 2012 10:28 GMT

Encryption guru Phil Zimmermann is going after security-conscious users with his new venture Silent Circle, a security start-up offering ultra-secure VoIP and texting services.

Silent Circle, which opened a UK office this week, charges a monthly subscription of $20 (£13) per month for a bundle of secure voice, text and video services.

Zimmermann, creator of the Pretty Good Privacy (PGP) program, told El Reg that he's done with "trying to convince people that didn't know about crypto that they needed to use encryption". Instead Silent Circle is targeting US forces based overseas, businessmen visiting China and human rights workers: "who know that they need crypto because they are under high threat".

Silent Circle chief exec and co-founder Mike Janke said the start-up had ambitions to target the business community as well as power users, thereby gaining a foothold in the enterprise through the industry-wide Bring Your Own Device trend. Janke is a former Navy SEAL sniper who approached Zimmermann with the idea for a business that became Silent Circle around a year ago.

Silent Circle released a suite of iOS apps in October, and plans to release complementary Android apps in December. The "curated crypto apps", as Zimmermann describes them, offer Silent Phone (secure VoIP), Silent Text (encrypted messaging) and Silent Eyes (desktop videoconferencing, initially only Windows compatible).

Silent Phone offers secure mobile video and voice. The technology uses the ZRTP encryption developed by Zimmermann, and is designed to work over mobile and WiFi networks.

A forthcoming Silent Mail product will be based on PGP Universal and designed to run on smartphones, tablets, and computers using your existing mail program (Outlook, Mac Mail). Secure business packages, calling plans and enterprise packages are also in the works.

Client-to-client communications using Silent Circle will offer end-to-end encryption. Users calling from Silent Circle apps in China to landlines in the West, for example, will get the benefit of encryption on the first leg of the call, to Silent Circle's dedicated servers in Canada. Crypto keys for VoIP calls are thrown away as soon as they are used, and texts are encrypted on the device. Communications data, such as IP logs, are kept for 24 hours and used only for debugging.

"Users don't even have to trust us. They don't have to be worried about Silent Circle being coerced into doing wiretapping," Zimmermann explained.

Janke added that Silent Circle "retained the least amount of data possible", limited to username, email address, hashed password, short-term IP logs and a 10-digit private phone number. Credit card processor Stripe holds the customer credit card data, not Silent Circle.

Silent Circle's site explains the benefits and limitations (the risk of shoulder surfing, malware, etc.) of its technology:

Our secure communications products use “Device to Device Encryption” – the keys that encrypt your communications are generated on your device and discarded when unneeded. The only exception is Silent Mail which either uses PGP keys you create and manage yourself or allows you to have our PGP Universal server generate them for you.

We do not have the ability to decrypt your communications across our network and nor will anyone else - ever. Silent Phone, Silent Text and Silent Eyes all use end-to-end encryption and erase the session keys from your device once the call or text is finished. Our servers don’t hold the keys.

The technology distinguishes itself from Skype and most mobile voice encryption products by publishing source code, something Janke said appealed to its potential government customers.

Faced with the challenge of intercepting the Skype and IM conversations of terrorist and criminal suspects, law enforcement agencies have increasingly decided to use Trojans as wiretapping tools rather than trying to decipher encrypted traffic. Both Janke and Zimmermann readily conceded that Silent Circle was "not a magic bullet" and wouldn't protect users of compromised devices.

However, Zimmermann said that Silent Circle's trust model is specially designed to detect and block man-in-the-middle digital certificate attacks such as the DigiNotar compromise that exposed the privacy of Gmail, Skype and Yahoo users in Iran last year.
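As an added illustration (not code from the article, Silent Circle or the ZRTP specification) of the ZRTP-style trust model described above: each call derives its session secret from a fresh Diffie-Hellman exchange with no certificate authority involved, and an interception is exposed because the short authentication strings the two callers read aloud to each other no longer match. The group parameters are a deliberately small toy set and the SAS derivation is a simplification of ZRTP's KDF.

```python
import base64
import hashlib
import secrets

# Toy Diffie-Hellman group, for illustration only: a 127-bit Mersenne prime.
# Real ZRTP negotiates far larger groups (3072-bit MODP or elliptic curves).
P = (1 << 127) - 1
G = 3


def dh_keypair(priv=None):
    """Ephemeral DH key pair; a fresh one is generated for every call."""
    if priv is None:
        priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret as 16 bytes; all session key material derives from it."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def sas(shared):
    """ZRTP-style short authentication string: the first 20 bits of a hash of
    the shared secret, shown as four base32 characters the callers read aloud.
    (Real ZRTP derives it through its KDF; the hash label here is made up.)"""
    digest = hashlib.sha256(b"demo-sas|" + shared).digest()
    return base64.b32encode(digest[:3]).decode()[:4]


def run_call(a_priv=None, b_priv=None, interceptor_priv=None):
    """Return (alice_sas, bob_sas, alice_secret, bob_secret) for one call.

    Without an interceptor both ends derive the same secret and SAS. With one,
    each end unknowingly agrees a different secret with the interceptor, so the
    two SAS values disagree and the callers notice when they compare them. No
    certificate authority is consulted, so a forged certificate buys nothing."""
    a_priv, a_pub = dh_keypair(a_priv)
    b_priv, b_pub = dh_keypair(b_priv)
    if interceptor_priv is not None:
        # Each side is handed the interceptor's public value instead of its peer's.
        _, m_pub = dh_keypair(interceptor_priv)
        a_pub, b_pub = m_pub, m_pub
    alice_secret = dh_shared(a_priv, b_pub)
    bob_secret = dh_shared(b_priv, a_pub)
    # Private values are discarded once the session secret exists; nothing
    # retained on a server could later recover the call.
    del a_priv, b_priv
    return sas(alice_secret), sas(bob_secret), alice_secret, bob_secret
```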

Just a few years ago, the level of security offered by Silent Circle might have appealed only to a paranoid niche who would probably have insisted on hardware-based encryption anyway. But the desire to use the latest smartphones or tablets, combined with growing concerns about industrial espionage and privacy, has created a potential market for its services and technology.

The combination of the PGP founder teaming up with two Navy SEALs and three British SAS Special Forces communications experts* offers frankly unmatchable geek credibility. ®

Bootnote

*Perhaps actually from 18 Signals Regiment, the electronic warfare/SIGINT/ELINT/communications formation supporting the UK Special Forces. Though there are signaller specialists who are fully badged members of the SAS itself, 18 Regiment would probably have a higher level of corporate expertise.