[stuff y'all knew but for the record] Basically the authors of the below post find that Speak Freely's reliance on out-of-band symmetric key exchange is solved with PGP email.
PGPfone does this for you over the same channel -- using the mathemiracle of public-key crypto. Since you're both necessarily online, it can and does use Diffie-Hellman instead of RSA. It does not save the negotiated key pair so if no endpoint is taping, the conversation is lost to the wind.

Speak Freely is a nice piece of work, however compared to PGPfone it
1. requires OOB key exchange
2. isn't supported on Macs FWIW.

I don't recall if SF works both ways, but PGPfone supports both IP and direct modem to modem links.

(Just for completeness, anyone researching the field should evaluate Nautilus too.)

At 12:25 PM 6/8/02 +0200, Eugen Leitl wrote:
>Date: Sat, 08 Jun 2002 03:42:12 -0500
>From: "Benjamin T. Moore, Jr." <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED], [EMAIL PROTECTED]
>Subject: RE: PGP and Speak Freely
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Ok, let me see if I can maybe clarify what the issue is... Speak Freely
>offers the ability to encrypt your voice conversations in real time. If you
>have the "Crypto capable" version, when you've made a connection to
>someone, you both can enter an agreed upon key and your conversation will
>be secure from that point forward. This of course creates several problems.
>If someone is listening in, monitoring your conversation/traffic or packet
>sniffing, if for instance, you were to say in the conversation, let's use
>the word "monkey" for an IDEA key and you both typed in the word "monkey,"
>your conversation would be encrypted using "monkey" as an IDEA key. The
>problem of course is, if someone is monitoring your conversation, they'd have
>heard you agree upon a key and they'd simply enter in the same key and
>continue to monitor.
>
>Thus, you need a method of securely exchanging either an agreed upon key or
>a generated key - Speak Freely will generate keys that you may copy and
>paste into any of the various windows for the various encryption
>algorithms. PGP, Pretty Good Privacy, is one damn good method of securely
>exchanging those keys. You may of course e-mail the key in an encrypted
>e-mail or file to the intended recipients or you could even send the
>encrypted file using several of the Instant Messaging Clients with a file
>transfer protocol. These methods will certainly work very well. However,
>take this example which happened to me just last evening. A friend and I
>were needing to set up a secure conversation. After we couldn't get Speak
>Freely to handle the key exchange, we decided to e-mail the key in a PGP
>encrypted e-mail. Trouble was, the mail server was down on his ISP. He
>could neither receive nor send mail. If he hadn't had an auxiliary web-based
>e-mail account, things might have been more complex than they were.
>
>If Speak Freely were functioning correctly... let me amend that, IF we KNEW
>how to make Speak Freely handle the key exchange as described in the help
>file... It would have been a simple matter for us to allow Speak Freely to
>handle the key exchange. What is supposed to happen is... in the
>"connection" tab, you should be able to type the key identifier for the
>person(s), Speak Freely will then launch PGP - which it does - encrypt the
>generated key and transmit it to the intended recipients. This would
>automate secure communications.
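
Added illustration, not part of either message above and not code from PGPfone or Speak Freely: it contrasts a key word agreed aloud on a monitored line with an ephemeral Diffie-Hellman agreement run over that same line. The RFC 3526 group 14 parameters, the SHA-256 key derivation and all names are assumptions of this sketch.

```python
import hashlib
import secrets

# Assumption: 2048-bit MODP group 14 from RFC 3526 (safe prime, generator 2).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def passphrase_key(word: str) -> bytes:
    """Key derived from a word spoken on the line (hypothetical derivation).
    Anyone who hears the word computes the identical key."""
    return hashlib.sha256(word.encode()).digest()


class DHParty:
    """One endpoint holding an ephemeral private exponent for a single call."""

    def __init__(self) -> None:
        self._x = secrets.randbelow(P - 3) + 2   # private, in [2, P-2]
        self.public = pow(G, self._x, P)         # the only value sent

    def session_key(self, peer_public: int) -> bytes:
        # Reject degenerate values (0, 1, P-1) that would force a known secret.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("peer public value out of range")
        shared = pow(peer_public, self._x, P)
        return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def run_exchange():
    """Both ends derive the same key; 'wire' is all a passive listener sees.
    Nothing is written to disk, so the key is gone when the objects are.
    The exchange is unauthenticated: it addresses passive monitoring only."""
    alice, bob = DHParty(), DHParty()
    wire = {"A->B": alice.public, "B->A": bob.public}
    return alice.session_key(wire["B->A"]), bob.session_key(wire["A->B"]), wire
```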
