×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Skype Encryption (Partly) Revealed

timothy posted more than 3 years ago | from the skyping-ahead dept.

Encryption 151

TSHTF writes "Just weeks after Skype unveiled a public API for the service, a group of cryptographers led by Sean O'Neill have successfully reverse engineered the encryption used by the Skype protocol. Source code is available under a non-commercial license which details Skype's implementation of the RC4 cipher." The linked article cautions, however, that "initial analysis suggests that O'Neill's publication does not mean that Skype's encryption can be considered 'cracked'. Further study will be needed to determine whether key expansion and initialisation vector generation are secure."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

151 comments

Oops I farted (-1)

Anonymous Coward | more than 3 years ago | (#32844996)

Oops I farted on a video chat and Skype.

Oh god! I hope no one can break the encryption and see this!!!

So, if I'm reading this right... (2, Insightful)

Reilaos (1544173) | more than 3 years ago | (#32845012)

We're on the way to getting 3rd party Skype applications. Neat.

Re:So, if I'm reading this right... (5, Insightful)

aliquis (678370) | more than 3 years ago | (#32845156)

You know what would be neater? Something not based on a proprietary system, and there are plenty. (Though it could be argued whatever things like SIP is as good.)

Re:So, if I'm reading this right... (1, Interesting)

Anonymous Coward | more than 3 years ago | (#32845706)

SIP isn't that great though because there is no encryption. Sure, there is "encryption" like SRTP for SIP but nobody uses it and practically none of the SIP providers support it (quite possibly none support it; I haven't found one at least).

Plus there is the whole momentum thing, lots of people use Skype because it's dead easy to install and it generally "just works." However, the Skype client sucks donkey balls. It's buggy and difficult to use in a non-GUI environment.

With that said, I still use VOIP/SIP for my main phone because Skype-IN seriously sucks (when I had it I would guess 50% of calls went to voicemail instead of ringing my phone even though everything was working normally).

No other cross platform alternative... (4, Insightful)

Anonymous Coward | more than 3 years ago | (#32845816)

...for *video* calls. I use Linux, my daughter uses Apple and my son uses Windows. Skype allows high quality video chat, telephone interconnect/transfer and IP voice calls on all three platforms.

They may be proprietary and bandwith hogs, but the Skype folks certainly offer a free product with great user appeal. Maybe that's why it's so popular?

Video (1)

phorm (591458) | more than 3 years ago | (#32846338)

That used to be the case for me, but more recently on several different machines I've found that I either could not send or receive videos (despite having working cameras on both ends, and the cams working with other apps).

Re:No other cross platform alternative... (1)

aliquis (678370) | more than 3 years ago | (#32846646)

Yeah, the Pidgin people is pretty annoying as far as webcam support goes. Though understandable and it's their time and project so .. Jabber video may not be really there yet.

aMSN should run on all platforms, though the old version is kinda scrapped waiting for the new one.

I don't know if there's any way to use webcam over ICQ in Linux.

Looks like Qnext does video, and it's JAVA, atleast if I remember correctly.

But yeah, Skype is convenient, it works where noone else seem to have succeeded, and it's simple to use. Just suck arse that it's proprietary software and protocols (and servers? To the extent they are used.)

One would had believed Google would had thrown out an alternative which was just as good really fast. Maybe with a client in Android to. And hopefully based on standards.

Re:No other cross platform alternative... (3, Informative)

jrumney (197329) | more than 3 years ago | (#32846712)

SIP based videophone clients are available for all those platforms. They may not be the same client, but because SIP is an open standard they don't have to be to interoperate. Also H.323 clients should be available for all platforms, one even comes with Windows by default (netmeeting) though it doesn't get an icon in the start menu these days.

Re:No other cross platform alternative... (1)

norpy (1277318) | more than 3 years ago | (#32846820)

Netmeeting no longer exists. It has been replaced by "Windows Meeting Space"

Re:No other cross platform alternative... (4, Insightful)

FriendlyLurker (50431) | more than 3 years ago | (#32848580)

I kinda get annoyed when people say "Use SIP" to the "I want to replace Skype with open source/non proprietary" question. Ok so SIP exists and clients are out there, I have even tried a few out with tech orientated friends. Now show me where all my __non tech friends__ can download AND install a sleek simple easy to use SIP client in around three clicks, and be chatting a minute later with no configuration? (the minimum bar that Skype has set). AFAIK such a SIP client does not yet exist - the SIP community has failed to cater even remotely to the only crowd that will actually make SIP relevant on the desktop (and so by extension, other areas).

Key in Open Source S... and google will show you just how popular it is to search for Skype alternatives - the demand is there. Clicking through the search [google.com] shows just how sorry the state of SIP actually is. Top listed "Top ten" lists from 2007, half baked solutions. Hardly comparable to Skype's prominent big download button, about three click install and your talking (over an encrypted link, no less).

I so wish I was wrong about this and there did exist a SIP client where I could email to my non-techy friends and have them chatting in minutes. Maybe one day hopefully, when someone (anyone, please!) in the SIP community get their act together. I'd love nothing more than if someone replied to prove I am wrong here...

So what you're saying about this is (0)

Anonymous Coward | more than 3 years ago | (#32848834)

So what you're saying about this is that the ONLY reason why you like Skype is because they've made a slick installer for all three platforms.

Please tell me how this makes a propriatory solution the ONLY solution?

Skype could open up their protocol so other people could use Skype freely.

Anyone can write a nice installer setting up SIP accepted standard. The problem being that nobody has. All someone has to show you is how to set up one SIP client and that client should be able to talk to any other SIP client, then there's no problem.

the problem is that people like you assume that SIP != Skype and that Skype is the ONLY SOLUTION. It isn't. If Skype were using a SIP configuration others could use, there would be no issue. If people like you didn't DEMAND Skype compatability, others would be able to fill its place.

Re:No other cross platform alternative... (1)

jez9999 (618189) | more than 3 years ago | (#32848602)

one even comes with Windows by default (netmeeting) though it doesn't get an icon in the start menu these days.

And it doesn't start on Windows 7, it crashes.

Re:No other cross platform alternative... (1)

GSV Eat Me Reality (1845852) | more than 3 years ago | (#32847520)

  Primitive, yet newly introduced, communications protocols such as these tend to create a desire to control them in entities that did not originally create them. This has been demonstrated multiple times in humanoid history.

  What is most puzzling about the desire for control is the fact that given a sufficient period of time, the protocols will evolve, the society and culture will evolve, and the entities that desire to control them will be left with no control over them, with the possible exception of what can be preserved by redundant and ultimately short-lived influence on the social mechanisms that are prevalent at the time.

  This seems to be counter productive to the advancement of any society, as it allows the affluent members of the society to gain control over the creative process which advances societies and culture, and therefore stifle it.

  Speaking entirely as a corporeal and yet potentially non-involved entity, is this not contrary to the stated desires of the culture and society, to wit, to advance? Is it not contrary to the very desires of the affluent entities, that the system they live within evolves and therefore produces situations in which they can become more affluent?

  It is surely puzzling.

  GSV Eat Me Reality

 

Re:No other cross platform alternative... (1)

houghi (78078) | more than 3 years ago | (#32848550)

For me that is a reason NOT to use it. You do not want to chat with me and see how I sit behind my computer.

Re:So, if I'm reading this right... (1)

MartinSchou (1360093) | more than 3 years ago | (#32847844)

Plenty?

Okay, here's my "benchmark" for a Skype replacement:
Must be easy to use: My parents both managed to download, install and create new users in the first attempt - without having to read anything other than the on screen instructions.
Must be translated properly: My parents don't speak nor read English at all. They're Danish, and in case you're wondering, that's a language spoken by fewer people than live in New York City.
Must work without fail: Again, should be something mom and dad can get up and running, without having to configure anything other than a username and password.
Must work on other platforms: Shouldn't matter if you're on Windows, OS X or if your kids set up a Linux machine for you. It should still just work.
Must support text, file transfers, audio and video: Just like Skype.

So - your claim was that there were plenty of these. Let's see them.

Re:So, if I'm reading this right... (1)

Arancaytar (966377) | more than 3 years ago | (#32847986)

A different Skype implementation would still have to implement this encryption algorithm that is suspected to be weak, in order to be compatible.

A better idea would be to make a new program with encryption that is actually secure.

Skype still sucks (5, Interesting)

Anonymous Coward | more than 3 years ago | (#32845026)

It is proprietary, centralized, bloatwared, closed, and bandwidth intensive. Simply fixing one of this is not an improvement on the situation.

Unless you happen to be one of the unfortunate souls whose boss requires all communication to be on skype, then maybe a non-crashy linux client will be your savior.

Re:Skype still sucks (1)

iPhr0stByt3 (1278060) | more than 3 years ago | (#32845054)

Name a decent alternative? I like it for what it CAN do.

Re:Skype still sucks (0)

Anonymous Coward | more than 3 years ago | (#32845084)

Oovoo... what do I win?

Re:Skype still sucks (0)

Anonymous Coward | more than 3 years ago | (#32845790)

No linux client. Nothing.

Re:Skype still sucks (1)

Anaerin (905998) | more than 3 years ago | (#32846342)

Did they drop their plans to charge for video calling, then? And where's the linux client? Or the OSX one? Or the handheld Wi-Fi Oovoo devices?

Re:Skype still sucks (3, Interesting)

Jorl17 (1716772) | more than 3 years ago | (#32845122)

Usually I used skype to voice-chat. Then I realized that mumble was good outside gaming. Now I use mumble to do everything and have my own little chat app to communicate via text. Skype is dead for me. Mumble is bandwidth-saving in some cases and the quality is so vastly superior. The disadvantange is that of a centralized server, but I manage that just fine by using an available server OR running my local one. Sure, for conferences it might be worse in terms of bandwidth (all data going to the server = me), but for 2-3 people it is great. This isn't good for video, though, but I don't need that anyway, and I've heard of good apps to do so.

Re:Skype still sucks (3, Interesting)

commodore64_love (1445365) | more than 3 years ago | (#32845198)

>>>Name a decent alternative?

I use a calling card which is only 5 cents per minute and will work regardless where I'm at (home, hotel, payphone along the highway). I've looked at Skype and think it's a cool idea, but don't see that it would save me money, or be as convenient.

Re:Skype still sucks (2, Informative)

fuzznutz (789413) | more than 3 years ago | (#32845346)

Pay-phone? Where do you find pay-phones these days? My daughter's brand new high school has no pay-phone anywhere on the premises. In fact, I can't remember the last pay-phone I saw. I work at a University, and there are no pay-phones in any building on campus.

Re:Skype still sucks (1)

commodore64_love (1445365) | more than 3 years ago | (#32845910)

Turnpike rest stop.
Gas station.
McDonalds.

Or if they don't have one, I use my cellphone but it costs 20 cents a minute so I generally try to use my 5 cent calling card instead. Anyway still don't see the reason to switch to Skype net calling
.

Re:Skype still sucks (-1, Flamebait)

negRo_slim (636783) | more than 3 years ago | (#32846884)

Pay-phone? Where do you find pay-phones these days? My daughter's brand new high school has no pay-phone anywhere on the premises. In fact, I can't remember the last pay-phone I saw. I work at a University, and there are no pay-phones in any building on campus.

You're on Slashdot yet claim to not even know where to find a pay phone. I think we can all agree your an idiot.

Re:Skype still sucks (1)

Colonel Korn (1258968) | more than 3 years ago | (#32845444)

>>>Name a decent alternative?

I use a calling card which is only 5 cents per minute and will work regardless where I'm at (home, hotel, payphone along the highway). I've looked at Skype and think it's a cool idea, but don't see that it would save me money, or be as convenient.

Skype to Skype calls are free, and Skype calls to the United States cost something like $9 for unlimited minutes over 3 months. Skype calls to phones in Europe are around 1-2 cents per minute.

Re:Skype still sucks (1)

Sir_Lewk (967686) | more than 3 years ago | (#32845274)

And millions of people got along just fine with Windows ME.

Just because it works for you, and you like it, doesn't mean that it is good.

Re:Skype still sucks (4, Informative)

caseih (160668) | more than 3 years ago | (#32845572)

For me Gizmo5 and sipgate.com provide all the VoIP services I used to use skype for. In fact when I combine Google Voice with either Gizmo5 or sipgate.com, and a Linksys 3102 SPA box, I can not only replace skype, but replace my land line as well. I also do most voice communication at home, so I ditched my cell plan and got a T-mobile prepaid plan. Now if I receive a call via GV on my cell phone, the moment I walk in the door I can transfer it to VoIP.

If I had an asterisk box set up, I could probably do GV-connected outbound calling automagically from my land phone. At the moment I place most calls via the web interface.

I know Skype can do IM and video chat, but frankly I never needed that. so yes, SIP is a good alternative. And ekiga can do both SIP and video chatting using open protocols. Works quite great, despite SIP's retardedness.

Re:Skype still sucks (0)

Anonymous Coward | more than 3 years ago | (#32847656)

You can get those SPA's to work? Shit, you must be pro!

I've worked at a couple of organizations where they rolled out those SPA's on a relatively large scale, and we couldn't get them to be stable and consistent.

I wouldn't touch that shit for mission critical stuff.

Re:Skype still sucks (1)

xiando (770382) | more than 3 years ago | (#32845606)

Name a decent alternative?

There is a standard called SIP [wikipedia.org] for Internet voicecalls and a vast number of softphone programs, and hardphones, which support it. Call me using Twinkle, Linphone, Ekiga or whatever softphone you want, they all support SIP like my wireless Siemens SIP phone and they all make my phone ring when you dial it.

Re:Skype still sucks (0)

Anonymous Coward | more than 3 years ago | (#32845866)

SIP. Choose the provider you want (there is a lot of them). I use sipnet.ru (Russian) which even allows free calls to skype.

Re:Skype still sucks (1)

Pentium100 (1240090) | more than 3 years ago | (#32846804)

Does it support text chat? I use Skype mainly for text chat, but sometimes I also call and use it as voice chat for games (not having the voice chat app and the game on the same computer is helpful).

Re:Skype still sucks (1, Insightful)

Anonymous Coward | more than 3 years ago | (#32845524)

It is proprietary, centralized, bloatwared, closed, and bandwidth intensive. Simply fixing one of this is not an improvement on the situation.

I like FOSS as much as the next guy but making things open source does not magically eliminates any of these problems. I've seen plenty of FOSS code that suffers from being centralized, bloatwared and bandwidth intensive plus being insecure, badly designed, counterintuitive to use, .... , the list goes on. Bad coders are bad coders no matter where they work.

...then maybe a non-crashy linux client will be your savior.

Halleluja!!!

Re:Skype still sucks (2, Informative)

westlake (615356) | more than 3 years ago | (#32845840)

It is proprietary, centralized, bloatwared, closed, and bandwidth intensive.
maybe a non-crashy linux client will be your savior.

There are about 500 million Skype accounts.

40 million or so people using the service on any given day. Skype [wikipedia.org]

You don't "dial out" to stress-test the technology - you dial out in the hope that someone will be there to answer your call.

Re:Skype still sucks (1)

johanw (1001493) | more than 3 years ago | (#32847330)

But is has one main advantage over all other clients: decent encryption. When governments start complaining they can't decrypt the calls, like the Indian did, you know you're on the right track.

Re:Skype still sucks (0)

Anonymous Coward | more than 3 years ago | (#32847852)

"maybe a non-crashy linux client will be your savior"

It'll have to be command-line Skype then, because we're sadly still waiting for someone to develop a single linux gui app that has popular appeal or at least doesn't suck royal balls.

Re:Skype still sucks (1)

arivanov (12034) | more than 3 years ago | (#32848018)

Add to that - its "state of the art cryptography" is highly questionable. RC4 is a prehistoric algo.

While it is not a bad algo per-se it is extremely easy to f*** up at the implementation level. WiFi is one example of such royal cockup. There are others.

I would not trust a proprietary system that has not been open to scrutiny to implement RC4 based crypto correctly.

C&D (2, Insightful)

pak9rabid (1011935) | more than 3 years ago | (#32845030)

Queue the cease and desist in 3...2...1...

Re:C&D (0)

Anonymous Coward | more than 3 years ago | (#32845136)

A C&D for a clean-room reversed engineering of a publicly-available algorithm? Methinks not.

Universal v. Reimerdes (2, Informative)

tepples (727027) | more than 3 years ago | (#32845956)

A C&D for a clean-room reversed engineering of a publicly-available algorithm? Methinks not.

Methinks so. Universal v. Reimerdes.

Re:C&D (1)

Imagix (695350) | more than 3 years ago | (#32845290)

Egad.... yet another person who doesn't know the difference between a line-up and a signal. _Cue_ the C&D in 3... 2... 1...

Re:C&D (0)

Anonymous Coward | more than 3 years ago | (#32845348)

Egad.... yet another person who doesn't know the difference between a line-up and a signal.

_Cue_ the C&D in 3... 2... 1...

Queue all of the people correcting his mistake in 3...2...1... Preferably after lmagix.

(cue works there too, fwiw)

I could care less about a simple mistake.

And so I will.

Re:C&D (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#32845416)

You could care less? Therefore, you do care more than not caring?

The phrase is, "I couldn't care less". Just like "2nd to none" = "1st", "Couldn't care less" = "don't care at all".

Re:C&D (0)

Anonymous Coward | more than 3 years ago | (#32848004)

Good job, you're retarded.

Re:C&D (-1, Troll)

pak9rabid (1011935) | more than 3 years ago | (#32845422)

Har har har. Why don't you grab a cushion off your mom's couch and a wrapping paper tube and go play with the other LARPers [wikipedia.org].

Re:C&D (1)

omnichad (1198475) | more than 3 years ago | (#32845420)

If you're going to queue them, go in order: 1. There's only one cease and desist coming, right? If you're counting down, you're probably cueing.

Reverse Engineered (0)

Anonymous Coward | more than 3 years ago | (#32845078)

Isn't reverse engineering such as this a clear violation of the DMCA?

Re:Reverse Engineered (1)

omnichad (1198475) | more than 3 years ago | (#32845452)

If the person who did it was American, or if an American uses the code then sure.

Re:Reverse Engineered (2, Insightful)

omnichad (1198475) | more than 3 years ago | (#32845478)

Oh, this could be used for interoperability - something explicitly allowed under DMCA. It's just like reverse engineering Word's .doc format.

Re:Reverse Engineered (1)

cgenman (325138) | more than 3 years ago | (#32846180)

The DMCA only covers copyrighted content protection, not things like garage door openers.

You could argue that the contents of the communication are a copyrighted performance created by the two participants, but it probably wouldn't hold much weight in court.

Re:Reverse Engineered (1)

AHuxley (892839) | more than 3 years ago | (#32846420)

Yes, make a free app from the clean room effort fine, start a mapping of skype phones in use and keeping data, bad.

Well (2, Interesting)

Irick (1842362) | more than 3 years ago | (#32845090)

Hopefully this means we will see some more 3rd party clients, and maybe some Jabber integration.

sooo... (1)

igadget78 (1698420) | more than 3 years ago | (#32845110)

Interesting that they use multiple encryption algorithyms for their communication. simple yet apparently effective.

Re:sooo... (1)

Sir_Lewk (967686) | more than 3 years ago | (#32845250)

As I'm reading TFA, it seems to me it's just a modified version of RC4. Hardly terribly interesting or new.

Re:sooo... (1)

ducomputergeek (595742) | more than 3 years ago | (#32845326)

but nothing beats my 10xROT13 cipher! It's encrypted 10 times!. 10 times I tell ya! Try and beat that Citizen Protector....or whatever the NSA is calling it these days...

Re:sooo... (1)

Fumbili (1820232) | more than 3 years ago | (#32846068)

but nothing beats my 10xROT13 cipher! It's encrypted 10 times!. 10 times I tell ya! Try and beat that Citizen Protector....or whatever the NSA is calling it these days...

Mine goes to 11

Re:sooo... (0)

Anonymous Coward | more than 3 years ago | (#32848884)

you amateurs and your rot13. use rot26 like us real pros.

Wasn't this done years ago? (5, Interesting)

Wesley Felter (138342) | more than 3 years ago | (#32845146)

On the Wikipedia page http://en.wikipedia.org/wiki/Skype_protocol [wikipedia.org] I see presentations from 2004 and 2006 about reversing Skype, including its encryption. What's new here compared to the previous work?

Re:Wasn't this done years ago? (1)

AnonymousClown (1788472) | more than 3 years ago | (#32845514)

On the Wikipedia page http://en.wikipedia.org/wiki/Skype_protocol [wikipedia.org] I see presentations from 2004 and 2006 about reversing Skype, including its encryption. What's new here compared to the previous work?

Nothing. The references in your links were for academic and industry consumption. The Register article was for public consumption.

That's about the only thing I can figure.

Re:Wasn't this done years ago? (1)

Threni (635302) | more than 3 years ago | (#32846210)

At least this time the Register isn't fallng for another obviously fake 'story'.

Re:Wasn't this done years ago? (1)

blair1q (305137) | more than 3 years ago | (#32846228)

You mean this time someone's making money on every click, and is probably crapping their piggy-bank upon getting the article submitted to slashdot...

Re:Wasn't this done years ago? (0, Flamebait)

Profane MuthaFucka (574406) | more than 3 years ago | (#32847170)

Let me get this straight. Presumably you've known a few journalism students in your lifetime. Probably you've even talked to them too. Most likely you realized what fucking idiots they all are, being incurious types more likely to have a crush on a bartender than a serious engineering student.

Why are you expecting that a journalist might produce something that you, a person likely of normal or higher intelligence, would find useful?

Re:Wasn't this done years ago? (0)

Anonymous Coward | more than 3 years ago | (#32847600)

In Soviet Russia, BARTENDER has crush on YOU!

implications? (3, Insightful)

Eil (82413) | more than 3 years ago | (#32845430)

None of this harms Skype's existing security in any way. Encryption, if properly implemented, is secure even when all of the mechanisms are known. This is why you can have software like GPG and the zillion open source AES implementations and still use them to reliably protect data from interception.

What would weaken Skype's security was if someone found a shortcut (by way of a bug or design flaw) to decrypting the data without knowledge of the keys being used. According to TFA, this is what the O'Neill is working on now.

That said, the source material that O'Neill provided mentions only symmetric ciphers, which means that the keys might be buried in the Skype binaries somewhere. If that's the case, then finding those would break Skype's encryption wide open. But I rather doubt that will happen. We're only seeing part of the story here and I'd bet dollars to donuts that they're using one or more asymmetric ciphers somewhere to transmit keys for the symmetric ciphers.

Re:implications? (0)

Anonymous Coward | more than 3 years ago | (#32845628)

Can't they just derive the symmetric keys from the users password?

Re:implications? (5, Informative)

0123456 (636235) | more than 3 years ago | (#32845656)

None of this harms Skype's existing security in any way. Encryption, if properly implemented, is secure even when all of the mechanisms are known

ROT13 isn't secure when it's known.

Like ROT13, RC4 is an antiquated cipher with many known issues; and a modified version of RC4 could be even less secure than the vanilla implementation. No-one should be using it these days when there are much better alternatives available.

Re:implications? (2, Informative)

swillden (191260) | more than 3 years ago | (#32847492)

None of this harms Skype's existing security in any way. Encryption, if properly implemented, is secure even when all of the mechanisms are known

ROT13 isn't secure when it's known.

ROT13 isn't encryption. It's a trivial unkeyed encoding.

Like ROT13, RC4 is an antiquated cipher with many known issues; and a modified version of RC4 could be even less secure than the vanilla implementation. No-one should be using it these days when there are much better alternatives available.

RC4 is also a widely-known and deeply-studied cipher. It has some known weaknesses, but workarounds for those weaknesses are also known. It's also very efficient and a stream cipher is the right kind of cipher for this application. I agree that there are better alternatives, but unless they mucked up the implementation, there's every reason to believe that Skype's encryption is secure.

Re:implications? (1)

nullchar (446050) | more than 3 years ago | (#32847782)

unless they mucked up the implementation, there's every reason to believe that Skype's encryption is secure.

Perhaps secure from a random researcher, but not secure from a dissident's point of view. If the encryption is not end-to-end (with client-managed PKs), then it is useless, even if it's strong and secure.

The problem is, no one knows if the link is only encrypted between the clients and the server, or only encrypted between the clients. We also don't know if each client maintains its own private asymmetric key or if the server is the only private key holder.

Re:implications? (1)

BitZtream (692029) | more than 3 years ago | (#32847496)

ROT13 is an acceptable form of encryption even when everyone knows what it is, assuming that the third party that isn't supposed to see it can't see it before its useless.

No encryption is perfect. All are 'breakable' in the loosest sense of the word. The question is can you decrypt the data before it is of no value to decrypt it.

Considering 99.9999999999999999999999999% of the traffic sent using the Skype protocol has no value to anyone other than the parties involved anyway than the strength of the encryption doesn't probably have to be that high in order to make it high enough to be safe from a practical perspective.

Its probably easier to just bug your house than to deal with the encryption. Mission accomplished.

If it turns out that a moderately fast computer or small cluster can break and decrypt in real time from the output of tcpdump, that would be bad. If I can throw a bunch of EC2 hosts at someones conversation and decrypt it for a reasonable price ... now we have a serious problem.

Actually, I think I just came up with a business plan ...

Skype may have better security than you think (2, Interesting)

DigitAl56K (805623) | more than 3 years ago | (#32845686)

Cryptome hosts this 2007 document:

http://cryptome.org/isp-spy/skype-spy.pdf [cryptome.org]

* Skype can provide records showing account creation, financial transaction and use of PSTN interconnections
* Due to the way by which Skype works, Skype does NOT have any records of user “logins”, “log offs” or other general online/offline status
* The Skype system is designed in such a way that voicemail is not centrally stored
* Calls, IMs and other activities between Skype users do not create billing records

Everything there implies that if you want your communications to be private with respect to what can be provided in response to a subpeona then Skype isn't a bad platform. As to what can be intercepted obviously that is not covered because it's not relevant to that document.

Re:implications? (2, Interesting)

Caledfwlch (1434813) | more than 3 years ago | (#32845810)

There is a positive implication.... it may count partly towards the transparency that the Indian security agencies want ;-)

Re:implications? (2, Informative)

Sloppy (14984) | more than 3 years ago | (#32845834)

None of this harms Skype's existing security in any way

That depends on what you mean by "security." If "security" means having a monopoly on sales of an implementation of a popular protocol... ;-)

We're only seeing part of the story here and I'd bet dollars to donuts that they're using one or more asymmetric ciphers somewhere to transmit keys for the symmetric ciphers.

The big question about Skype has always been: how are the using the asymmetic stuff? How does each client know whose public key it's using?

Re:implications? (2, Insightful)

Wesley Felter (138342) | more than 3 years ago | (#32845838)

It's not about security; revealing the protocol hurts Skype's lock-in. For example, the Skype-Asterisk gateway is $66 per channel; imagine if someone created an open source version.

Re:implications? (0)

Anonymous Coward | more than 3 years ago | (#32846498)

There is no key. That's the point. It's an IV expansion algorithm. The 32-bit IV is transmitted in clear in the header of the packet. It's an obfuscation layer that relies merely on no one knowing this algorithm. The implications of this publication are quite serious. Vanilla Skype team did not publish this algorithm. There is no key to break to decrypt the traffic.

Re:implications? (1)

johanw (1001493) | more than 3 years ago | (#32848016)

The already mentioned Wikipedia article (https://secure.wikimedia.org/wikipedia/en/wiki/Skype) mentions the use of RSA but is not sure. Why are you so sure they don't use asymmetric crypto?

The key scheduling is what's important (5, Informative)

bk2204 (310841) | more than 3 years ago | (#32845766)

The actual RC4 cipher has bad key scheduling issues. Because the initialization step doesn't mix the key bytes well enough into the S-box, the first bytes of the keystream (which is XOR'd with the plaintext to produce the ciphertext) leak lots of data about the key. This is a major problem with WEP (there are, of course, others). Cryptographers recommend discarding the beginning of the keystream because of this weakness. Nevertheless, RC4 is popular because it is byte-oriented and fast. Even 8-bit machines can implement it trivially.

Ultimately, it comes down to the key scheduling. If Skype has a better key-scheduling algorithm, it may actually improve security over standard RC4.

Re:The key scheduling is what's important (1)

FormOfActionBanana (966779) | more than 3 years ago | (#32846308)

Interesting... but I wouldn't bet my whole paycheck that the Skype guys, rolling their own encryption, from a weak (RC4) starting point, just stumbled upon something better than the good modern crypto hashes available.

Re:The key scheduling is what's important (4, Insightful)

swillden (191260) | more than 3 years ago | (#32847504)

Ultimately, it comes down to the key scheduling. If Skype has a better key-scheduling algorithm, it may actually improve security over standard RC4.

I would hope they didn't create a custom key scheduling algorithm. Odds are good that what they created would be worse. It would be much better to use the standard key schedule and discard the first 2 KB of the keystream -- which is what cryptographers suggest when using RC4.

There is no RC4 key! (0)

Anonymous Coward | more than 3 years ago | (#32846536)

Everyone is so concerned with the strength of this algorithm... What does it matter if there is no secret key to break? The whole thing relies only on the secrecy of this algorithm! Just check the Wikipedia article and the Vanilla Skype docs.

I hope Skype doesn't bury these guys under 6 feet of dirt and a deadly law suit and they publish everything else - compression, key management, digital signatures, user authentication, P2P AES-256 encryption... We want more! We want more! We want more!

Does this mean... (1)

LuYu (519260) | more than 3 years ago | (#32846716)

Does this mean we can finally have Skype protocol built into Pidgin? I would love to stop using Skype's crapware.

fu"xcker (-1, Redundant)

Anonymous Coward | more than 3 years ago | (#32847502)

consistent with the us the courtesy dyIng. See? It's eyes on the real OF AMERICA IRC

Skype Will Change As Telecoms Change (1)

pandrijeczko (588093) | more than 3 years ago | (#32848570)

The VoIP world is going the way of open standards with SIP [wikipedia.org] - if Skype don't adapt to embrace SIP, they'll just edge themselves out of the marketplace.

The biggest VoIP business provider Avaya [wikipedia.org] has been moving to SIP for years and, interestingly though maybe not relevant, are owned mostly by the Silver Lake investors, who also own most of Skype.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...