Re: Can Skype be wiretapped by the authorities? (fwd from em@em.no-ip.com)
----- Forwarded message from Enzo Michelangeli <em@em.no-ip.com> -----
On Sun, 9 May 2004, Eugen Leitl wrote:
Not only that: NATted agents cannot be "called" unless they first register with some reflector on the open Internet. And centralized reflectors are, again, easy to attack, and also expensive to operate, as the bandwidth requirements are substantial (all the traffic flows through them): see e.g. John Walker's analysis of the reasons that led him to abandon SpeakFreely at http://www.fourmilab.ch/speakfree/ .
Thomas Shaddack suggested to leverage on Jabber, but:
1. Jabber uses TCP as transport, and therefore can't be efficiently used as transport for telephony, i.e. using encapsulation of the voice packets in the Jabber protocol in order to traverse NAT devices.
Oh! There is a little misunderstanding here! I proposed using Jabber for the presence/location/directory thing, and for negotiation between the clients about what method to use, if they can do direct peer-to-peer call or have to use a reflector (and what one), what cipher and key to use, etc. - the Jabber protocol is rather unsuitable for VoIP.
2. Jabber is based on a client-server paradigm similar to e-mail. Running a Jabber server requires an always-on machine with its own domain name; and, although dynamic DNS can help, the model again tend to be hierarchical, easy to attack etc. That pretty much rules it out also for session initiation, directory/presence etc.
That's true - but it can be implemented with relative ease, with lots of infrastructure already existing. Next generation of the system then can be built atop this.
The beauty of Skype, encryption aside, is that it's based on an overlay network solely based on P2P servents, relies (if their FAQ tells the truth) upon NO central registry for presence and directory services, and each client that runs non-NATted can transparently act as reflector supporting NATted users. Plus, all this (including, besides voice, text-based instant messaging) works with zero configuration with an idiotproof UI.
But it's closed-source and so can't be fully trusted :(
AES is the American Encryption Standard, formerly known as Rijndael. Does anyone really think the US Government would be so daft as to adopt an algorithm they don't know how to break? On May 9, 2004, at 1:36 PM, Eugen Leitl wrote:
----- Forwarded message from Enzo Michelangeli <em@em.no-ip.com> -----
From: "Enzo Michelangeli" <em@em.no-ip.com> Date: Thu, 29 Apr 2004 20:01:57 +0800 To: <cryptography@metzdowd.com> Cc: "Axel H Horns" <axel.h.horns@gmx.net> Subject: Re: Can Skype be wiretapped by the authorities? X-Mailer: Microsoft Outlook Express 6.00.2800.1409
----- Original Message ----- From: "Axel H Horns" <axel.h.horns@gmx.net> To: <cryptography@metzdowd.com> Sent: Wednesday, April 28, 2004 4:49 AM Subject: Can Skype be wiretapped by the authorities?
Is something known about the details of the crypto protocol within Skype? How reliable is the encryption?
See e.g.
http://www.financialcryptography.com/mt/archives/000076.html
Can Skype be wiretapped by the authorities? With collaboration of the Skype operator? Without?
What do you mean with "operator"? AFAIK, the system is fully peer-to-peer (http://www.skype.com/skype_p2pexplained.html ).
Regarding the crypto, at http://www.skype.com/help_faq.html#Technical they say:
What type of encryption is used?
Skype uses AES (Advanced Encryption Standard) - also known as Rijndel - which is also used by U.S. Government organizations to protect sensitive, information. Skype uses 256-bit encryption, which has a total of 1.1 x 1077 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1536 to 2048 bit RSA to negotiate symmetric AES keys. User public keys are certified by Skype server at login.
OK, so "Rijndael" is misspelled and the RSA-based key exchange does not provide forward secrecy, but apart from that it doesn't smell like snake oil. Not too bad, at least.
BUT, unfortunately, the implementation is closed source, so there are no guarantees that the software is not GAKked. And yes, definitely an opensource (and multiplatform) alternative would be a cool thing to have. A message I posted a while ago to the list p2p-hackers was reposted by Eugene Leitl to cypherpunks (http://www.mail-archive.com/cypherpunks@minder.net/msg81814.html ) but the couple of followups it elicited didn't seem to center the issues I raised. I didn't reply then because I'm not a subscriber of cypherpunks any longer, so I'd like to take this occasion for doing it here now:
Major Variola (ret) commented (indented lines, followed by my comment): [...]
Skype claims to use RSA-based key exchange, which is good for multi-party conferencing but does not preserve forward secrecy. Maybe some variant of ephemeral D-H authenticated by RSA signatures, with transparent renegotiation every time someone joins the conference, could do the job better.
RSA (ie persistant keys) may be an option but MUST NOT be required, for secrecy reasons as mentioned. (At worst RSA keys can be used once, then discarded. Lots of primes out there :-)
Well, I don't see why RSA signatures (only for authentication of the key exchange) could endanger forward secrecy.
Also, this is *voice*, ie biometric auth, so public-key-web-o-trust verislime scam is unnecessary at best.
It's not only voice, it's also IM-style text chat. And even with voice, biometric authentication becomes awkward to use with conference calls.
[...]
One could always implement a brand new network, using Distributed Hash Table algorithms such as Chord or Kademlia,
We don't give a flying fuck as to which shiny new algorithm you use, although were we a graph theory wonk, we might care.
The issue here is that DHT algorithms allow to implement a fully distributed directory, which means one much more resistant to attacks (especially from institutional attackers) than implementations based on centralized servers (see, in a related fild, the different destinies of Napster and its distributed successors such as Overnet or the less efficient Gnutella). Still, a full search takes O(log(n)) steps, making them practical for implementing directory/presence services.
[...]
but it would be much easier to rely from the very beginning upon a large number of nodes (at least for directory and presence functionality, if not for the reflectors which require specific UDP code).
What the NAT world (yawn) needs is free registry services exploitable by any protocol. Those NAT-users with RSA-clue can sign their registry entry.
Not only that: NATted agents cannot be "called" unless they first register with some reflector on the open Internet. And centralized reflectors are, again, easy to attack, and also expensive to operate, as the bandwidth requirements are substantial (all the traffic flows through them): see e.g. John Walker's analysis of the reasons that led him to abandon SpeakFreely at http://www.fourmilab.ch/speakfree/ .
Thomas Shaddack suggested to leverage on Jabber, but:
1. Jabber uses TCP as transport, and therefore can't be efficiently used as transport for telephony, i.e. using encapsulation of the voice packets in the Jabber protocol in order to traverse NAT devices.
2. Jabber is based on a client-server paradigm similar to e-mail. Running a Jabber server requires an always-on machine with its own domain name; and, although dynamic DNS can help, the model again tend to be hierarchical, easy to attack etc. That pretty much rules it out also for session initiation, directory/presence etc.
The beauty of Skype, encryption aside, is that it's based on an overlay network solely based on P2P servents, relies (if their FAQ tells the truth) upon NO central registry for presence and directory services, and each client that runs non-NATted can transparently act as reflector supporting NATted users. Plus, all this (including, besides voice, text-based instant messaging) works with zero configuration with an idiotproof UI.
Enzo
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net
Hasan Diwan {http://ibn.com/~hdiwan} OpenPGP Fingerprint: 275D 0E84 550C D92A 4A56 732C 8528 2579 E6E9 4842 [demime 1.01d removed an attachment of type application/pkcs7-signature which had a name of smime.p7s]
Like it matters. Do you really think that the government would really allow Intel and AMD to sell CPUs that didn't have tiny transmitters in them? Your CPU is actually transmitting every instruction it executes to the satellites. On Mon, May 10, 2004 at 11:14:49AM -0700, Hasan Diwan wrote:
AES is the American Encryption Standard, formerly known as Rijndael. Does anyone really think the US Government would be so daft as to adopt an algorithm they don't know how to break? On May 9, 2004, at 1:36 PM, Eugen Leitl wrote:
----- Forwarded message from Enzo Michelangeli <em@em.no-ip.com> -----
From: "Enzo Michelangeli" <em@em.no-ip.com> Date: Thu, 29 Apr 2004 20:01:57 +0800 To: <cryptography@metzdowd.com> Cc: "Axel H Horns" <axel.h.horns@gmx.net> Subject: Re: Can Skype be wiretapped by the authorities? X-Mailer: Microsoft Outlook Express 6.00.2800.1409
----- Original Message ----- From: "Axel H Horns" <axel.h.horns@gmx.net> To: <cryptography@metzdowd.com> Sent: Wednesday, April 28, 2004 4:49 AM Subject: Can Skype be wiretapped by the authorities?
Is something known about the details of the crypto protocol within Skype? How reliable is the encryption?
See e.g.
http://www.financialcryptography.com/mt/archives/000076.html
Can Skype be wiretapped by the authorities? With collaboration of the Skype operator? Without?
What do you mean with "operator"? AFAIK, the system is fully peer-to-peer (http://www.skype.com/skype_p2pexplained.html ).
Regarding the crypto, at http://www.skype.com/help_faq.html#Technical they say:
What type of encryption is used?
Skype uses AES (Advanced Encryption Standard) - also known as Rijndel - which is also used by U.S. Government organizations to protect sensitive, information. Skype uses 256-bit encryption, which has a total of 1.1 x 1077 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1536 to 2048 bit RSA to negotiate symmetric AES keys. User public keys are certified by Skype server at login.
OK, so "Rijndael" is misspelled and the RSA-based key exchange does not provide forward secrecy, but apart from that it doesn't smell like snake oil. Not too bad, at least.
BUT, unfortunately, the implementation is closed source, so there are no guarantees that the software is not GAKked. And yes, definitely an opensource (and multiplatform) alternative would be a cool thing to have. A message I posted a while ago to the list p2p-hackers was reposted by Eugene Leitl to cypherpunks (http://www.mail-archive.com/cypherpunks@minder.net/msg81814.html ) but the couple of followups it elicited didn't seem to center the issues I raised. I didn't reply then because I'm not a subscriber of cypherpunks any longer, so I'd like to take this occasion for doing it here now:
Major Variola (ret) commented (indented lines, followed by my comment): [...]
Skype claims to use RSA-based key exchange, which is good for multi-party conferencing but does not preserve forward secrecy. Maybe some variant of ephemeral D-H authenticated by RSA signatures, with transparent renegotiation every time someone joins the conference, could do the job better.
RSA (ie persistant keys) may be an option but MUST NOT be required, for secrecy reasons as mentioned. (At worst RSA keys can be used once, then discarded. Lots of primes out there :-)
Well, I don't see why RSA signatures (only for authentication of the key exchange) could endanger forward secrecy.
Also, this is *voice*, ie biometric auth, so public-key-web-o-trust verislime scam is unnecessary at best.
It's not only voice, it's also IM-style text chat. And even with voice, biometric authentication becomes awkward to use with conference calls.
[...]
One could always implement a brand new network, using Distributed Hash Table algorithms such as Chord or Kademlia,
We don't give a flying fuck as to which shiny new algorithm you use, although were we a graph theory wonk, we might care.
The issue here is that DHT algorithms allow to implement a fully distributed directory, which means one much more resistant to attacks (especially from institutional attackers) than implementations based on centralized servers (see, in a related fild, the different destinies of Napster and its distributed successors such as Overnet or the less efficient Gnutella). Still, a full search takes O(log(n)) steps, making them practical for implementing directory/presence services.
[...]
but it would be much easier to rely from the very beginning upon a large number of nodes (at least for directory and presence functionality, if not for the reflectors which require specific UDP code).
What the NAT world (yawn) needs is free registry services exploitable by any protocol. Those NAT-users with RSA-clue can sign their registry entry.
Not only that: NATted agents cannot be "called" unless they first register with some reflector on the open Internet. And centralized reflectors are, again, easy to attack, and also expensive to operate, as the bandwidth requirements are substantial (all the traffic flows through them): see e.g. John Walker's analysis of the reasons that led him to abandon SpeakFreely at http://www.fourmilab.ch/speakfree/ .
Thomas Shaddack suggested to leverage on Jabber, but:
1. Jabber uses TCP as transport, and therefore can't be efficiently used as transport for telephony, i.e. using encapsulation of the voice packets in the Jabber protocol in order to traverse NAT devices.
2. Jabber is based on a client-server paradigm similar to e-mail. Running a Jabber server requires an always-on machine with its own domain name; and, although dynamic DNS can help, the model again tend to be hierarchical, easy to attack etc. That pretty much rules it out also for session initiation, directory/presence etc.
The beauty of Skype, encryption aside, is that it's based on an overlay network solely based on P2P servents, relies (if their FAQ tells the truth) upon NO central registry for presence and directory services, and each client that runs non-NATted can transparently act as reflector supporting NATted users. Plus, all this (including, besides voice, text-based instant messaging) works with zero configuration with an idiotproof UI.
Enzo
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net
Hasan Diwan {http://ibn.com/~hdiwan} OpenPGP Fingerprint: 275D 0E84 550C D92A 4A56 732C 8528 2579 E6E9 4842
[demime 1.01d removed an attachment of type application/pkcs7-signature which had a name of smime.p7s]
On May 10, 2004, at 1:30 PM, Jack Lloyd wrote:
Like it matters. Do you really think that the government would really allow Intel and AMD to sell CPUs that didn't have tiny transmitters in them? Your CPU is actually transmitting every instruction it executes to the satellites.
That's a subtle bit of humor, right? ~brian
Like it matters. Do you really think that the government would really allow Intel and AMD to sell CPUs that didn't have tiny transmitters in
Brian Dunbar wrote: them?
Your CPU is actually transmitting every instruction it executes to the satellites.
That's a subtle bit of humor, right?
Whenever this truth is repeated, first revealed here in 1992 by a person who worked at Intel in its early days when it was desperate for government contracts, it is taken to be humorous. The detailed description of the chip broadcasting technology was once retrievable from the cypherpunks archives but the earliest archives have disappeared, possibly with the intent of erasing information on this very topic. The original anonymous explained that Intel was going to be withdrawn as a public company and do only black work for governments, not only the US. That that is likely to have happened except that a public shell was allowed to continue and succeed as a cover -- early investors were induced to keep this quiet with bountiful payouts, among them former Intel employees. What remains of this story on the Internet is a bowderlized version of the original truth, sometimes commingled with Tempest apochryphia -- Tempest the fountain head of dissimulation about electromagnetic transmitting technology more fancifully described than told the truth about. As a corollary AMD is an illusory chip fabricator, set up and fed by Intel to give the appearance of competition. There are others to delude foreign customers into trusting their homegrown.
John Young (2004-05-11 00:09Z) wrote:
Like it matters. Do you really think that the government would really allow Intel and AMD to sell CPUs that didn't have tiny transmitters in
Brian Dunbar wrote: them?
Your CPU is actually transmitting every instruction it executes to the satellites.
That's a subtle bit of humor, right?
Whenever this truth is repeated, first revealed here in 1992 by a person who worked at Intel in its early days when it was desperate for government contracts, it is taken to be humorous. ... What remains of this story on the Internet is a bowderlized version of the original truth, sometimes commingled with Tempest apochryphia --
Truth like this? ----Forwarded----
From cypherpunks@MHonArc.venona Wed Dec 17 23:17:14 2003 From: tcmay@netcom.com (Timothy C. May) Date: Thu, 18 Feb 93 10:50:25 PST To: cypherpunks@toad.com Subject: Re: Trapdoors Message-ID: <9302181848.AA20187@netcom.netcom.com> MIME-Version: 1.0 Content-Type: text/plain
How do we know the proposed legislation wasn't just a smoke screen? Isn't it possible that the Feds have already compromised Intel or MicroSoft? Is there some way to be sure that the new 486 chip running your computer isn't recording each PGP or RSA private key you generate?
Sandy has discovered the deep dark secret of crypto! I worked for Intel from 1974 to 1986 and can confirm this to be the case. Every crypto key is secretly recorded by Intel microprocessors. Motorola processors do not yet record keys, which I why use a Macintosh. The specific instruction is the so-called "NSA instruction" which John Gilmore identified some time ago. Sun Microsystems was ordered by the NSA to redesign their chips to capture keys, which is why the SPARC processor was introduced. SPARC stands for "Sun Processor Allowing Remote Capture." Once the keys have been captured and stored on the user's hard disk (notice how the drives occasionally turn on a night?), they are forwarded to the NSA and National Surveillance Organization by "screen saver" programs, like "After Dark," which were actually written by the Berkeley Microsystems cut-out operation of the NSO. Real hackers don't use cutesy screen saver programs. This new automated system is much more convenient than the previous system, where the FBI and NSO had to break into homes and offices in order to retrieve the keys the Intel processors had recorded. ----End---- -- "Not your decision to make." "Yes. But it's the right decision, and I made it for my daughter." - Bill, Beatrix; Kill Bill Vol. 2
Like it matters. Do you really think that the government would really allow Intel and AMD to sell CPUs that didn't have tiny transmitters in them? Your CPU is actually transmitting every instruction it executes to the satellites.
That's why you keep your CPU under your tin-foil hat, isn't it? Certainly works for me... Bill Stewart bill.stewart@pobox.com
At 01:40 PM 5/10/04 -0500, Brian Dunbar wrote:
On May 10, 2004, at 1:30 PM, Jack Lloyd wrote:
Like it matters. Do you really think that the government would really allow Intel and AMD to sell CPUs that didn't have tiny transmitters in them? Your CPU is actually transmitting every instruction it executes to the satellites.
That's a subtle bit of humor, right?
Actually, pretty much all unshielded computer hardware effectively has a transmitter in it. Google for "side-channel attacks" "DPA" and "TEMPEST" for more info. That's not a matter of transmitting to the satellites, but it may be a matter of transmitting to the van parked outside your house....
~~brian
--John Kelsey, kelsey.j@ix.netcom.com PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948 4CAA F259
participants (9)
-
Bill Stewart -
Brian Dunbar -
Eugen Leitl -
Hasan Diwan -
Jack Lloyd -
John Kelsey -
John Young -
Justin -
Thomas Shaddack