Can Skype be wiretapped by the authorities? (fwd from em at em.no-ip.com)

Hasan Diwan hdiwan at mac.com
Mon May 10 11:14:49 PDT 2004 

     AES is the American Encryption Standard, formerly known as 
Rijndael. Does anyone really think the US Government would be so daft 
as to adopt an algorithm they don't know how to break?
On May 9, 2004, at 1:36 PM, Eugen Leitl wrote:

> ----- Forwarded message from Enzo Michelangeli <em at em.no-ip.com> -----
>
> From: "Enzo Michelangeli" <em at em.no-ip.com>
> Date: Thu, 29 Apr 2004 20:01:57 +0800
> To: <cryptography at metzdowd.com>
> Cc: "Axel H Horns" <axel.h.horns at gmx.net>
> Subject: Re: Can Skype be wiretapped by the authorities?
> X-Mailer: Microsoft Outlook Express 6.00.2800.1409
>
> ----- Original Message -----
> From: "Axel H Horns" <axel.h.horns at gmx.net>
> To: <cryptography at metzdowd.com>
> Sent: Wednesday, April 28, 2004 4:49 AM
> Subject: Can Skype be wiretapped by the authorities?
>
>
>> Is something known about the details of the crypto protocol within
>> Skype? How reliable is the encryption?
>>
>> See e.g.
>>
>> http://www.financialcryptography.com/mt/archives/000076.html
>>
>> Can Skype be wiretapped by the authorities? With collaboration of the
>> Skype operator? Without?
>
> What do you mean with "operator"? AFAIK, the system is fully 
> peer-to-peer
> (http://www.skype.com/skype_p2pexplained.html ).
>
> Regarding the crypto, at http://www.skype.com/help_faq.html#Technical 
> they
> say:
>
>  What type of encryption is used?
>
>  Skype uses AES (Advanced Encryption Standard) - also known as Rijndel
>  - which is also used by U.S. Government organizations to protect
>  sensitive, information. Skype uses 256-bit encryption, which has a
>  total of 1.1 x 1077 possible keys, in order to actively encrypt the
>  data in each Skype call or instant message. Skype uses 1536 to 2048
>  bit RSA to negotiate symmetric AES keys. User public keys are
>  certified by Skype server at login.
>
> OK, so "Rijndael" is misspelled and the RSA-based key exchange does not
> provide forward secrecy, but apart from that it doesn't smell like 
> snake
> oil. Not too bad, at least.
>
> BUT, unfortunately, the implementation is closed source, so there are 
> no
> guarantees that the software is not GAKked. And yes, definitely an
> opensource (and multiplatform) alternative would be a cool thing to 
> have.
> A message I posted a while ago to the list p2p-hackers was reposted by
> Eugene Leitl to cypherpunks
> (http://www.mail-archive.com/cypherpunks@minder.net/msg81814.html ) but
> the couple of followups it elicited didn't seem to center the issues I
> raised. I didn't reply then because I'm not a subscriber of cypherpunks
> any longer, so I'd like to take this occasion for doing it here now:
>
> Major Variola (ret) commented (indented lines, followed by my comment):
> [...]
>> Skype claims to use RSA-based key exchange, which is good for
>> multi-party conferencing but does not preserve forward secrecy.
>> Maybe some variant of ephemeral D-H authenticated by RSA
>> signatures, with transparent renegotiation every time someone
>> joins the conference, could do the job better.
>
>  RSA (ie persistant keys) may be an option but MUST NOT be
>  required, for secrecy reasons as mentioned.  (At worst RSA keys
>  can be used once, then discarded.  Lots of primes out there :-)
>
> Well, I don't see why RSA signatures (only for authentication of the 
> key
> exchange) could endanger forward secrecy.
>
>  Also, this is *voice*, ie biometric auth,
>  so public-key-web-o-trust verislime scam is
>  unnecessary at best.
>
> It's not only voice, it's also IM-style text chat. And even with voice,
> biometric authentication becomes awkward to use with conference calls.
>
> [...]
>> One could always implement a brand new
>> network, using Distributed Hash Table algorithms such as Chord or
>> Kademlia,
>
>  We don't give a flying fuck as to which shiny new algorithm you use,
>  although were we a graph theory wonk, we might care.
>
> The issue here is that DHT algorithms allow to implement a fully
> distributed directory, which means one much more resistant to attacks
> (especially from institutional attackers) than implementations based on
> centralized servers (see, in a related fild, the different destinies of
> Napster and its distributed successors such as Overnet or the less
> efficient Gnutella). Still, a full search takes O(log(n)) steps, making
> them practical for implementing directory/presence services.
>
> [...]
>> but it would be much easier to rely from the very beginning upon
>> a large number of nodes (at least for directory and presence
>> functionality, if not for the reflectors which require specific
>> UDP code).
>
>  What the NAT world (yawn) needs is free registry services
>  exploitable by any protocol.  Those NAT-users with RSA-clue can
>  sign their registry entry.
>
> Not only that: NATted agents cannot be "called" unless they first 
> register
> with some reflector on the open Internet. And centralized reflectors 
> are,
> again, easy to attack, and also expensive to operate, as the bandwidth
> requirements are substantial (all the traffic flows through them): see
> e.g. John Walker's analysis of the reasons that led him to abandon
> SpeakFreely at http://www.fourmilab.ch/speakfree/ .
>
> Thomas Shaddack suggested to leverage on Jabber, but:
>
> 1. Jabber uses TCP as transport, and therefore can't be efficiently 
> used
> as transport for telephony, i.e. using encapsulation of the voice 
> packets
> in the Jabber protocol in order to traverse NAT devices.
>
> 2. Jabber is based on a client-server paradigm similar to e-mail. 
> Running
> a Jabber server requires an always-on machine with its own domain name;
> and, although dynamic DNS can help, the model again tend to be
> hierarchical, easy to attack etc. That pretty much rules it out also 
> for
> session initiation, directory/presence etc.
>
> The beauty of Skype, encryption aside, is that it's based on an overlay
> network solely based on P2P servents, relies (if their FAQ tells the
> truth) upon NO central registry for presence and directory services, 
> and
> each client that runs non-NATted can transparently act as reflector
> supporting NATted users. Plus, all this (including, besides voice,
> text-based instant messaging) works with zero configuration with an
> idiotproof UI.
>
> Enzo
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to 
> majordomo at metzdowd.com
>
> ----- End forwarded message -----
> -- 
> Eugen* Leitl <a href="http://leitl.org">leitl</a>
> ______________________________________________________________
> ICBM: 48.07078, 11.61144            http://www.leitl.org
> 8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
> http://moleculardevices.org         http://nanomachines.net
>
Hasan Diwan {http://ibn.com/~hdiwan}
OpenPGP Fingerprint: 275D 0E84 550C D92A 4A56  732C 8528 2579 E6E9 4842

[demime 1.01d removed an attachment of type application/pkcs7-signature which had a name of smime.p7s]

More information about the cypherpunks-legacy mailing list