[Clips] Skype Use May Make Eavesdropping Passe
R. A. Hettinga
rah at shipwright.com
Thu Feb 16 14:47:29 PST 2006
--- begin forwarded text
Delivered-To: clips at philodox.com
Date: Thu, 16 Feb 2006 17:46:08 -0500
To: Philodox Clips List <clips at philodox.com>
From: "R. A. Hettinga" <rah at shipwright.com>
Subject: [Clips] Skype Use May Make Eavesdropping Passe
Reply-To: rah at philodox.com
Sender: clips-bounces at philodox.com
<http://sfgate.com/cgi-bin/article.cgi?file=/n/a/2006/02/16/financial/f124235S76.DTL&type=printable>
Skype Use May Make Eavesdropping Passe

- By PETER SVENSSON, AP Technology Writer
Thursday, February 16, 2006

(02-16) 12:42 PST NEW YORK, (AP) --

Even as the U.S. government is embroiled in a debate over the legality of
wiretapping, the fastest-growing technology for Internet calls appears to
have the potential to make eavesdropping a thing of the past.

Skype, the Internet calling service recently acquired by eBay Inc.,
provides free voice calls and instant messaging between users. Unlike other
Internet voice services, Skype calls are encrypted - encoded using complex
mathematical operations. That apparently makes them impossible to snoop on,
though the company leaves the issue somewhat open to question.

Skype is certainly not the first application for encrypted communications
on the Internet. Secure e-mail and instant messaging programs have been
available for years at little or no cost.

But to a large extent, Internet users haven't felt a need for privacy that
outweighed the extra effort needed to use encryption. In particular, e-mail
programs such as Pretty Good Privacy have been considered too cumbersome by
many.

And because such applications have had limited popularity, their mere use
can draw attention. With Skype, however, criminals, terrorists and other
people who really want to keep their communications private are
indistinguishable from those who just want to call their mothers.

"Skype became popular not because it was secure, but because it was easy to
use," said Bruce Schneier, chief technology officer at Counterpane Internet
Security Inc.

Luxembourg-based Skype was founded by the Swedish and Estonian
entrepreneurs who created the Kazaa file-sharing network, which has been
the subject of several court actions by the music industry.

Skype's software for personal computers is distributed for free. Members
pay nothing to talk to each other over PCs but pay fees to connect to
people who are using telephones. Skype software is also being built into
cell-phone-like portable devices that will work within range of wireless
Internet "hot spots."

While still somewhat marginal in the United States, Skype had 75 million
registered users worldwide at the end of 2005. Typically, 3 million to 4
million users are online at the same time.

Skype calls whip around the Internet encrypted with "keys," which
essentially are very long numbers. Skype keys are 256 bits long - twice as
long as the 128-bit keys used to send credit card numbers over the
Internet. The security is much more than doubled - in theory, Skype's
256-bit keys would take trillions of times longer to crack than 128-bit
keys, which are themselves regarded as practically impossible to break by
current means.

"It is a pretty secure form of communication, which if you're talking to
your mistress you really appreciate, but if Al Qaida is talking over Skype
you have probably a different view," said Monty Bannerman, chief executive
of Verso Technologies Inc. His company makes equipment for Internet service
providers, including software that can identify and block Skype calls.

Security experts are not completely convinced that Skype is as secure as it
seems, because the company hasn't made its technology open to review. In
the cryptographic community, opening software blueprints to outsiders who
can point out errors is considered to be the safest way to go. Because of
the complex mathematics involved, a properly designed cryptographic system
can be unbreakable even if its method is known to outsiders.

But according to Schneier, if Skype's encryption is weaker than believed,
it still would stymie the kind of broad eavesdropping that the National
Security Agency is reputed to be performing, in which it scans thousands or
millions of calls at a time for certain phrases. Even a weakly encrypted
call would force an eavesdropper to spend hours of computer time cracking
it.

Kurt Sauer, Skype's chief security officer, said there are no "back doors"
that could let a government bypass the encryption on a call. At the same
time, he said Skype "cooperates fully with all lawful requests from
relevant authorities." He would not give particulars on the type of support
provided.

The U.S. Justice Department did not respond to questions about its views on
Skype's encryption.

Verso's Bannerman notes that Skype calls are decrypted if they enter the
traditional telephone network to communicate with regular phones, so a
conversation could be intercepted there. Skype does not reveal how many of
its calls run on the phone network.

"There are other ways of getting at the conversation than brute-force
decryption of the hacking," Bannerman said.

Schneier believes that eavesdropping on the content of calls is not as
important to the NSA as tracking the calls, which is still possible with
Skype. For instance, if a particular account were associated with a
terrorist or criminal, it would be possible to identify his conversation
partners.

"What you and I are saying is much less important than the fact that you
and I are talking," Schneier says. "Against traffic analysis, encryption is
irrelevant."

Steve Bannerman, vice president of marketing at Narus Inc. (he is unrelated
to Verso's Bannerman), said his company's systems enable wiretapping of
voice calls routed over the Internet, but not those from Skype.

The most that Narus' technology, which is used by telecommunications
carriers, can do is identify what type of Skype traffic - voice call, text
chat or video conference - is being used, and record the scrambled data for
law enforcement officials. From there, he said, "who knows what those guys
can do?"
___
On the Net:
A primer on public-key cryptography:
www.rsasecurity.com/rsalabs/node.asp?id2165
--
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
_______________________________________________
Clips mailing list
Clips at philodox.com
http://www.philodox.com/mailman/listinfo/clips
--- end forwarded text