[Clips] Is Skype a haven for criminals?

R. A. Hettinga rah at shipwright.com
Sun Feb 19 19:59:44 PST 2006


--- begin forwarded text


  Delivered-To: clips at philodox.com
  Date: Sun, 19 Feb 2006 22:58:24 -0500
  To: Philodox Clips List <clips at philodox.com>
  From: "R. A. Hettinga" <rah at shipwright.com>
  Subject: [Clips] Is Skype a haven for criminals?
  Reply-To: rah at philodox.com
  Sender: clips-bounces at philodox.com

  <http://arstechnica.com/news.ars/post/20060217-6206.html>



  Is Skype a haven for criminals?

  2/17/2006 1:10:55 PM, by Nate Anderson

  From a law enforcement point of view, digital communication is a two-edged
  sword. On the one hand, it allows for the simple collection, sorting, and
  processing of massive amounts of information (such as in the FBI's
  Carnivore system), but on the other hand, it is much easier for users to
  encrypt their communications with almost unbreakable codes. Now that VoIP
  calls are becoming commonplace, governments around the world are struggling
  to adapt to the new technology, and Skype has found itself under extra
  scrutiny.

  The reason is that Skype uses 256-bit, industry-standard AES encryption
  that is nearly impossible to break without the key. The Skype privacy FAQ
  explains the system this way:

  "Skype uses AES (Advanced Encryption Standard) - also known as Rijndael -
  which is also used by U.S. Government organizations to protect sensitive
  information. Skype uses 256-bit encryption, which has a total of 1.1 x
  10^77 possible keys, in order to actively encrypt the data in each Skype
  call or instant message. Skype uses 1024 bit RSA to negotiate symmetric AES
  keys. User public keys are certified by the Skype server at login using
  1536 or 2048-bit RSA certificates."

  All Skype traffic is automatically encrypted end-to-end without requiring
  any user intervention, and this encryption is posing a problem to
  authorities who need (or want) to listen in on conversations. Skype
  executives state that their software is free of all backdoors, and a
  security researcher who saw some (but not all) of the code agrees. Still,
  the company claims that it "cooperates fully with all lawful requests from
  relevant authorities," which may mean that they turn over keys to
  governments upon request.

  The call can also be tapped once it leaves the Skype system and enters the
  normal telephone network, so calls to a landline are inherently insecure.
  Still, strong AES encryption is enough to defeat real-time surveillance of
  telephone calls of the kind possibly used by the NSA. That doesn't mean
  that nothing can be gleaned from watching the traffic, which can be used to
  identify who the call is routed to and how long it lasts, but it does mean
  the contents of the call remain secure.

  Rather than being a new issue for law enforcement, though, this is actually
  just a new version of an old problem: how to access encrypted data on a
  suspect's computer? Encryption algorithms have been good enough for some
  time to prevent all but the most determined brute force attacks, but there
  are obviously other ways of solving the problem. For the FBI, keyloggers
  are a popular choice; they obviate the need for backdoors or for
  sophisticated computer solutions. They simply steal the password. The same
  (metaphorical) approach may give them access to Skype calls; rather than
  breaking the encryption, they simply grab the key and decrypt the data.

  The FCC ruled last year that VoIP providers need to offer backdoors into
  their systems for wiretapping reasons, but Skype isn't based in the US and
  so is not subject to the rule. It is subject to the EU's new Data Retention
  Directive, though, which may require them to retain call logs and
  decryption keys for a period of time. If so, real-time monitoring of Skype
  calls would still be out, but after-the-fact review of recorded calls from
  people of interest might well be possible for the government.

  --
  -----------------
  R. A. Hettinga <mailto: rah at ibuc.com>
  The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
  44 Farquhar Street, Boston, MA 02131 USA
  "... however it may deserve respect for its usefulness and antiquity,
  [predicting the end of the world] has not been found agreeable to
  experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

--- end forwarded text

