Slashdot Mirror


Skype Security and Privacy Concerns

CDMA_Demo writes "Scott Granneman at Security Focus is discussing the security and privacy issues thanks to eBay's acquisition of Skype. Says the help section on Skype's website: 'Skype uses AES (Advanced Encryption Standard), also known as Rijndael, which is used by U.S. Government organizations to protect sensitive information. Skype uses 256-bit encryption, which has a total of 1.1 x 10^77 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1024 bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates.' Scott Granneman debates that since Skype is owned by eBay and is closed source, we have no way of verifying this claim. Further, from the article: 'At the CyberCrime 2003 conference, Joseph E. Sullivan, Director of Compliance and Law Enforcement Relations for eBay, had this to say to a group of law enforcement officials: 'I know from investigating eBay fraud cases that eBay has probably the most generous policy of any internet company when it comes to sharing information.' This raises interesting questions about how Skype and eBay together will try to avert cyber criminals from using security flaws in either system to their advantage.'"

10 of 128 comments

  1. Good encryption or not.. by lightyear4 · Score: 4, Informative

    Good encryption or not, I'd be more worried about the recent moves of the FCC to allow law enforcement virtual wiretap access. Our freedoms have eroded enough as of late, and it is disconcerting to say the very least. Here is the relevant link from the article and from the EFF

  2. Re:1.1 x 10^77 possible keys by jatemack · Score: 2, Informative
    Actually, here is the breakdown..
    • 128-bit key = 3.4 x 10^38 keys
    • 192-bit key = 6.2 x 10^57 keys
    • 256-bit key = 1.1 x 10^77 keys

    AES-128 has 10^21 more keys than DES-56
    At one DES key recovery per second, AES key recovery would take 149 trillion years.
    --
    // no
  3. Re:Where's the DCMA? by generic-man · Score: 3, Informative

    Dear Asm,

    I can assure that the Dutch Country Music Association is not involved with this acquisition.

    (Perhaps you mean DMCA)

    Sincerely,
    Kimo von Oelhoffen
    President, Dutch Country Music Association

    --
    For more information, click here.
  4. Re:Is there even a coherent thought here? by Anonymous Coward · Score: 2, Informative

    Like Phil Zimmermann's upcoming not yet released zFone?

  5. Re: 1.1 x 10^77 keys? by Anonymous Coward · Score: 1, Informative

    Who uses 1024 bit RSA to secure 256 bit AES? You need about 3000 bit RSA keys for the same equivalent time to break 256 AES. 1024 bit RSA isn't even really considered "very secure" anymore, mostly "sorta secure, for the time being".
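An added example (not from this thread) that puts numbers on the comment's point: it estimates the symmetric-equivalent strength of an RSA modulus from the asymptotic GNFS factoring cost L_N[1/3, (64/9)^(1/3)] with the o(1) term dropped, and searches for the modulus size that reaches a given target. The uncalibrated formula lands a few bits above the NIST SP 800-57 equivalences (1024→80, 2048→112, 3072→128, 7680→192, 15360→256), so read the output as a ballpark, not a standard.

```python
import math


def rsa_security_bits(modulus_bits: int) -> float:
    """Rough symmetric-equivalent strength (in bits) of an n-bit RSA modulus.

    Uses the GNFS asymptotic running time
        L_N[1/3, c] = exp(c * (ln N)^(1/3) * (ln ln N)^(2/3)),  c = (64/9)^(1/3)
    with the o(1) term dropped, and converts the work factor to bits via log2.
    Uncalibrated: it runs a few bits above the NIST SP 800-57 table.
    """
    ln_n = modulus_bits * math.log(2)          # ln N for an n-bit modulus
    c = (64.0 / 9.0) ** (1.0 / 3.0)
    ln_work = c * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)
    return ln_work / math.log(2)               # natural log of work -> bits


def rsa_bits_for_security(target_bits: int) -> int:
    """Smallest modulus size whose GNFS estimate reaches target_bits.

    The estimate is monotonic in the modulus size, so a binary search suffices.
    """
    lo, hi = 256, 1 << 20
    while lo < hi:
        mid = (lo + hi) // 2
        if rsa_security_bits(mid) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    # Sizes from the thread (1024) and the usual NIST ladder, for comparison.
    for n in (1024, 2048, 3072, 7680, 15360):
        print(f"RSA-{n:5d} ~ {rsa_security_bits(n):6.1f} bits of symmetric strength")
    for s in (80, 112, 128, 192, 256):
        print(f"{s:3d}-bit security needs roughly RSA-{rsa_bits_for_security(s)}")
```

With this model RSA-1024 comes out well under 128 bits, and matching AES-256 needs a modulus in the low tens of thousands of bits, far beyond the "about 3000" mentioned above.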

  6. Re:Rub those elbows by Anonymous Coward · Score: 1, Informative

    Joseph E. Sullivan, Director of Compliance and Law Enforcement Relations for eBay, had this to say to a group of law enforcement officials: 'I know from investigating eBay fraud cases that eBay has probably the most generous policy of any internet company when it comes to sharing information.'

    Bull-fucking-shit. The company I work for found a piece of stolen hardware ($20,000+) listed on Ebay that we IDed with a very, very high probability belonged to our company (we had photos, serial numbers, etc). The seller was local to us, and the equipment was in a configuration that our vendor specified was NEVER ordered by any other client in the entire country (easily verified visually from the photos posted by the seller).

    Ebay was of absolutely, 100% no fucking help whatsoever. They wouldn't do shit without a court order, not even for the cops investigating our case (and we didn't have a whole lot of time because the auction was close to ending by the time we found out about it).

    We finally managed to get the gear back through our own internal investigations and with some clever work by our employees, but with no thanks to, and no help from Ebay.

    So I think what they're saying here is that if the Feds ask on the most flimsy of pseudo-evidence, and it involves invading a user's privacy, they'll happily spill everything in a moment's notice.

    If however, you are someone trying to get your stolen goods back, Ebay will do everything possible to prevent you, or the police investigating your case, from getting any information at all.

  7. Why not Diffie-Hellman by grahamsz · Score: 2, Informative

    Seems odd to use RSA to negotiate a private key. Obviously it can be implemented securely that way, but it sounds like someone chasing buzzwords.

    RSA suggests that the client is preprogrammed with the server's public key, and perhaps their key-exchange involves the client making up the key, encrypting it with the server's public key and sending it to the server. In which case a trojan client might easily be made to connect to a man in the middle.

  8. Re:Isn't that the way ... by Darren.Moffat · Score: 2, Informative

    The regulations on export of crypto changed significantly in the last few years. There is now generally no problem exporting AES256 or even Blowfish448 from the US.

    There are also regulations about how much content is of US origin; if there is less than 10%, the regulations can be relaxed. Offshoring doesn't help if the parent company is still a US entity.

    These days the bigger problem with stronger crypto like AES256 is import into some countries rather than export from the US.

  9. Re:Skype also opens up port 80 and 443 by default by moro_666 · Score: 3, Informative

    since when is opening a tcp/ip port a security hole? it's only a hole when your application listening on the port is buggy and hackable, not when the port is opened up lol

    if every open port is a serious security hole for you, you should see a doctor. and by the way, if you want your ports to be closed or otherwise specially handled, get a firewall (a simple iptables setup will do), that's what they are for...

    you can't rely on applications not opening a port, almost every networking application that has to receive data from unknown external hosts (e.g. your chat friends) opens ports. even msn does it ... do you feel hacked now?

    [oops, writing this note just made an outgoing tcp/ip socket from my machine, i'm all hacked & cracked now, damn u!]

    --

    I'd tell you the chances of this story being a dupe, but you wouldn't like it.
  10. They used to pretend it was about Commies by billstewart · Score: 2, Informative
    The US Export Laws that we mostly got rid of in the 90s were originally there to keep Commies from getting critical technology. Didn't matter that the Soviet Empire had already collapsed, or that important cryptographic stuff had been invented and/or rediscovered out in the public world (academic mathematicians, mainly), the FBI kept trying to claim they should be able to prevent the public from using it because that might let Commies get it. The Cypherpunks movement was a major player in getting the laws mostly overturned or scaled back, with people like John Gilmore funding lawsuits against the government and lots of people inventing and publishing critical technology and cracking government-approved technology to show how inadequately weak it was, Phil Zimmermann publishing PGP for free so everybody could use it, university FTP sites in Finland publishing implementations of DES and similar code. Netscape made a major major difference by including crypto in their web browser, and the commercial pressure for credit-card transactions on the Internet made it impossible to herd the cats back into the bag.

    The technology export laws aren't entirely gone - we recently saw them interfering with the Spaceship One crowd trying to work with Virgin Galactic, who are Suspicious Foreigners from Great Britain.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks