Slashdot Mirror

← Back to Stories (view on slashdot.org)

Skype Protocol Has Been Cracked

Posted by ryuzaki0 on from the rising-in-the-east dept.

nsrCZ writes "The Skype core protocol has been reverse-engineered by a Chinese company. The interesting thing is, that although the protocol is closed, it is not patented and thus it is not against the law to crack it. If it's true, then it could affect the whole eBay/Skype business in many ways, including that they might not get their piece of the emerging Chinese cake." From the article: "By cracking the Skype protocol, the company claims it can also block Skype voice traffic, Paglee said. 'They could literally turn the lights off on Skype in China very, very quickly,' said Paglee, who is also a lawyer and engineer, speaking from California on Friday. The company could transfer the technology to the Chinese government, which has continually sought ways to tighten its filtering and control over the Internet. So far, the company doesn't have any plans to market its blocking capabilities, Paglee said."

10 of 279 comments (clear)

  1. It could indeed. by Rob+T+Firefly · · Score: 5, Funny
    The company could transfer the technology to the Chinese government
    In other news, my front door could be unlocked with my house key, I could inhale the next time I need oxygen, and water could cause things it touches to become wet.
    --
    Slashdot Burying Stories About Slashdot Media Owned
  2. Re:Tapping by Barsema · · Score: 5, Informative

    From TFA :

    The company, however, has not been able to decrypt the phone calls passing through those computers and listen in because of the complicated encryption keys used during calls, Paglee said.

    So I guess not.

  3. Patents != legally uncrackable by Aim+Here · · Score: 5, Informative

    The article submitter seems to be a lot confused regarding the law. There's nothing unlawful about cracking a patented algorithm. It might be unlawful to market a device using the same encryption, in those parts of the unfree (softwarewise) world where software patents are implemented, but that's a different thing.

    Cracking encryption algorithms is generally only unlawful where the encryption is a method of encrypting copyrighted material, AND the country involved has implemented some variant of the DMCA or EUCD. That's the legal machinery that DVD Jon had problems with. The Skype Protocol won't be covered by DMCA-like provisions.

  4. Re:Blocking by Anonymous Coward · · Score: 5, Informative

    Excerpt from http://lists.grok.org.uk/pipermail/full-disclosure /2005-November/038646.html :

    *********

    1) Skype will initially attempt to contact supernodes, the IPs of which
    are in a file stored along with the other files that Skype installs. The
    first method of contact is direct. The source ports that Skype attempts
    to connect from are non-default ports. From my observations I could see
    that the UDP source port 1247 is the initial control channel. Once the
    connection is established, the rest of the communications is done in TCP
    over non-default source ports with ranges sweeping from 2940-3000.
    In general, any company that is serious about its security policy would
    have strict egress filtering rules, which makes identifying the
    non-default source/destination ports that Skype uses irrelevant since
    they would be blocked anyway.

    2) If the above fails, Skype will use the proxy server specified in Internet
    Explorer, and attempt to tunnel the traffic over port 443 using the SSL
    protocol. The destination IPs are of course random as above, which makes
    destination blocking out of the question. The only option left is to
    block SSL,
    which is not really a solution, unless you want to end up excluding all
    legal SSL destinations.
    Deleting the user's proxy settings would also disallow Skype from
    connecting. That would however leave the user without internet access.
    Even if the user had no proxy settings, and the proxying was done
    transparently (which would definitely include proxying http and https
    traffic), the Skype traffic (SSL) would again be transparently proxied,
    which puts us back at square one.

    ********

    The aforementioned link however speaks of a somewhat twisted method of blocking out skype by restricting outbound HTTPS to only the requests adressed by FQDN.

    Perhaps Skype will eventually just use SSL over 443 for the whole of the communication in order to establish connections, which is quite an effective method of bypassing any kind of firewall or filter put in place by a corporation. And the same technique holds true for any other "undesirable" protocol. With VPNs now starting to use SSL over 443 to evade restrictive outbound ACLs, it's getting more difficult to restrict what leaves your network.

  5. Re:Innovation by sholden · · Score: 5, Insightful

    Because the US respected all the British IP in its early days.

  6. Literally by RPoet · · Score: 5, Funny
    They could literally turn the lights off on Skype in China very, very quickly

    No, they could metaphorically turn the lights off on Skype in China very, very quickly.
    --
    "Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
  7. Re:Tapping by Antique+Geekmeister · · Score: 5, Interesting

    I agree with you. Skype, due to its central corporate authentication of the RSA keys for customers, is ripe for law-enforcement mandated man-in-the-middle attacks. Without publising their protocol and any safeguards they've embedded in it, such as a public RSA key repository similar to those used by many GPG users, it's technologically easy for them to authenticate a centralized key upon request for NSA, CIA, FBI, or my aunt-Matilda-if-she-asks-them-nicely tap in the center of any conversation connection.

    For all such transactions, whether they are SSL, SSH, or some proprietary technology like Skype, you have to trust the site that holds the server keys or the people that write the software not to embed backdoors or fake keys to allow tapping. There are even technical reasons to permit such forgery: web-proxies for high-availability banking transactions, for example, may want to have their SSL keys multi-hosted. I've sat in on discussions about exactly that sort of approach and its security consequences.

    Anyone who assumes that Skype conversations is immune from a legal wiretap order or even an unconstitutional Patriot Act order that Skype dare not publish due to the Patriot Act's nature is engaging in wishful thinking. If you want real end-to-end encryption, you have to have personal control of the key exchange. In fact, that's how PGPphone used to work, if you can still lay your hands on a copy of it. It just never got broadly enough deployed, or provided the convenience and computer->cheap telephone call services that Skype provides.

  8. Further Clarification. by pavon · · Score: 5, Informative
    Patenting something does not prevent anyone from reverse engineering it, and in fact they wouldnt need to because the mechanism would be documented in the patent.
    Well no, because you can't patent a protocol. Instead they could patent a core method upon which the protocol is based, and that method would be made public - in non-specific legalese, that would in itself be practically useless for the purpose of implementing the protocol. The details of the protocol itself would still need to be reverse engineered.

    You are absolutely right about reverse engineering not being illegal. In fact even with the DMCA reverse engineering is still entirely legal. The catch with both the DCMA and patents is what you can do with the protocol once it has been reverse-engineered. In the case of patents, the basic priciples have been disclosed, and you are allowed to distribute any additional information that you learn about the implementation, but you are not allowed to implement the protocol without a patent license.

    In the case of the DCMA, you may be* prohibited from disiminating information that you have reverse-engineered, if can be used to circumvent a copyright protection device. I don't think that would apply in this case - what copyrighted work is being protected? The only possibility are the conversations themselves, but this does not allow you to listen in on anothers conversation, it simply allows you to initiate new coversations. Assuming that you are using secure cryptography, revealing the mechanism of the encryption does not weaken the security of the system, only revealing the keys, which in this case are generated per connection, like SSL.

    So unless Skype's security is crap, which I don't believe to be true, the DMCA would not restrict you from publishing the details of the protocol, or third party implementations of it. On the other hand patents could. Therefore, the submitter was correct in bringing them up as a potential barrier, even if his wording was not.

    * The law contradicts itself, and while there have been some precident setting cases, the interpretation is still very much up in the air.
  9. Re:Innovation by Em+Ellel · · Score: 5, Insightful

    Skype should have patented its technology, but it's not like the Chinese respect IP anyway.

    Erm, ok, if they patent it, don't they have to disclose details of it? Kinda defeats the purpose of having a secret closed protocol that Skype wanted. I think there might be a better way to protect IP, via "trade secret" or something like it, but I am no specialist in the area :-)

    -Em

    --
    RelevantElephants: A Somatic WebComic...
  10. Re:Innovation by kfg · · Score: 5, Insightful

    Even if our ancestors were also "wrong". . .

    IF our ancestors were also wrong. . .

    It remains to show they were wrong, and in doing so you necessarily question the legitimacy of the USA's sovereignity. We were signatory to no treaties to "respect" British IP and our ip laws still differ. It took a special act of Congress to partially respect the British copyright of Peter Pan (which is, in effect, in perpetuity, forbidden by the US Constitution).

    If and when China does not respect American ip they are wrong because we are both signatory to the Berne Convention treaty, even if we were both wrong to do so.

    And bearing in mind that the current administration has declared that treaties it has willfully signed are not binding upon it, as that violates American legal sovereignity. Yes, the Supremes have recently bitch slapped them over that, but the current adminstration seems to be gearing itself up to treat that as a legal opinion not actually binding upon it.

    And herein lies the real damage that has been done to America's international standing in the past few years. If we declare null and void international law to which we are signatory on war, torture and due process why the fuck should anyone respectfully decline to copy Pauly Shore movies, no matter how cruel that is?

    KFG