Slashdot Mirror


Skype Encryption (Partly) Revealed

TSHTF writes "Just weeks after Skype unveiled a public API for the service, a group of cryptographers led by Sean O'Neill have successfully reverse engineered the encryption used by the Skype protocol. Source code is available under a non-commercial license which details Skype's implementation of the RC4 cipher." The linked article cautions, however, that "initial analysis suggests that O'Neill's publication does not mean that Skype's encryption can be considered 'cracked'. Further study will be needed to determine whether key expansion and initialisation vector generation are secure."

151 comments

  1. So, if I'm reading this right... by Reilaos · · Score: 1, Insightful

    We're on the way to getting 3rd party Skype applications. Neat.

    1. Re:So, if I'm reading this right... by aliquis · · Score: 5, Insightful

      You know what would be neater? Something not based on a proprietary system, and there are plenty. (Though it could be argued whether things like SIP are as good.)

    2. Re:So, if I'm reading this right... by Anonymous Coward · · Score: 1, Interesting

      SIP isn't that great though because there is no encryption. Sure, there is "encryption" like SRTP for SIP but nobody uses it and practically none of the SIP providers support it (quite possibly none support it; I haven't found one at least).

      Plus there is the whole momentum thing, lots of people use Skype because it's dead easy to install and it generally "just works." However, the Skype client sucks donkey balls. It's buggy and difficult to use in a non-GUI environment.

      With that said, I still use VOIP/SIP for my main phone because Skype-IN seriously sucks (when I had it I would guess 50% of calls went to voicemail instead of ringing my phone even though everything was working normally).

    3. Re:So, if I'm reading this right... by Profane+MuthaFucka · · Score: 1

      And they removed the "skype me" button. I loved that feature, and now it's gone.

      --
      Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
    4. Re:So, if I'm reading this right... by MartinSchou · · Score: 1

      Plenty?

      Okay, here's my "benchmark" for a Skype replacement:
      Must be easy to use: My parents both managed to download, install and create new users in the first attempt - without having to read anything other than the on screen instructions.
      Must be translated properly: My parents don't speak nor read English at all. They're Danish, and in case you're wondering, that's a language spoken by fewer people than live in New York City.
      Must work without fail: Again, should be something mom and dad can get up and running, without having to configure anything other than a username and password.
      Must work on other platforms: Shouldn't matter if you're on Windows, OS X or if your kids set up a Linux machine for you. It should still just work.
      Must support text, file transfers, audio and video: Just like Skype.

      So - your claim was that there were plenty of these. Let's see them.

    5. Re:So, if I'm reading this right... by Arancaytar · · Score: 1

      A different Skype implementation would still have to implement this encryption algorithm that is suspected to be weak, in order to be compatible.

      A better idea would be to make a new program with encryption that is actually secure.

    6. Re:So, if I'm reading this right... by LordVader717 · · Score: 3, Informative
    7. Re:So, if I'm reading this right... by MartinSchou · · Score: 1

      One example? I'll take your word on whether or not it's a proper replacement, but one does not a plenty make.

      One only barely covers "some".

    8. Re:So, if I'm reading this right... by LordVader717 · · Score: 1

      Or for a more exhaustive list: http://lmgtfy.com/?q=sip+client+%2Bvideo+%2Bfile+transfer

      I don't see how this is an issue though. You don't have any choice of Skype clients.
      Ekiga is basically a drop-in replacement for Skype. You can also use any compatible software.

  2. Skype still sucks by Anonymous Coward · · Score: 5, Interesting

    It is proprietary, centralized, bloatwared, closed, and bandwidth intensive. Simply fixing one of these is not an improvement on the situation.

    Unless you happen to be one of the unfortunate souls whose boss requires all communication to be on skype, then maybe a non-crashy linux client will be your savior.

    1. Re:Skype still sucks by iPhr0stByt3 · · Score: 1

      Name a decent alternative? I like it for what it CAN do.

    2. Re:Skype still sucks by Anonymous Coward · · Score: 0

      Oovoo... what do I win?

    3. Re:Skype still sucks by Jorl17 · · Score: 3, Interesting

      Usually I used skype to voice-chat. Then I realized that mumble was good outside gaming. Now I use mumble to do everything and have my own little chat app to communicate via text. Skype is dead for me. Mumble is bandwidth-saving in some cases and the quality is so vastly superior. The disadvantage is that of a centralized server, but I manage that just fine by using an available server OR running my local one. Sure, for conferences it might be worse in terms of bandwidth (all data going to the server = me), but for 2-3 people it is great. This isn't good for video, though, but I don't need that anyway, and I've heard of good apps to do so.

      --
      Have you heard about SoylentNews?
    4. Re:Skype still sucks by commodore64_love · · Score: 3, Interesting

      >>>Name a decent alternative?

      I use a calling card which is only 5 cents per minute and will work regardless where I'm at (home, hotel, payphone along the highway). I've looked at Skype and think it's a cool idea, but don't see that it would save me money, or be as convenient.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    5. Re:Skype still sucks by Sir_Lewk · · Score: 1

      And millions of people got along just fine with Windows ME.

      Just because it works for you, and you like it, doesn't mean that it is good.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    6. Re:Skype still sucks by fuzznutz · · Score: 2, Informative

      Pay-phone? Where do you find pay-phones these days? My daughter's brand new high school has no pay-phone anywhere on the premises. In fact, I can't remember the last pay-phone I saw. I work at a University, and there are no pay-phones in any building on campus.

    7. Re:Skype still sucks by Colonel+Korn · · Score: 1

      >>>Name a decent alternative?

      I use a calling card which is only 5 cents per minute and will work regardless where I'm at (home, hotel, payphone along the highway). I've looked at Skype and think it's a cool idea, but don't see that it would save me money, or be as convenient.

      Skype to Skype calls are free, and Skype calls to the United States cost something like $9 for unlimited minutes over 3 months. Skype calls to phones in Europe are around 1-2 cents per minute.

      --
      "I zero-index my hamsters" - Willtor (147206)
    8. Re:Skype still sucks by Anonymous Coward · · Score: 1, Insightful

      It is proprietary, centralized, bloatwared, closed, and bandwidth intensive. Simply fixing one of these is not an improvement on the situation.

      I like FOSS as much as the next guy but making things open source does not magically eliminate any of these problems. I've seen plenty of FOSS code that suffers from being centralized, bloatwared and bandwidth intensive plus being insecure, badly designed, counterintuitive to use, .... , the list goes on. Bad coders are bad coders no matter where they work.

      ...then maybe a non-crashy linux client will be your savior.

      Hallelujah!!!

    9. Re:Skype still sucks by caseih · · Score: 4, Informative

      For me Gizmo5 and sipgate.com provide all the VoIP services I used to use skype for. In fact when I combine Google Voice with either Gizmo5 or sipgate.com, and a Linksys 3102 SPA box, I can not only replace skype, but replace my land line as well. I also do most voice communication at home, so I ditched my cell plan and got a T-mobile prepaid plan. Now if I receive a call via GV on my cell phone, the moment I walk in the door I can transfer it to VoIP.

      If I had an asterisk box set up, I could probably do GV-connected outbound calling automagically from my land phone. At the moment I place most calls via the web interface.

      I know Skype can do IM and video chat, but frankly I never needed that. So yes, SIP is a good alternative. And ekiga can do both SIP and video chatting using open protocols. Works quite great, despite SIP's retardedness.

    10. Re:Skype still sucks by xiando · · Score: 1

      Name a decent alternative?

      There is a standard called SIP for Internet voicecalls and a vast number of softphone programs, and hardphones, which support it. Call me using Twinkle, Linphone, Ekiga or whatever softphone you want, they all support SIP like my wireless Siemens SIP phone and they all make my phone ring when you dial it.

    11. Re:Skype still sucks by Anonymous Coward · · Score: 0

      No linux client. Nothing.

    12. Re:Skype still sucks by westlake · · Score: 2, Informative

      It is proprietary, centralized, bloatwared, closed, and bandwidth intensive.
      maybe a non-crashy linux client will be your savior.

      There are about 500 million Skype accounts.

      40 million or so people using the service on any given day. Skype

      You don't "dial out" to stress-test the technology - you dial out in the hope that someone will be there to answer your call.

    13. Re:Skype still sucks by Anonymous Coward · · Score: 0

      SIP. Choose the provider you want (there is a lot of them). I use sipnet.ru (Russian) which even allows free calls to skype.

    14. Re:Skype still sucks by Jorkapp · · Score: 1

      Tell that to all the Apple fan-boys out there.

      --
      Frink: Nice try floyd, but you were designed for scrubbing, and scrubbing is what you shall do.
    15. Re:Skype still sucks by commodore64_love · · Score: 1

      Turnpike rest stop.
      Gas station.
      McDonalds.

      Or if they don't have one, I use my cellphone but it costs 20 cents a minute so I generally try to use my 5 cent calling card instead. Anyway still don't see the reason to switch to Skype net calling.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    16. Re:Skype still sucks by Anaerin · · Score: 1

      Did they drop their plans to charge for video calling, then? And where's the linux client? Or the OSX one? Or the handheld Wi-Fi Oovoo devices?

    17. Re:Skype still sucks by Pentium100 · · Score: 1

      Does it support text chat? I use Skype mainly for text chat, but sometimes I also call and use it as voice chat for games (not having the voice chat app and the game on the same computer is helpful).

    18. Re:Skype still sucks by Profane+MuthaFucka · · Score: 1

      La Guardia still has a huge bank of pay phones in the American terminal. I've never seen anybody use them this century.

      --
      Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
    19. Re:Skype still sucks by johanw · · Score: 1

      But it has one main advantage over all other clients: decent encryption. When governments start complaining they can't decrypt the calls, like the Indian did, you know you're on the right track.

    20. Re:Skype still sucks by Random+Destruction · · Score: 1

      you're an idiot.

      --
      :x
    21. Re:Skype still sucks by Anonymous Coward · · Score: 0

      You can get those SPA's to work? Shit, you must be pro!

      I've worked at a couple of organizations where they rolled out those SPA's on a relatively large scale, and we couldn't get them to be stable and consistent.

      I wouldn't touch that shit for mission critical stuff.

    22. Re:Skype still sucks by Anonymous Coward · · Score: 0

      "maybe a non-crashy linux client will be your savior"

      It'll have to be command-line Skype then, because we're sadly still waiting for someone to develop a single linux gui app that has popular appeal or at least doesn't suck royal balls.

    23. Re:Skype still sucks by arivanov · · Score: 1

      Add to that - its "state of the art cryptography" is highly questionable. RC4 is a prehistoric algo.

      While it is not a bad algo per se it is extremely easy to f*** up at the implementation level. WiFi is one example of such a royal cockup. There are others.

      I would not trust a proprietary system that has not been open to scrutiny to implement RC4 based crypto correctly.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    24. Re:Skype still sucks by sglines · · Score: 1

      For me Gizmo5 and sipgate.com provide all the VoIP services I used to use skype for. In fact when I combine Google Voice with either Gizmo5 or sipgate.com, and a Linksys 3102 SPA box, I can not only replace skype, but replace my land line as well. I also do most voice communication at home, so I ditched my cell plan and got a T-mobile prepaid plan. Now if I receive a call via GV on my cell phone, the moment I walk in the door I can transfer it to VoIP.

      If I had an asterisk box set up, I could probably do GV-connected outbound calling automagically from my land phone. At the moment I place most calls via the web interface.

      I know Skype can do IM and video chat, but frankly I never needed that. So yes, SIP is a good alternative. And ekiga can do both SIP and video chatting using open protocols. Works quite great, despite SIP's retardedness.

      ... and sipgate.com has run out of numbers for North America so everyone is SOL.

    25. Re:Skype still sucks by Anonymous Coward · · Score: 0

      There are about 500 million Skype accounts.

      So, less popular than Windows ME?

    26. Re:Skype still sucks by FireFury03 · · Score: 1

      You can get those SPA's to work? Shit, you must be pro!

      I've worked at a couple of organizations where they rolled out those SPA's on a relatively large scale, and we couldn't get them to be stable and consistent.

      I wouldn't touch that shit for mission critical stuff.

      Never had a problem with the SPA3102. Seems rock solid, although it does occasionally suffer minor echo but I think that's caused by some odd impedance on my POTS line.

      _However_ I'm not entirely sure why you would use them on a "large scale" - they are perfect for home use or for a small office with a single phone line, but for largish scale stuff you'd be using ISDN on the PSTN side (SS7 or SIGTRAN for even larger stuff) and on the internal side you may as well chuck out your POTS phones and get SIP ones, given the comparative costs of ATAs and SIP phones.

      As an example of small office use: myself and my business partner both work from our respective homes. We have a central Callweaver server and each have an SPA3102 on our POTS lines. Incoming calls on the POTS lines go to our respective phones (both an analogue handset connected to the SPA for emergency use and also SIP phones), outgoing PSTN calls go either via POTS or a commercial SIP-PSTN gateway, depending on the destination. Calls between us go purely over SIP. Customers call a DID which rings both our offices. Calls can be freely transferred between extensions across the whole system, even though the offices are geographically separate.

      There are a few SIP devices that I consider woefully unstable (the UTStarcom F1000G 802.11g phone is the most notably crap device I think), but the SPA3102 isn't one of them.

    27. Re:Skype still sucks by FireFury03 · · Score: 1

      Does it support text chat? I use Skype mainly for text chat, but sometimes I also call and use it as voice chat for games (not having the voice chat app and the game on the same computer is helpful).

      SIP does support text chat (although I don't think it is widely supported by the VoIP servers), but what's wrong with XMPP for text chat anyway?

    28. Re:Skype still sucks by commodore64_love · · Score: 1

      Yeah well, not completely free. If I trashed the calling card and used my PC to call home to mom or long-distance friends, it would still cost 2.4 cents (they have landline phones). I would save some money but only about $10 a month, and I'd lose the convenience of the calling card which works even when I'm not in front of my computer.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    29. Re:Skype still sucks by FireFury03 · · Score: 1

      But it has one main advantage over all other clients: decent encryption. When governments start complaining they can't decrypt the calls, like the Indian did, you know you're on the right track.

      Didn't the Chinese government end up arresting rather a lot of people based on the contents of supposedly encrypted instant messages that had been supplied to them by Skype?

    30. Re:Skype still sucks by Pentium100 · · Score: 1

      The need to have multiple programs for basically the same function. Skype can do text chat, file transfer (not great, but still), voice calls, video calls. You can also find new contacts by their username or email.

      If you need 3 different programs to achieve that then it is likely that you and your friends will start using different, possibly incompatible programs, which will end up with people installing multiple programs because various people will use different programs.

      I now use Google Talk and Skype because some of my contacts prefer one or the other. It would suck if I needed to use 3 different types of programs (1 for chat, 1 for file transfers and 1 for voice) but my contacts chose different incompatible programs (as it is now with Skype and GTalk).

      There is also the issue of convincing my contacts to move to another program (and in turn convince their contacts to do the same) especially if Skype and Google Talk are "good enough". That's the difference between these programs and some other software like an office suite or internet browser. Opera, Firefox and OpenOffice (with .doc support) are just as useful even if I am the only one of my acquaintances using them. SkypeReplacement1 - not so much.

    31. Re:Skype still sucks by FireFury03 · · Score: 1

      I now use Google Talk and Skype because some of my contacts prefer one or the other. It would suck if I needed to use 3 different types of programs (1 for chat, 1 for file transfers and 1 for voice) but my contacts chose different incompatible programs (as it is now with Skype and GTalk).

      Generally there is little problem transparently gatewaying between open protocols such as XMPP (which is used by Google Talk, and many other IM services). The reason you are having to use 2 incompatible programs is because Skype is proprietary.

    32. Re:Skype still sucks by TheRaven64 · · Score: 1

      Skype charges 1.4p (including VAT) to call a UK landline, my SIP provider (sipgate) charges 1.19p/minute. Because SIP is an open standard, I can use the SIP client built into my mobile phone (Nokia N80 - cheapest phone I could find that supported WiFi) or run one on my computer, irrespective of the OS it is running. The one on my phone integrates with the built-in address book, so I can call over SIP/WiFi when I am in range of an access point or via the mobile network when I am not, via exactly the same interface.

      Sipgate is more expensive than Skype for calls to the US (not surprising, they're not based in the USA), but last time I looked it took ten minutes to find two providers that were cheaper and, because SIP is an open standard, there is competition and I can switch to using a different one trivially if there is a cheaper one.

      Sipgate give me a free number for incoming calls (I can have either a geographic number or an 0845 - lowest rate nongeographical - number), while Skype charges a monthly fee.

      Calls to other SIP users are free, but I'd probably rather use XMPP / Jingle than SIP if I didn't need POTS bridging.

      --
      I am TheRaven on Soylent News
    33. Re:Skype still sucks by TheRaven64 · · Score: 1

      If you don't need POTS bridging, XMPP is a better solution. Google Talk is an implementation of XMPP but, like email, the protocol is federated so you can run your own server (or use someone else's) and talk to any other XMPP users. Jingle is a standard extension to XMPP, which provides support for voice and video calling. There are some Jingle to POTS bridges, but I've not ever tried using one.

      --
      I am TheRaven on Soylent News
    34. Re:Skype still sucks by Anonymous Coward · · Score: 0

      You do realize that this doesn't expose their content, right? They used RC4 for their traffic management, not the content, which uses AES. For something so "easy" it's apparently taken years for anyone to get this far so really that's not so bad.

  3. C&D by pak9rabid · · Score: 2, Insightful

    Queue the cease and desist in 3...2...1...

    1. Re:C&D by Anonymous Coward · · Score: 0

      A C&D for a clean-room reversed engineering of a publicly-available algorithm? Methinks not.

    2. Re:C&D by Imagix · · Score: 1

      Egad.... yet another person who doesn't know the difference between a line-up and a signal. _Cue_ the C&D in 3... 2... 1...

    3. Re:C&D by Anonymous Coward · · Score: 0

      Egad.... yet another person who doesn't know the difference between a line-up and a signal.

      _Cue_ the C&D in 3... 2... 1...

      Queue all of the people correcting his mistake in 3...2...1... Preferably after lmagix.

      (cue works there too, fwiw)

      I could care less about a simple mistake.

      And so I will.

    4. Re:C&D by omnichad · · Score: 1

      If you're going to queue them, go in order: 1. There's only one cease and desist coming, right? If you're counting down, you're probably cueing.

    5. Re:C&D by doogledog · · Score: 1

      What about that whooshing sound... how much do you care about that?

    6. Re:C&D by Anonymous Coward · · Score: 0

      Good job, you're retarded.

  4. US Government likely already broke it by Anonymous Coward · · Score: 1, Interesting

    This just goes to show the US Govt. already likely has these streams pwnd.

    1. Re:US Government likely already broke it by SheeEttin · · Score: 1

      Pwnd? I don't doubt they have their own backdoor: https://secure.wikimedia.org/wikipedia/en/wiki/Skype#Privacy

  5. Reverse Engineered by Anonymous Coward · · Score: 0

    Isn't reverse engineering such as this a clear violation of the DMCA?

    1. Re:Reverse Engineered by omnichad · · Score: 1

      If the person who did it was American, or if an American uses the code then sure.

    2. Re:Reverse Engineered by omnichad · · Score: 2, Insightful

      Oh, this could be used for interoperability - something explicitly allowed under DMCA. It's just like reverse engineering Word's .doc format.

    3. Re:Reverse Engineered by cgenman · · Score: 1

      The DMCA only covers copyrighted content protection, not things like garage door openers.

      You could argue that the contents of the communication are a copyrighted performance created by the two participants, but it probably wouldn't hold much weight in court.

    4. Re:Reverse Engineered by AHuxley · · Score: 1

      Yes, make a free app from the clean room effort fine, start a mapping of skype phones in use and keeping data, bad.

      --
      Domestic spying is now "Benign Information Gathering"
  6. Well by Irick · · Score: 2, Interesting

    Hopefully this means we will see some more 3rd party clients, and maybe some Jabber integration.

  7. sooo... by igadget78 · · Score: 1

    Interesting that they use multiple encryption algorithms for their communication. Simple yet apparently effective.

    1. Re:sooo... by Sir_Lewk · · Score: 1

      As I'm reading TFA, it seems to me it's just a modified version of RC4. Hardly terribly interesting or new.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    2. Re:sooo... by ducomputergeek · · Score: 1

      but nothing beats my 10xROT13 cipher! It's encrypted 10 times!. 10 times I tell ya! Try and beat that Citizen Protector....or whatever the NSA is calling it these days...

      --
      "The problem with socialism is eventually you run out of other people's money" - Thatcher.
    3. Re:sooo... by Fumbili · · Score: 1

      but nothing beats my 10xROT13 cipher! It's encrypted 10 times!. 10 times I tell ya! Try and beat that Citizen Protector....or whatever the NSA is calling it these days...

      Mine goes to 11

    4. Re:sooo... by cynyr · · Score: 1

      hey, i think i'll have to move up to that from my usual quadROT13 cipher...

      --
      All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
    5. Re:sooo... by Anonymous Coward · · Score: 0

      you amateurs and your rot13. use rot26 like us real pros.

    6. Re:sooo... by infolation · · Score: 1

      but nothing beats my 10xROT13 cipher!

      Except my 11xROT13 cipher.

      It's, like, one louder.

  8. Wasn't this done years ago? by Wesley+Felter · · Score: 5, Interesting

    On the Wikipedia page http://en.wikipedia.org/wiki/Skype_protocol I see presentations from 2004 and 2006 about reversing Skype, including its encryption. What's new here compared to the previous work?

    1. Re:Wasn't this done years ago? by AnonymousClown · · Score: 1

      On the Wikipedia page http://en.wikipedia.org/wiki/Skype_protocol I see presentations from 2004 and 2006 about reversing Skype, including its encryption. What's new here compared to the previous work?

      Nothing. The references in your links were for academic and industry consumption. The Register article was for public consumption.

      That's about the only thing I can figure.

      --
      RIP America

      July 4, 1776 - September 11, 2001

    2. Re:Wasn't this done years ago? by girlintraining · · Score: 2, Funny

      What's new here compared to the previous work?

      The date.

      --
      #fuckbeta #iamslashdot #dicemustdie
    3. Re:Wasn't this done years ago? by Threni · · Score: 1

      At least this time the Register isn't falling for another obviously fake 'story'.

    4. Re:Wasn't this done years ago? by blair1q · · Score: 1

      You mean this time someone's making money on every click, and is probably crapping their piggy-bank upon getting the article submitted to slashdot...

    5. Re:Wasn't this done years ago? by Profane+MuthaFucka · · Score: 0, Flamebait

      Let me get this straight. Presumably you've known a few journalism students in your lifetime. Probably you've even talked to them too. Most likely you realized what fucking idiots they all are, being incurious types more likely to have a crush on a bartender than a serious engineering student.

      Why are you expecting that a journalist might produce something that you, a person likely of normal or higher intelligence, would find useful?

      --
      Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
    6. Re:Wasn't this done years ago? by Anonymous Coward · · Score: 0

      In Soviet Russia, BARTENDER has crush on YOU!

  9. implications? by Eil · · Score: 3, Insightful

    None of this harms Skype's existing security in any way. Encryption, if properly implemented, is secure even when all of the mechanisms are known. This is why you can have software like GPG and the zillion open source AES implementations and still use them to reliably protect data from interception.

    What would weaken Skype's security is if someone found a shortcut (by way of a bug or design flaw) to decrypting the data without knowledge of the keys being used. According to TFA, this is what O'Neill is working on now.

    That said, the source material that O'Neill provided mentions only symmetric ciphers, which means that the keys might be buried in the Skype binaries somewhere. If that's the case, then finding those would break Skype's encryption wide open. But I rather doubt that will happen. We're only seeing part of the story here and I'd bet dollars to donuts that they're using one or more asymmetric ciphers somewhere to transmit keys for the symmetric ciphers.

    1. Re:implications? by Anonymous Coward · · Score: 0

      Can't they just derive the symmetric keys from the user's password?

    2. Re:implications? by 0123456 · · Score: 5, Informative

      None of this harms Skype's existing security in any way. Encryption, if properly implemented, is secure even when all of the mechanisms are known

      ROT13 isn't secure when it's known.

      Like ROT13, RC4 is an antiquated cipher with many known issues; and a modified version of RC4 could be even less secure than the vanilla implementation. No-one should be using it these days when there are much better alternatives available.

    3. Re:implications? by Caledfwlch · · Score: 2, Interesting

      There is a positive implication.... it may count partly towards the transparency that the Indian security agencies want ;-)

      --
      These views express my own personal opinions, not those of the other voices in my head
    4. Re:implications? by Sloppy · · Score: 2, Informative

      None of this harms Skype's existing security in any way

      That depends on what you mean by "security." If "security" means having a monopoly on sales of an implementation of a popular protocol... ;-)

      We're only seeing part of the story here and I'd bet dollars to donuts that they're using one or more asymmetric ciphers somewhere to transmit keys for the symmetric ciphers.

      The big question about Skype has always been: how are they using the asymmetric stuff? How does each client know whose public key it's using?

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    5. Re:implications? by Wesley+Felter · · Score: 2, Insightful

      It's not about security; revealing the protocol hurts Skype's lock-in. For example, the Skype-Asterisk gateway is $66 per channel; imagine if someone created an open source version.

    6. Re:implications? by Anonymous Coward · · Score: 0

      There is no key. That's the point. It's an IV expansion algorithm. The 32-bit IV is transmitted in clear in the header of the packet. It's an obfuscation layer that relies merely on no one knowing this algorithm. The implications of this publication are quite serious. Vanilla Skype team did not publish this algorithm. There is no key to break to decrypt the traffic.
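
An added illustration (not part of the thread, and not Skype's or O'Neill's code) of the design the comment above describes, and of the RC4 implementation pitfall raised earlier in the thread: when the RC4 key is derived only from a 32-bit IV carried in clear, anyone who knows the expansion routine can decode the packet, and even with a real secret, reusing an IV leaks the XOR of two plaintexts. `expand_iv`, `keyed_expand`, the 4-byte header layout and all sample values are assumptions made for this sketch; the SHA-256 expansion is a stand-in, not the published algorithm.

```python
import hashlib
import hmac
import struct


def rc4_xor(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling (KSA), then XOR data with the keystream (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def expand_iv(iv: int) -> bytes:
    """HYPOTHETICAL public expansion: the RC4 key depends on the IV and nothing else."""
    return hashlib.sha256(b"constructed-expansion" + struct.pack(">I", iv)).digest()


def keyed_expand(secret: bytes, iv: int) -> bytes:
    """Same idea, but mixing in a secret the observer does not hold.
    Still RC4; used only to isolate the effect of a key, not as a recommendation."""
    return hmac.new(secret, struct.pack(">I", iv), hashlib.sha256).digest()


def make_packet(iv: int, payload: bytes, rc4_key: bytes) -> bytes:
    """Assumed layout: 4-byte big-endian IV in clear, then the RC4-masked payload."""
    return struct.pack(">I", iv) + rc4_xor(rc4_key, payload)


def observer_decode(packet: bytes) -> bytes:
    """A passive observer who knows only the algorithm and reads the IV off the wire."""
    (iv,) = struct.unpack(">I", packet[:4])
    return rc4_xor(expand_iv(iv), packet[4:])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def demo() -> dict:
    # All values below are constructed sample data.
    msg1 = b"constructed payload one"
    msg2 = b"constructed payload two"
    secret = b"constructed-session-secret"
    iv = 0x1234ABCD

    unkeyed = make_packet(iv, msg1, expand_iv(iv))
    keyed = make_packet(iv, msg1, keyed_expand(secret, iv))
    keyed_reused_iv = make_packet(iv, msg2, keyed_expand(secret, iv))

    return {
        # No secret involved: knowing the algorithm is enough to read the payload.
        "unkeyed_recovered": observer_decode(unkeyed) == msg1,
        # With a secret in the key derivation the same observer gets garbage.
        "keyed_recovered": observer_decode(keyed) == msg1,
        # Same key and IV twice: ciphertext XOR equals plaintext XOR (the WEP-style mistake).
        "reuse_leaks_xor": xor_bytes(keyed[4:], keyed_reused_iv[4:]) == xor_bytes(msg1, msg2),
    }


if __name__ == "__main__":
    print(demo())
```
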

    7. Re:implications? by swillden · · Score: 2, Informative

      None of this harms Skype's existing security in any way. Encryption, if properly implemented, is secure even when all of the mechanisms are known

      ROT13 isn't secure when it's known.

      ROT13 isn't encryption. It's a trivial unkeyed encoding.

      Like ROT13, RC4 is an antiquated cipher with many known issues; and a modified version of RC4 could be even less secure than the vanilla implementation. No-one should be using it these days when there are much better alternatives available.

      RC4 is also a widely-known and deeply-studied cipher. It has some known weaknesses, but workarounds for those weaknesses are also known. It's also very efficient and a stream cipher is the right kind of cipher for this application. I agree that there are better alternatives, but unless they mucked up the implementation, there's every reason to believe that Skype's encryption is secure.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    8. Re:implications? by BitZtream · · Score: 1

      ROT13 is an acceptable form of encryption even when everyone knows what it is, assuming that the third party that isn't supposed to see it can't see it before it's useless.

      No encryption is perfect. All are 'breakable' in the loosest sense of the word. The question is can you decrypt the data before it is of no value to decrypt it.

      Considering 99.9999999999999999999999999% of the traffic sent using the Skype protocol has no value to anyone other than the parties involved anyway, then the strength of the encryption doesn't probably have to be that high in order to make it high enough to be safe from a practical perspective.

      It's probably easier to just bug your house than to deal with the encryption. Mission accomplished.

      If it turns out that a moderately fast computer or small cluster can break and decrypt in real time from the output of tcpdump, that would be bad. If I can throw a bunch of EC2 hosts at someone's conversation and decrypt it for a reasonable price ... now we have a serious problem.

      Actually, I think I just came up with a business plan ...

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    9. Re:implications? by nullchar · · Score: 1

      unless they mucked up the implementation, there's every reason to believe that Skype's encryption is secure.

      Perhaps secure from a random researcher, but not secure from a dissident's point of view. If the encryption is not end-to-end (with client-managed PKs), then it is useless, even if it's strong and secure.

      The problem is, no one knows if the link is only encrypted between the clients and the server, or only encrypted between the clients. We also don't know if each client maintains its own private asymmetric key or if the server is the only private key holder.

    10. Re:implications? by johanw · · Score: 1

      The already mentioned Wikipedia article (https://secure.wikimedia.org/wikipedia/en/wiki/Skype) mentions the use of RSA but is not sure. Why are you so sure they don't use asymmetric crypto?

    11. Re:implications? by swillden · · Score: 2, Insightful

      Yes, achieving end-to-end secrecy requires much more than just using a secure encryption algorithm correctly. I was only addressing the cipher.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    12. Re:implications? by Anonymous Coward · · Score: 0

      There is no evidence that this is how Skype derives symmetric keys.

    13. Re:implications? by Anonymous Coward · · Score: 0

      ROT13 is like piglatin, Itay Ureshay Orksway Otay Eepkay Onnay Englishay Eakingspay Eoplepay Outay Ofay Ethay Onversationcay.

      If all you need is to keep text communication secure for 30 seconds while the paper is in transit between desks, it's fine.

      For anything professional, yes of course use something more secure.

    14. Re:implications? by Anonymous Coward · · Score: 0

      Yeah actually we do know because Skype doesn't send ALL of its communications through a central server. In fact Skype will occasionally talk directly client to client. Skype also doesn't use its RC4 stuff for content crypto - it uses AES. RC4 is used for traffic management not content. Exposing this mechanism doesn't affect the security of the content - I've yet to see anyone attack that effectively.

  10. Skype may have better security than you think by DigitAl56K · · Score: 2, Interesting

    Cryptome hosts this 2007 document:

    http://cryptome.org/isp-spy/skype-spy.pdf

    * Skype can provide records showing account creation, financial transaction and use of PSTN interconnections
    * Due to the way by which Skype works, Skype does NOT have any records of user “logins”, “log offs” or other general online/offline status
    * The Skype system is designed in such a way that voicemail is not centrally stored
    * Calls, IMs and other activities between Skype users do not create billing records

    Everything there implies that if you want your communications to be private with respect to what can be provided in response to a subpoena then Skype isn't a bad platform. As to what can be intercepted obviously that is not covered because it's not relevant to that document.

  11. The key scheduling is what's important by bk2204 · · Score: 5, Informative

    The actual RC4 cipher has bad key scheduling issues. Because the initialization step doesn't mix the key bytes well enough into the S-box, the first bytes of the keystream (which is XOR'd with the plaintext to produce the ciphertext) leak lots of data about the key. This is a major problem with WEP (there are, of course, others). Cryptographers recommend discarding the beginning of the keystream because of this weakness. Nevertheless, RC4 is popular because it is byte-oriented and fast. Even 8-bit machines can implement it trivially.

    Ultimately, it comes down to the key scheduling. If Skype has a better key-scheduling algorithm, it may actually improve security over standard RC4.

    1. Re:The key scheduling is what's important by FormOfActionBanana · · Score: 1

      Interesting... but I wouldn't bet my whole paycheck that the Skype guys, rolling their own encryption, from a weak (RC4) starting point, just stumbled upon something better than the good modern crypto hashes available.

      --
      Take off every 'sig' !!
    2. Re:The key scheduling is what's important by swillden · · Score: 4, Insightful

      Ultimately, it comes down to the key scheduling. If Skype has a better key-scheduling algorithm, it may actually improve security over standard RC4.

      I would hope they didn't create a custom key scheduling algorithm. Odds are good that what they created would be worse. It would be much better to use the standard key schedule and discard the first 2 KB of the keystream -- which is what cryptographers suggest when using RC4.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
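The keystream leak bk2204 describes and the discard-the-start workaround swillden cites, as an added example that is not part of the thread or of the published Skype source. It uses textbook RC4 (not Skype's modified variant) and measures two published biases, Roos's weak-key correlation and the Mantin-Shamir second-byte bias, with and without dropping the first 2048 keystream bytes; the function names and the fixed-seed constructed test keys are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Textbook RC4 state (standard cipher, not Skype's modified variant). */
typedef struct { uint8_t S[256]; uint8_t i, j; } rc4_t;

static void swap_bytes(uint8_t *a, uint8_t *b) { uint8_t t = *a; *a = *b; *b = t; }

/* Key-scheduling algorithm (KSA): a single pass mixing the key into S. */
static void rc4_init(rc4_t *c, const uint8_t *key, size_t keylen) {
    uint8_t j = 0;
    for (unsigned n = 0; n < 256; n++) c->S[n] = (uint8_t)n;
    for (unsigned n = 0; n < 256; n++) {
        j = (uint8_t)(j + c->S[n] + key[n % keylen]);
        swap_bytes(&c->S[n], &c->S[j]);
    }
    c->i = c->j = 0;
}

/* Output generation (PRGA): returns the next keystream byte. */
static uint8_t rc4_byte(rc4_t *c) {
    c->i = (uint8_t)(c->i + 1);
    c->j = (uint8_t)(c->j + c->S[c->i]);
    swap_bytes(&c->S[c->i], &c->S[c->j]);
    return c->S[(uint8_t)(c->S[c->i] + c->S[c->j])];
}

/* RC4-drop[n]: key the cipher, then discard the first n keystream bytes. */
static void rc4_init_drop(rc4_t *c, const uint8_t *key, size_t keylen, unsigned drop) {
    rc4_init(c, key, keylen);
    while (drop--) (void)rc4_byte(c);
}

/* Fixed-seed splitmix64: NOT a secure generator; it only makes the
 * constructed 16-byte test keys reproducible. */
static uint64_t prng_state;
static uint64_t prng_next(void) {
    uint64_t z = (prng_state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}
static void random_key(uint8_t key[16]) {
    for (unsigned n = 0; n < 16; n += 8) {
        uint64_t r = prng_next();
        for (unsigned b = 0; b < 8; b++) key[n + b] = (uint8_t)(r >> (8 * b));
    }
}

/* Sanity check against the widely published vector: key "Key" gives a
 * keystream starting EB 9F 77 81. Returns 1 on match. */
int rc4_matches_known_vector(void) {
    static const uint8_t expect[4] = {0xEB, 0x9F, 0x77, 0x81};
    rc4_t c;
    rc4_init(&c, (const uint8_t *)"Key", 3);
    for (int n = 0; n < 4; n++)
        if (rc4_byte(&c) != expect[n]) return 0;
    return 1;
}

/* Roos's weak-key class: keys with K[0]+K[1] == 0 (mod 256). Returns the
 * fraction of such keys whose keystream byte number drop+1 equals K[2]+3.
 * Theory: about 0.138 with drop == 0, versus 1/256 for an ideal cipher. */
double roos_hit_rate(unsigned trials, unsigned drop) {
    unsigned hits = 0;
    prng_state = 1;
    for (unsigned t = 0; t < trials; t++) {
        uint8_t key[16];
        rc4_t c;
        random_key(key);
        key[1] = (uint8_t)(0 - key[0]);          /* force the weak-key condition */
        rc4_init_drop(&c, key, sizeof key, drop);
        if (rc4_byte(&c) == (uint8_t)(key[2] + 3)) hits++;
    }
    return (double)hits / trials;
}

/* Mantin-Shamir bias (any key): fraction of keys whose keystream byte
 * number drop+2 is zero. Theory: about 2/256 with drop == 0, not 1/256. */
double second_byte_zero_rate(unsigned trials, unsigned drop) {
    unsigned zeros = 0;
    prng_state = 2;
    for (unsigned t = 0; t < trials; t++) {
        uint8_t key[16];
        rc4_t c;
        random_key(key);
        rc4_init_drop(&c, key, sizeof key, drop);
        (void)rc4_byte(&c);
        if (rc4_byte(&c) == 0) zeros++;
    }
    return (double)zeros / trials;
}

int main(void) {
    printf("known vector ok: %d\n", rc4_matches_known_vector());
    printf("Roos hit rate, no drop:      %.4f\n", roos_hit_rate(20000, 0));
    printf("Roos hit rate, drop 2048:    %.4f\n", roos_hit_rate(20000, 2048));
    printf("P(Z2 == 0), no drop:         %.4f\n", second_byte_zero_rate(60000, 0));
    printf("P(Z2 == 0), drop 2048:       %.4f\n", second_byte_zero_rate(60000, 2048));
    return 0;
}
```

Dropping the start of the keystream removes these two start-of-stream biases only; it does nothing for a design in which the key material itself is public or reused.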
  12. No other cross platform alternative... by Anonymous Coward · · Score: 4, Insightful

    ...for *video* calls. I use Linux, my daughter uses Apple and my son uses Windows. Skype allows high quality video chat, telephone interconnect/transfer and IP voice calls on all three platforms.

    They may be proprietary and bandwidth hogs, but the Skype folks certainly offer a free product with great user appeal. Maybe that's why it's so popular?

    1. Re:No other cross platform alternative... by aliquis · · Score: 1

      Yeah, the Pidgin people are pretty annoying as far as webcam support goes. Though understandable and it's their time and project so .. Jabber video may not be really there yet.

      aMSN should run on all platforms, though the old version is kinda scrapped waiting for the new one.

      I don't know if there's any way to use webcam over ICQ in Linux.

      Looks like Qnext does video, and it's JAVA, at least if I remember correctly.

      But yeah, Skype is convenient, it works where no one else seems to have succeeded, and it's simple to use. Just sucks arse that it's proprietary software and protocols (and servers? To the extent they are used.)

      One would have believed Google would have thrown out an alternative which was just as good really fast. Maybe with a client in Android too. And hopefully based on standards.

    2. Re:No other cross platform alternative... by jrumney · · Score: 3, Informative

      SIP based videophone clients are available for all those platforms. They may not be the same client, but because SIP is an open standard they don't have to be to interoperate. Also H.323 clients should be available for all platforms, one even comes with Windows by default (netmeeting) though it doesn't get an icon in the start menu these days.

    3. Re:No other cross platform alternative... by norpy · · Score: 1

      Netmeeting no longer exists. It has been replaced by "Windows Meeting Space"

    4. Re:No other cross platform alternative... by GSV+Eat+Me+Reality · · Score: 1

        Primitive, yet newly introduced, communications protocols such as these tend to create a desire to control them in entities that did not originally create them. This has been demonstrated multiple times in humanoid history.

        What is most puzzling about the desire for control is the fact that given a sufficient period of time, the protocols will evolve, the society and culture will evolve, and the entities that desire to control them will be left with no control over them, with the possible exception of what can be preserved by redundant and ultimately short-lived influence on the social mechanisms that are prevalent at the time.

        This seems to be counter productive to the advancement of any society, as it allows the affluent members of the society to gain control over the creative process which advances societies and culture, and therefore stifle it.

        Speaking entirely as a corporeal and yet potentially non-involved entity, is this not contrary to the stated desires of the culture and society, to wit, to advance? Is it not contrary to the very desires of the affluent entities, that the system they live within evolves and therefore produces situations in which they can become more affluent?

        It is surely puzzling.

        GSV Eat Me Reality

       

    5. Re:No other cross platform alternative... by houghi · · Score: 1

      For me that is a reason NOT to use it. You do not want to chat with me and see how I sit behind my computer.

      --
      Don't fight for your country, if your country does not fight for you.
    6. Re:No other cross platform alternative... by FriendlyLurker · · Score: 4, Insightful

      I kinda get annoyed when people say "Use SIP" to the "I want to replace Skype with open source/non proprietary" question. Ok so SIP exists and clients are out there, I have even tried a few out with tech orientated friends. Now show me where all my __non tech friends__ can download AND install a sleek simple easy to use SIP client in around three clicks, and be chatting a minute later with no configuration? (the minimum bar that Skype has set). AFAIK such a SIP client does not yet exist - the SIP community has failed to cater even remotely to the only crowd that will actually make SIP relevant on the desktop (and so by extension, other areas).

      Key in Open Source S... and google will show you just how popular it is to search for Skype alternatives - the demand is there. Clicking through the search shows just how sorry the state of SIP actually is. Top listed "Top ten" lists from 2007, half baked solutions. Hardly comparable to Skype's prominent big download button, about three click install and you're talking (over an encrypted link, no less).

      I so wish I was wrong about this and there did exist a SIP client where I could email to my non-techy friends and have them chatting in minutes. Maybe one day hopefully, when someone (anyone, please!) in the SIP community gets their act together. I'd love nothing more than if someone replied to prove I am wrong here...

    7. Re:No other cross platform alternative... by jez9999 · · Score: 1

      one even comes with Windows by default (netmeeting) though it doesn't get an icon in the start menu these days.

      And it doesn't start on Windows 7, it crashes.

    8. Re:No other cross platform alternative... by jareth-0205 · · Score: 1

      Yes, *and* the fact that changing the whole world to use a different 'standard' than Skype is somewhat tricky. If you want to talk to other people you can't always make them use the software you demand.

    9. Re:No other cross platform alternative... by FireFury03 · · Score: 1

      and be chatting a minute later with no configuration? (the minimum bar that Skype has set)

      The problem here is that anything non-proprietary will always require some configuration purely because it won't be locked to a specific service provider.... which is the whole point of having non-proprietary stuff. But frankly, setting up a SIP client is as trivial as setting up your email client, or your XMPP client - you fill in the server that your account is on, your user name and password and it works.

      What you're asking for is equivalent to "show me where I can buy an unlocked cellphone that isn't tied to any service provider but doesn't involve me finding a service provider to use" - you can't have one without the other (although admittedly it is a bit better in the cellphone market because at least all the telcos interoperate with each other so you can at least phone people who are on a different telco).

      The closest you can get are service providers who ship preconfigured SIP clients (either software or hardware). There are actually a lot of these, such as Sipgate, etc. But they are smaller companies than Skype and thusly have less public mindshare.

      the SIP community has failed to cater even remotely to the only crowd that will actually make SIP relevant on the desktop

      Here I disagree - A *lot* of people use SIP, both on and off the desktop. It may not have the mind share that Skype has, but it is still in heavy use. Another thing is that Skype is a service whereas SIP is a protocol - SIP is used across many service providers and people may not even know that that's what they are using.

      I so wish I was wrong about this and there did exist a SIP client where I could email to my non-techy friends and have them chatting in minutes

      You can already do this - most of the SIP gateways already supply one. I already pointed to Sipgate as an example - sign up with them and they will let you download a softphone that is preconfigured with your account details, or purchase a hard phone that is preconfigured. Most of the service providers do something similar.

    10. Re:No other cross platform alternative... by ulski · · Score: 1

      Ekiga http://www.ekiga.org/ supports h.323 and SIP. There are both Windows and Linux versions

    11. Re:No other cross platform alternative... by Anonymous Coward · · Score: 0

      I'm sure the previous poster was under the impression that people here don't have that many friends.
      Innocent mistake.

    12. Re:No other cross platform alternative... by jgagnon · · Score: 1

      The desires of society are often in conflict with the desires of its more influential members.

      --
      Remember to maintain your supply of /facepalm oil to prevent chafing.
    13. Re:No other cross platform alternative... by jgagnon · · Score: 1

      Rule 34 says there is someone out there that wants exactly that. :p

      --
      Remember to maintain your supply of /facepalm oil to prevent chafing.
    14. Re:No other cross platform alternative... by wrook · · Score: 3, Interesting

      Writing a good, easy to use, high quality SIP client is quite easy these days. Half decent free SIP and RTP libraries exist. Decent free codecs exist. You basically just have to write UI (and not even a complicated UI at that).

      The problem is NAT. To make it work 100% of the time you must always have one leg (or an intermediary carrying the traffic) that isn't behind NAT. If you are behind NAT, Skype routes your call through someone who isn't. In other words, you will be using somebody else's bandwidth for your call. And that someone probably doesn't know you are doing it. Up until this point, there has been no free software author willing to do what Skype has done. Basically, because it is unethical in many people's minds. And free software authors tend to work based on ethics.

      With current routers and UPnP, a lot of the problems can be avoided, but you are still going to run into some situations which you can't really solve point to point. It has occurred to me to have a voluntary bandwidth usage. This should work reasonably well if the software were popular enough and you could limit the amount of bandwidth used.

      I have the skills to write such a thing, but alas I'm busy with other things at the moment. Maybe later...

    15. Re:No other cross platform alternative... by Anonymous Coward · · Score: 0

      That's not exactly how the rule works.

    16. Re:No other cross platform alternative... by TheRaven64 · · Score: 1

      Actually, this is not much of a problem anymore. All of the SIP providers I've encountered provide a STUN server that you can use for NAT traversal. You still need to provide the STUN server address when configuring the client, but that's pretty trivial. XMPP also uses STUN for NAT traversal with Jingle, but provides the address of the STUN server via the Jingle handshake (eJabberd has included a built-in STUN server since 2.1.0).

      --
      I am TheRaven on Soylent News
    17. Re:No other cross platform alternative... by wrook · · Score: 1

      Unfortunately STUN doesn't work in every case. The problem is that for many firewalls, sending an ICMP packet binds the port. This is apparently against the spec (I haven't checked), but many, many routers do this. Even Linux did it at one point (and may still do for all I know).

      The issue comes because SIP has to choose the port it will use for audio before it sends audio. It sends the port number to the other side. But in most firewalls the port doesn't open (and isn't even really bound) until a packet has been sent to the other side. But if a packet is received before the packet is sent, the firewall will respond with an ICMP message, binding the port until it times out (usually 90 seconds). When the SIP client gets around to sending its packet, the port is already bound and gets reassigned. This results in one way audio.

      Even ICE won't solve this problem. The poor reputation SIP clients have for reliable connection is due to this. It will work most of the time, but not 100% of the time. In order to work 100% of the time you need an intermediary that is able to carry your traffic.

      Unfortunately this has less to do with poor SIP implementations and more to do with the guy inventing SIP not understanding how firewalls work in the real world.

    18. Re:No other cross platform alternative... by micheas · · Score: 1

      Most people (numerically) pay someone else to set up their email client.

      $50 is the going rate in the USA to set up google for domains, and most third graders should be able to do that in an afternoon.

      These same people can use skype.

      The relatively user friendly skype IDs also help. As soon as someone sees a SIP ID they want to leave, unless you have a wrapper so they never see it.

      I think you underestimate the level of polish that skype has.

      Most SIP solutions are more or less raw in places that are visible to the end user.

      Nice for techies, not so for the masses.

    19. Re:No other cross platform alternative... by pimproot · · Score: 1

      Using an intermediary is not the only way for two nodes behind separate NATs to talk to each other: for UDP there's also a connection bootstrapping trick that gets them both hooked up. It works when the NAT doesn't rewrite the source port of a UDP packet, as is usually the case when a node uses an unoccupied source port (and as a random port is likely to be): each node simply starts sending a packet to the other node's source port. As the packet passes out through the NAT, it will remember that there is a "conversation" going on on that source/dest port pair and forward the incoming packets with the same port pair to the proper destination.

      This could work for TCP, also, if a node could generate a blind SYNACK with the correct sequence numbers and thereby cause the NAT to start forwarding - which is possible with the momentary assistance of an intermediary.

      Yes, this is a gross kludge and is inferior to proper NAT-traversal protocols like UPNP port forwarding, but it works in a large majority of real-world cases. Too bad it's not widely known or implemented.

    20. Re:No other cross platform alternative... by wrook · · Score: 1

      Yes it does work in most cases. And in fact, every modern SIP client I know of works this way (there's even an RFC for it... I can't remember the name of it right now though). If you look a little higher in the conversation, you'll see the real problem, though -- Firewalls that bind the port when they return an ICMP packet. The problem is that even though you have requested a port, it isn't actually bound until you send a packet. If the firewall receives a packet before one is sent, the port isn't open yet, an ICMP packet gets sent back and the port is bound for however long the timeout is (usually 90 seconds). When you start to send packets, you get assigned a different port, which of course leads to one way audio.

      Of course there is no reason to bind the port on an ICMP message and I have been told that it is against the spec (I haven't looked, though). But many, many routers do this. Linux iptables also used to do this and may still do for all I know.
      If we wait long enough for everyone to fix their NAT implementation, SIP may just start working on its own ;-)

    21. Re:No other cross platform alternative... by pimproot · · Score: 1

      Nice about the RFC, but the ICMP problem shouldn't exist if both nodes send their packets out at approximately the exact same time. By the time each packet reaches the other side, the port should be open.

      I hope utorrent's new utp protocol implements some of this magic, since I'm *STILL* seeing routers without UPnP.

  13. Universal v. Reimerdes by tepples · · Score: 2, Informative

    A C&D for a clean-room reversed engineering of a publicly-available algorithm? Methinks not.

    Methinks so. Universal v. Reimerdes.

  14. Video by phorm · · Score: 1

    That used to be the case for me, but more recently on several different machines I've found that I either could not send or receive videos (despite having working cameras on both ends, and the cams working with other apps).

    1. Re:Video by characterZer0 · · Score: 1

      I had that problem. Upgrading all clients to the most recent version fixed it.

      --
      Go green: turn off your refrigerator.
  15. There is no RC4 key! by Anonymous Coward · · Score: 0

    Everyone is so concerned with the strength of this algorithm... What does it matter if there is no secret key to break? The whole thing relies only on the secrecy of this algorithm! Just check the Wikipedia article and the Vanilla Skype docs.

    I hope Skype doesn't bury these guys under 6 feet of dirt and a deadly law suit and they publish everything else - compression, key management, digital signatures, user authentication, P2P AES-256 encryption... We want more! We want more! We want more!

  16. Does this mean... by LuYu · · Score: 1

    Does this mean we can finally have Skype protocol built into Pidgin? I would love to stop using Skype's crapware.

    --
    All data is speech. All speech is Free.
    1. Re:Does this mean... by Anonymous Coward · · Score: 0

      Not gonna happen. The protocol has not been cracked (made emulable). As long as Skype dominates the market, they just need to tweak their secret protocol and force an update on all users.

  17. If publishing the scheme weakened it... by Arancaytar · · Score: 1

    Then that would have to be one crappy encryption algorithm.

  18. Chaocipher by dimethylxanthine · · Score: 0

    They should have used the chaocipher. That should be way past its copyright period. Ta!

  19. Skype Will Change As Telecoms Change by pandrijeczko · · Score: 1

    The VoIP world is going the way of open standards with SIP - if Skype don't adapt to embrace SIP, they'll just edge themselves out of the marketplace.

    The biggest VoIP business provider Avaya has been moving to SIP for years and, interestingly though maybe not relevant, are owned mostly by the Silver Lake investors, who also own most of Skype.

    --
    Gentoo Linux - another day, another USE flag.
    1. Re:Skype Will Change As Telecoms Change by Ash-Fox · · Score: 1

      Skype does use SIP for termination with certain telecommunications providers.

      --
      Change is certain; progress is not obligatory.
    2. Re:Skype Will Change As Telecoms Change by pandrijeczko · · Score: 1

      Yes, but that's the point... a true SIP endpoint should work with any provider.

      --
      Gentoo Linux - another day, another USE flag.
    3. Re:Skype Will Change As Telecoms Change by Ash-Fox · · Score: 1

      Yes, but that's the point... a true SIP endpoint should work with any provider.

      But most major telecommunications providers don't have SIP points for just anyone. They're locked down just for terminating between each other, just like Skype's.

      --
      Change is certain; progress is not obligatory.
    4. Re:Skype Will Change As Telecoms Change by pandrijeczko · · Score: 1

      Quite possibly, but it's a business decision to lock them down. SIP is an open protocol, Skype's protocol is (at least partly) proprietary.

      --
      Gentoo Linux - another day, another USE flag.
    5. Re:Skype Will Change As Telecoms Change by Ash-Fox · · Score: 1

      SIP is an open protocol, Skype's protocol is (at least partly) proprietary.

      Yes, but the Skype protocol is not used for terminating a call between providers, SIP is used for such termination - I don't get the argument.

      The Skype protocol itself is used on the user end and has many benefits such as being capable of working around networking issues with a combination of methods such as creating 'false' open/active sessions (hole punching) in TCP and UDP to open a socket for users who for example, can't open incoming ports themselves on their Internet exposed address, capable of using peer to peer communications for communicating with the master server if there are connectivity issues etc. Which are things that a SIP client cannot do if it were following the SIP specifications.

      --
      Change is certain; progress is not obligatory.
    6. Re:Skype Will Change As Telecoms Change by pandrijeczko · · Score: 1

      Maybe I'm not quite getting what you're saying but that's not what I understand SIP to be.

      As far as the VoIP endpoints are concerned, all they care about is that they can communicate the same protocol for their inter-communications - i.e. the same codecs for voice or video calls, same protocol for IM, etc. Whether those protocols do or don't work through NAT without specific ports open is irrelevant to SIP.

      The purpose of SIP is to provide the "data signalling" portion of the connection - i.e. to communicate the availability of other endpoints and then to initiate, change the state of and finally tear down the communication by telling the endpoints what to do.

      You cannot use the Skype client as a SIP softphone without going via Skype themselves - I cannot argue with your comments on what Skype actually does but that's not the point; it is still partly based on closed protocols (and I suspect closed codecs, though I could be wrong), whereas SIP is entirely open.

      --
      Gentoo Linux - another day, another USE flag.
    7. Re:Skype Will Change As Telecoms Change by Ash-Fox · · Score: 1

      You cannot use the Skype client as a SIP softphone without going via Skype themselves

      No, but you could use Skype's Skype for SIP to do it, one of the SIP Skype gateway software combos out there or even a SIP service provider that I am too lazy to Google right now.

      Being that Skype is providing this functionality directly, I honestly don't see the issue.

      --
      Change is certain; progress is not obligatory.
    8. Re:Skype Will Change As Telecoms Change by Anonymous Coward · · Score: 0

      Open or Closed doesn't matter so much to a user when they need to get something done. Right tool for the job that doesn't require a PHD to setup is what they will want. Also - not all traffic for Skype has to go through any sort of central server, it's possible to talk point to point just fine or through relays which are unwitting users elsewhere...

  20. So? by dohzer · · Score: 1

    Why would anyone use Skype for security critical conversations?

    1. Re:So? by GameboyRMH · · Score: 1

      Exactly. It's connecting to a server you don't control FFS. Almost the whole thing is a big black box. Like landlines and cell networks, I consider it unsecure.

      If you want secure VoIP, run SIP or IAX through a VPN containing only trusted devices.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:So? by BLKMGK · · Score: 1

      Because it's easy to setup, uses strong AES crypto, goes through firewalls, and is free....

      --
      Build it, Drive it, Improve it! Hybridz.org
  21. Re:Facetime by terminal.dk · · Score: 0, Troll

    Facetime is an open standard from Apple.
    People really love the iPhone 4 implementation.

  22. So what you're saying about this is by Anonymous Coward · · Score: 0

    So what you're saying about this is that the ONLY reason why you like Skype is because they've made a slick installer for all three platforms.

    Please tell me how this makes a proprietary solution the ONLY solution?

    Skype could open up their protocol so other people could use Skype freely.

    Anyone can write a nice installer setting up SIP accepted standard. The problem being that nobody has. All someone has to show you is how to set up one SIP client and that client should be able to talk to any other SIP client, then there's no problem.

    The problem is that people like you assume that SIP != Skype and that Skype is the ONLY SOLUTION. It isn't. If Skype were using a SIP configuration others could use, there would be no issue. If people like you didn't DEMAND Skype compatibility, others would be able to fill its place.

    1. Re:So what you're saying about this is by Anonymous Coward · · Score: 1, Funny

      There was an important job to be done and Everybody was sure that Somebody would do it.

      Anybody could have done it, but Nobody did it.

      Somebody got angry about that because it was Everybody's job.

      Everybody thought that Anybody could do it, but Nobody realized that Everybody wouldn't do it.

      It ended up that Everybody blamed Somebody when Nobody did what Anybody could have done.

  23. Not so decent by Anonymous Coward · · Score: 0

    Examine the rumors: H, and The Register.

    Examine the facts: Digitask was contracted to provide the technology.

  24. Re:Facetime by TheRaven64 · · Score: 2, Insightful

    Facetime is a proprietary standard that Apple has claimed it will open at some point in the future.

    --
    I am TheRaven on Soylent News
  25. P2P is unethical? by Mr2001 · · Score: 1

    If you are behind NAT, Skype routes your call through someone who isn't. In other words, you will be using somebody else's bandwidth for your call. And that someone probably doesn't know you are doing it. Up until this point, there has been no free software author willing to do what Skype has done. Basically, because it is unethical in many people's minds. And free software authors tend to work based on ethics.

    Er, which part of that is unethical? Using other people's bandwidth is how peer-to-peer systems work, and there's no shortage of free software P2P: BitTorrent, Freenet, etc.

    --
    Visual IRC: Fast. Powerful. Free.
    1. Re:P2P is unethical? by wrook · · Score: 1

      The issue is that they don't know they are providing bandwidth for somebody else's call. It's in the fine print, but your average Joe doesn't read/understand it. It remains to be seen how many people would voluntarily give up their bandwidth for a stranger's telephone call. My current idea is to build up a kind of dark net where you can choose who to provide bandwidth to (friends, friends of friends, anybody).

    2. Re:P2P is unethical? by Mr2001 · · Score: 1

      The issue is that they don't know they are providing bandwidth for somebody else's call. It's in the fine print, but your average Joe doesn't read/understand it.

      I wonder how many of them understand they're providing bandwidth for someone else's download when they use BitTorrent.

      --
      Visual IRC: Fast. Powerful. Free.
  26. Even Neater by DrYak · · Score: 1

    What is even neater than a 3rd party Skype software would be someone assembling:

    - a 3rd party Skype implementation
    - using already available RTP, SIP, ZRTP to make a SIP implementation, throwing STUN *and* TURN into the mix (like libNICE) together with a list of known servers for 100% automatic NAT traversal
    - maybe throw another couple of open implementations (like Google LibJingle for XMPP).
    - and find a way to put a nice "find friend" function in there (so people won't have trouble finding who among their friends use open protocols too). (Bonus if it leverages some viral social network API. Like piggybacking on Facebook).
    - then package everything in an easy-to-use, non-bloated (does only voice and messages), non-crashy application.

    This could be the first step toward helping the users move to open standards:
    - as a non-bloated, non-crashy application, that would be compelling current Skype users to start using this instead of the official client, while keeping every contact in their list.
    - as long as several friends move to this new software, they could also start using other alternatives (just like OTR made it possible to use encryption between OTR-compatible clients without needing to lose friends).
    - in a few years, once a privacy crisis breaks out once people realise the backdoors in Skype, people will simply use the other services or the encryption layer provided by their preferred software.

    Best part of it? Skype won't even mind - they make their only profit by selling SkypeIn / -Out service.
    As long as people buy minutes, it doesn't really matter what software the users are using to connect.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]