Skype Encryption (Partly) Revealed

TSHTF writes "Just weeks after Skype unveiled a public API for the service, a group of cryptographers led by Sean O'Neill have successfully reverse engineered the encryption used by the Skype protocol. Source code is available under a non-commercial license which details Skype's implementation of the RC4 cipher." The linked article cautions, however, that "initial analysis suggests that O'Neill's publication does not mean that Skype's encryption can be considered 'cracked'. Further study will be needed to determine whether key expansion and initialisation vector generation are secure."

So, if I'm reading this right...

[Reilaos]

We're on the way to getting 3rd party Skype applications. Neat.

Re:So, if I'm reading this right...

[aliquis]

You know what would be neater? Something not based on a proprietary system, and there are plenty. (Though it could be argued whatever things like SIP is as good.)

C&D

[pak9rabid]

Queue the cease and desist in 3...2...1...

implications?

[Eil]

None of this harms Skype's existing security in any way. Encryption, if properly implemented, is secure even when all of the mechanisms are known. This is why you can have software like GPG and the zillion open source AES implementations and still use them to reliably protect data from interception.

What would weaken Skype's security was if someone found a shortcut (by way of a bug or design flaw) to decrypting the data without knowledge of the keys being used. According to TFA, this is what the O'Neill is working on now.

That said, the source material that O'Neill provided mentions only symmetric ciphers, which means that the keys might be buried in the Skype binaries somewhere. If that's the case, then finding those would break Skype's encryption wide open. But I rather doubt that will happen. We're only seeing part of the story here and I'd bet dollars to donuts that they're using one or more asymmetric ciphers somewhere to transmit keys for the symmetric ciphers.

Re:implications?

[Wesley+Felter]

It's not about security; revealing the protocol hurts Skype's lock-in. For example, the Skype-Asterisk gateway is $66 per channel; imagine if someone created an open source version.

Re:implications?

[swillden]

Yes, achieving end-to-end secrecy requires much more than just using a secure encryption algorithm correctly. I was only addressing the cipher.

Re:Reverse Engineered

[omnichad]

Oh, this could be used for interoperability - something explicitly allowed under DMCA. It's just like reverse engineering Word's .doc format.

Re:Skype still sucks

It is proprietary, centralized, bloatwared, closed, and bandwidth intensive. Simply fixing one of this is not an improvement on the situation.

I like FOSS as much as the next guy but making things open source does not magically eliminates any of these problems. I've seen plenty of FOSS code that suffers from being centralized, bloatwared and bandwidth intensive plus being insecure, badly designed, counterintuitive to use, .... , the list goes on. Bad coders are bad coders no matter where they work.

...then maybe a non-crashy linux client will be your savior.

Halleluja!!!

No other cross platform alternative...

...for *video* calls. I use Linux, my daughter uses Apple and my son uses Windows. Skype allows high quality video chat, telephone interconnect/transfer and IP voice calls on all three platforms.

They may be proprietary and bandwith hogs, but the Skype folks certainly offer a free product with great user appeal. Maybe that's why it's so popular?

Re:No other cross platform alternative...

[FriendlyLurker]

I kinda get annoyed when people say "Use SIP" to the "I want to replace Skype with open source/non proprietary" question. Ok so SIP exists and clients are out there, I have even tried a few out with tech orientated friends. Now show me where all my __non tech friends__ can download AND install a sleek simple easy to use SIP client in around three clicks, and be chatting a minute later with no configuration? (the minimum bar that Skype has set). AFAIK such a SIP client does not yet exist - the SIP community has failed to cater even remotely to the only crowd that will actually make SIP relevant on the desktop (and so by extension, other areas).

Key in Open Source S... and google will show you just how popular it is to search for Skype alternatives - the demand is there. Clicking through the search shows just how sorry the state of SIP actually is. Top listed "Top ten" lists from 2007, half baked solutions. Hardly comparable to Skype's prominent big download button, about three click install and your talking (over an encrypted link, no less).

I so wish I was wrong about this and there did exist a SIP client where I could email to my non-techy friends and have them chatting in minutes. Maybe one day hopefully, when someone (anyone, please!) in the SIP community get their act together. I'd love nothing more than if someone replied to prove I am wrong here...

Re:The key scheduling is what's important

[swillden]

Ultimately, it comes down to the key scheduling. If Skype has a better key-scheduling algorithm, it may actually improve security over standard RC4.

I would hope they didn't create a custom key scheduling algorithm. Odds are good that what they created would be worse. It would be much better to use the standard key schedule and discard the first 2 KB of the keystream -- which is what cryptographers suggest when using RC4.

Re:Facetime

[TheRaven64]

Facetime is a proprietary standard that Apple has claimed it will open at some point in the future.