Slashdot Mirror


Skype Encryption (Partly) Revealed

TSHTF writes "Just weeks after Skype unveiled a public API for the service, a group of cryptographers led by Sean O'Neill have successfully reverse engineered the encryption used by the Skype protocol. Source code is available under a non-commercial license which details Skype's implementation of the RC4 cipher." The linked article cautions, however, that "initial analysis suggests that O'Neill's publication does not mean that Skype's encryption can be considered 'cracked'. Further study will be needed to determine whether key expansion and initialisation vector generation are secure."

  1. Skype still sucks by Anonymous Coward · · Score: 5, Interesting

    It is proprietary, centralized, bloatwared, closed, and bandwidth intensive. Simply fixing one of these is not an improvement on the situation.

    Unless you happen to be one of the unfortunate souls whose boss requires all communication to be on Skype, then maybe a non-crashy Linux client will be your savior.

    1. Re:Skype still sucks by Jorl17 · · Score: 3, Interesting

      Usually I used Skype to voice-chat. Then I realized that Mumble was good outside gaming. Now I use Mumble to do everything and have my own little chat app to communicate via text. Skype is dead for me. Mumble is bandwidth-saving in some cases and the quality is so vastly superior. The disadvantage is that of a centralized server, but I manage that just fine by using an available server OR running my local one. Sure, for conferences it might be worse in terms of bandwidth (all data going to the server = me), but for 2-3 people it is great. This isn't good for video, though, but I don't need that anyway, and I've heard of good apps to do so.

      --
      Have you heard about SoylentNews?
    2. Re:Skype still sucks by commodore64_love · · Score: 3, Interesting

      >>>Name a decent alternative?

      I use a calling card which is only 5 cents per minute and will work regardless where I'm at (home, hotel, payphone along the highway). I've looked at Skype and think it's a cool idea, but don't see that it would save me money, or be as convenient.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
  2. US Government likely already broke it by Anonymous Coward · · Score: 1, Interesting

    This just goes to show the US Govt. already likely has these streams pwnd.

  3. Well by Irick · · Score: 2, Interesting

    Hopefully this means we will see some more 3rd party clients, and maybe some Jabber integration.

  4. Wasn't this done years ago? by Wesley Felter · · Score: 5, Interesting

    On the Wikipedia page http://en.wikipedia.org/wiki/Skype_protocol I see presentations from 2004 and 2006 about reversing Skype, including its encryption. What's new here compared to the previous work?

  5. Skype may have better security than you think by DigitAl56K · · Score: 2, Interesting

    Cryptome hosts this 2007 document:

    http://cryptome.org/isp-spy/skype-spy.pdf

    * Skype can provide records showing account creation, financial transaction and use of PSTN interconnections
    * Due to the way by which Skype works, Skype does NOT have any records of user “logins”, “log offs” or other general online/offline status
    * The Skype system is designed in such a way that voicemail is not centrally stored
    * Calls, IMs and other activities between Skype users do not create billing records

    Everything there implies that if you want your communications to be private with respect to what can be provided in response to a subpoena then Skype isn't a bad platform. As to what can be intercepted, obviously that is not covered because it's not relevant to that document.

  6. Re:So, if I'm reading this right... by Anonymous Coward · · Score: 1, Interesting

    SIP isn't that great though because there is no encryption. Sure, there is "encryption" like SRTP for SIP but nobody uses it and practically none of the SIP providers support it (quite possibly none support it; I haven't found one at least).

    Plus there is the whole momentum thing, lots of people use Skype because it's dead easy to install and it generally "just works." However, the Skype client sucks donkey balls. It's buggy and difficult to use in a non-GUI environment.

    With that said, I still use VOIP/SIP for my main phone because Skype-IN seriously sucks (when I had it I would guess 50% of calls went to voicemail instead of ringing my phone even though everything was working normally).

  7. Re:implications? by Caledfwlch · · Score: 2, Interesting

    There is a positive implication.... it may count partly towards the transparency that the Indian security agencies want ;-)

    --
    These views express my own personal opinions, not those of the other voices in my head
  8. Re:No other cross platform alternative... by wrook · · Score: 3, Interesting

    Writing a good, easy to use, high quality SIP client is quite easy these days. Half decent free SIP and RTP libraries exist. Decent free codecs exist. You basically just have to write UI (and not even a complicated UI at that).

    The problem is NAT. To make it work 100% of the time you must always have one leg (or an intermediary carrying the traffic) that isn't behind NAT. If you are behind NAT, Skype routes your call through someone who isn't. In other words, you will be using somebody else's bandwidth for your call. And that someone probably doesn't know you are doing it. Up until this point, there has been no free software author willing to do what Skype has done. Basically, because it is unethical in many people's minds. And free software authors tend to work based on ethics.

    With current routers and UPnP, a lot of the problems can be avoided, but you are still going to run into some situations which you can't really solve point to point. It has occurred to me to have a voluntary bandwidth usage. This should work reasonably well if the software were popular enough and you could limit the amount of bandwidth used.

    I have the skills to write such a thing, but alas I'm busy with other things at the moment. Maybe later...