Skype Encryption (Partly) Revealed

Posted by timothy
from the skyping-ahead dept.
TSHTF writes "Just weeks after Skype unveiled a public API for the service, a group of cryptographers led by Sean O'Neill have successfully reverse engineered the encryption used by the Skype protocol. Source code is available under a non-commercial license which details Skype's implementation of the RC4 cipher." The linked article cautions, however, that "initial analysis suggests that O'Neill's publication does not mean that Skype's encryption can be considered 'cracked'. Further study will be needed to determine whether key expansion and initialisation vector generation are secure."
This discussion has been archived. No new comments can be posted.

  • Re:Skype still sucks (Score:2, Informative)

    by fuzznutz (789413) on Thursday July 08 2010, @06:23PM (#32845346)
    Pay-phone? Where do you find pay-phones these days? My daughter's brand new high school has no pay-phone anywhere on the premises. In fact, I can't remember the last pay-phone I saw. I work at a University, and there are no pay-phones in any building on campus.
  • Re:Skype still sucks (Score:5, Informative)

    by caseih (160668) on Thursday July 08 2010, @06:49PM (#32845572)

    For me Gizmo5 and sipgate.com provide all the VoIP services I used to use skype for. In fact when I combine Google Voice with either Gizmo5 or sipgate.com, and a Linksys 3102 SPA box, I can not only replace skype, but replace my land line as well. I also do most voice communication at home, so I ditched my cell plan and got a T-mobile prepaid plan. Now if I receive a call via GV on my cell phone, the moment I walk in the door I can transfer it to VoIP.

    If I had an asterisk box set up, I could probably do GV-connected outbound calling automagically from my land phone. At the moment I place most calls via the web interface.

    I know Skype can do IM and video chat, but frankly I never needed that. So yes, SIP is a good alternative. And ekiga can do both SIP and video chatting using open protocols. Works quite great, despite SIP's retardedness.

  • Re:implications? (Score:5, Informative)

    by 0123456 (636235) on Thursday July 08 2010, @06:56PM (#32845656)

    None of this harms Skype's existing security in any way. Encryption, if properly implemented, is secure even when all of the mechanisms are known

    ROT13 isn't secure when it's known.

    Like ROT13, RC4 is an antiquated cipher with many known issues; and a modified version of RC4 could be even less secure than the vanilla implementation. No-one should be using it these days when there are much better alternatives available.

  • by bk2204 (310841) <sandals@crustytoothpaste.net> on Thursday July 08 2010, @07:09PM (#32845766) Homepage

    The actual RC4 cipher has bad key scheduling issues. Because the initialization step doesn't mix the key bytes well enough into the S-box, the first bytes of the keystream (which is XOR'd with the plaintext to produce the ciphertext) leak lots of data about the key. This is a major problem with WEP (there are, of course, others). Cryptographers recommend discarding the beginning of the keystream because of this weakness. Nevertheless, RC4 is popular because it is byte-oriented and fast. Even 8-bit machines can implement it trivially.

    Ultimately, it comes down to the key scheduling. If Skype has a better key-scheduling algorithm, it may actually improve security over standard RC4.
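
Added example, not part of the comment above or of the published Skype code: textbook RC4 in Python, used to measure one well-known symptom of its weak initialization (the second keystream byte is zero about twice as often as a uniform byte would be) and to show that discarding the start of the keystream removes it. The 16-byte random keys, the 256-byte drop length and the function names are assumptions of this sketch; it says nothing about Skype's modified key schedule.

```python
import os

def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """Standard RC4 (KSA + PRGA). Returns n keystream bytes after
    discarding the first `drop` bytes (the "RC4-drop" mitigation)."""
    S = list(range(256))
    j = 0
    # Key-scheduling algorithm: one pass mixing key bytes into the S-box.
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm.
    i = j = 0
    out = bytearray()
    for _ in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out[drop:])

def second_byte_zero_rate(trials: int, drop: int = 0) -> float:
    """Fraction of fresh random 16-byte keys (constructed test input)
    whose second emitted keystream byte equals 0x00."""
    zeros = 0
    for _ in range(trials):
        if rc4_keystream(os.urandom(16), 2, drop)[1] == 0:
            zeros += 1
    return zeros / trials

if __name__ == "__main__":
    trials = 30000
    uniform = 1 / 256
    print(f"uniform expectation : {uniform:.4f}")
    print(f"plain RC4           : {second_byte_zero_rate(trials):.4f}")
    print(f"RC4, drop 256 bytes : {second_byte_zero_rate(trials, 256):.4f}")
```

Run as a script, the plain-RC4 rate comes out near 2/256 and the drop-256 rate near 1/256; a keystream that can be told apart from random this early is why the initial output is discarded.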

  • Re:implications? (Score:3, Informative)

    by Sloppy (14984) on Thursday July 08 2010, @07:17PM (#32845834) Homepage Journal

    None of this harms Skype's existing security in any way

    That depends on what you mean by "security." If "security" means having a monopoly on sales of an implementation of a popular protocol... ;-)

    We're only seeing part of the story here and I'd bet dollars to donuts that they're using one or more asymmetric ciphers somewhere to transmit keys for the symmetric ciphers.

    The big question about Skype has always been: how are they using the asymmetric stuff? How does each client know whose public key it's using?

  • Re:Skype still sucks (Score:3, Informative)

    by westlake (615356) on Thursday July 08 2010, @07:18PM (#32845840)

    It is proprietary, centralized, bloatwared, closed, and bandwidth intensive.
    maybe a non-crashy linux client will be your savior.

    There are about 500 million Skype accounts.

    40 million or so people using the service on any given day. Skype [wikipedia.org]

    You don't "dial out" to stress-test the technology - you dial out in the hope that someone will be there to answer your call.

  • by tepples (727027) <slash2006@noSPAm.pineight.com> on Thursday July 08 2010, @07:37PM (#32845956) Homepage Journal

    A C&D for a clean-room reversed engineering of a publicly-available algorithm? Methinks not.

    Methinks so. Universal v. Reimerdes.

  • by jrumney (197329) on Thursday July 08 2010, @09:14PM (#32846712) Homepage
    SIP based videophone clients are available for all those platforms. They may not be the same client, but because SIP is an open standard they don't have to be to interoperate. Also H.323 clients should be available for all platforms, one even comes with Windows by default (netmeeting) though it doesn't get an icon in the start menu these days.
  • Re:implications? (Score:3, Informative)

    by swillden (191260) <shawn-ds@willden.org> on Friday July 09 2010, @12:04AM (#32847492) Homepage Journal

    None of this harms Skype's existing security in any way. Encryption, if properly implemented, is secure even when all of the mechanisms are known

    ROT13 isn't secure when it's known.

    ROT13 isn't encryption. It's a trivial unkeyed encoding.

    Like ROT13, RC4 is an antiquated cipher with many known issues; and a modified version of RC4 could be even less secure than the vanilla implementation. No-one should be using it these days when there are much better alternatives available.

    RC4 is also a widely-known and deeply-studied cipher. It has some known weaknesses, but workarounds for those weaknesses are also known. It's also very efficient and a stream cipher is the right kind of cipher for this application. I agree that there are better alternatives, but unless they mucked up the implementation, there's every reason to believe that Skype's encryption is secure.

  • by LordVader717 (888547) on Friday July 09 2010, @03:05AM (#32848110)

    http://ekiga.org/ [ekiga.org]
