
Top Ten Concerns to Skype Security

As a security professional, I have adopted Skype as my primary IM because of its encryption and firewall bypass. Firewall bypass is something I experience directly, but the encryption is only claimed by Skype: nothing more is said about the encryption mechanism, such as key generation, key management, etc. The following are the top ten questions I want answered about Skype security:

  1. Does Skype (the company) decrypt or record my talk/chat?
  2. Besides the parties to the talk/chat, can anybody else read or hear the content?
  3. How does Skype process the talk/chat traffic along the Internet route?
  4. Is the talk/chat content stored somewhere else on the Internet?
  5. How does Skype negotiate the session key used to encrypt the traffic?
  6. What algorithm does Skype use to encrypt the talk/chat traffic? (More detailed information than just "AES".)
  7. How does Skype store the public/private key pairs of the Skype client?
  8. Is there any means to identify the traffic at the network layer? (Verso has succeeded in this; I mean what means Skype itself supports.)
  9. Is there any existing mechanism to account for or audit the activities of the Skype client, or any recommendation from Skype?
  10. Are any countries' agencies involved in the key management?

What are your questions of most concern? What do you want to know from Skype?



  1. November 7th, 2005 at 05:43 | #1

    Juergen Nieveler wrote:

    > Lassi Hippeläinen wrote:
    >
    >> Skype uses asymmetric PKI to authenticate the clients. Each new client
    >> first generates a certificate with a dedicated server. Skype has a
    >> bunch of those servers, distributed geographically.
    >
    > If so, the keys never leave the servers (which of course is a bad
    > thing) – after all, you can login from any PC anywhere in the world.
    >
    > That means that Skype still is able to eavesdrop on you…
    >
    > Juergen Nieveler

    The servers only participate in authentication. The call session is
    peer-to-peer and need not pass through anything that Skype can control.

    – Lassi

  2. November 7th, 2005 at 05:42 | #2

    Some responses to the TOP TEN Concerns:

    I don’t think the AES key is stored anywhere. It is created for each
    session, and possibly recreated during the session after some time
    interval.

    Skype uses asymmetric PKI to authenticate the clients. Each new client first
    generates a certificate with a dedicated server. Skype has a bunch of those
    servers, distributed geographically.

    One of my colleagues suggested that when eBay bought Skype, they weren’t
    interested in the VoIP business, they wanted the PKI infra with its 50+
    million customers.

    – Lassi

  3. November 7th, 2005 at 05:42 | #3

    Some responses to the TOP TEN Concerns:

    Are these two questions related to each other? If yes, the AES cipher is
    a symmetrical one where you only need a private key. If Skype uses an
    asymmetrical cipher as well, it would be nice if anyone out there
    could explain the function of this cipher (in Skype). Maybe to negotiate
    the symmetrical key as SSL does?

    Walter

  4. October 26th, 2005 at 06:03 | #4

    Non-formal answers from Tom Berson via Skype:

    1. No
    2. No, unless you or the other party to the chat has some Trojan on your computer
    3. There is no processing in the middle
    4. Possibly, but not by Skype
    5, 6, 7 see paper
    8. I am not an expert about the network layer
    9. Skype-to-Skype calls, no.
    10. I do not think so.

    Thanks to Tom for the explanation.

    Richard

  5. October 25th, 2005 at 02:56 | #5

    I think the whitepaper published by Skype only addresses the 5th, 6th and 7th concerns, while leaving others not covered.
