SKYPE Security
R93921103 李延信 R93944008 謝雅超 R93922076 傅怡聖 R93922077 王建智
Outline
Introduction
Security issues
– Privacy
– Authenticity – Survivability – Resilience
– Integrity (for conversation & system)
Conclusion
Introduction
Skype is a VoIP System besed on peer-to- peer technology
Skype’s entrepreneurs is the same as KaZaA, the file trading system
Unlike KaZaA, Skype is currently free of adware and spyware
Skype vs ISDN
ISDN: a digital telephony system Difference
– Network – Security – Fee
– Additional functions
Skype Security Issue
Privacy
Authenticity Survivability Resilience
Integrity (for conversation & system)
Privacy
Skype used 256-bit AES as encryption algorithm
Skype used RSA encryption algorithm for key generation
Skype does not publish its key generation algorithm, and other detail about its
security implementations.
Advanced Encryption Standard algorithm
By NIST( National Institute of Standards and Technology )
AES-128 AES-192 AES-256
Advanced Encryption Standard
algorithm
RSA
By NIST( National Institute of Standards and Technology )
A secret key can be generated by two selected large prime numbers
The product of the two large prime
numbers will be used as the public key
Knowing the public key does not allow one to easily derive the associated private key
Privacy (cont.)
Even if Skype does use encryption, there still exists several problem:
– Access to encryption keys
– Skype Client will save the conversation defaultly
– Supernode may monitor the voice traffic moving through it.
– Telephone calls are decrypted to PSTN network through SKYPE gateway
– The traffic path is not safe
Skype client
Internet
Skype out
encrypted PSTN
decrypted
Skype client
Skype Client Interceptor
VPN Skype Client
Skype Client
Privacy (cont.)
It’s apparently that Skype gathers statistics from every call made by every Skype
application client.
– We now have to worry not only the outer hacker, but also the Skype itself
Privacy (cont.)
An attack of Speech intercept
– Intercept speech itself but the encrypted speech data traffic
– Sub7, or Netbus
• Directly control the microphone of the end user
– Skype didn’t provide any protection of trojan detection.
– With the popularity of VoIP applications, there will emerge more advanced trojans targeted at VoIP end-users
Privacy (cont.)
Skype provide better security than most VoIP system and PSTN.
– Just because most VoIP system and PSTN do not provide any encryption function.
– Skype only provide poor privacy
Authenticity
Skype use Email-based Identification and Authentication
Skype provides similar levels of authentication as MSN or AOL
No special method to protect authenticity
Authenticity (cont.)
The attack type:
– Fake user – Fake callee
– Fake valid authentication
How to be a bad seed
Prepare some well-equipped computers (better cpu, large ram ,and large bandwidth) and wait
Bad seed Normal
supernode
Real
Authentication Server
Fake Authentication Server
Survivability
The ability of a system to continue to operate after it has been degraded
– The traditional telephony system has poor survivability.
– Due to the characteristic of Network, Skype has Survivability naturally
– On the other hand, if the key node fail in
Skype, the voice traffic will also be effected severely
• Ex: Skype’s authentication servers
Resilience
Internet connections in many cases can be restored more quickly than traditional
telephone.
– Better robustness ?
– The traditional PSTN network rarely failed.
Integrity
Skype’s voice quality only suffers
considerably in 802.11 wireless network Skype’s load is not heavy, even when Skype client is chose to be supernodes
Conclusion
Any organization using Skype should face the difficulty of managing the member of its network.
– Hard to confine the Skype application only in the LAN
– The choose of supernodes is decided by Skype back-end servers or external
supernodes, not the organization itself
– Also hard to block the inner user to use Skype
• Skype can work even there is only port 80
Conclusion (cont.)
The security mechanism isn’t well designed.
– Lack of link-encryption and key-exchange – The authentication security is poor
– Trojan or spyware may easily control the microphone, and it is hard to prevent because of the high traversal ability provided by skype
– Also because of the traversal ability, the common
anti-virus mechanism, such as firewall or in-time virus scan is useless.
Conclusion (cont.)
The skype itself may not be safe
– It’s not open-source program
– It’s possible that Skype is hiding something in the code that may be used for trojan or
spyware
• Remember the spwares in Kazaa. Some of the people behind Kazaa are also behind Skype