Cryptoanalysts have published what they claim is the secret recipe behind a Skype encryption algorithm. A group of code breakers led by Sean O’Neil reckon they have successfully reverse engineered Skype’s implementation of the RC4 cipher, one of several encryption technologies used by the consumer-oriented VoIP service. The …
Open to Eavesdroppers?
Skypes never been worried about that - just worried about competition connecting to the revenue stream they built on software taken from FLOSS.
Utterly legal, no?
As far as I'm aware, reverse engineering is absolutely above board, unless they've used proprietary information to build a copy from the ground up?
Either way, if it pushes Skype into publishing and opening itself up for security scrutiny, I'm all for it.
Re: Utterly legal, no?
It used to be, at least until you throw the DMCA into the mix.
There was nothing wrong with reverse engineering something as mundane as one's own DVD collection (with regards to fair use), however that didn't stop US courts from blocking DeCSS via DMCA.
It's not clear (to me) whether skype could frame their protocol as being protected by the DMCA. Keep in mind the wording of the DMCA was broad enough to allow ink jet cartridge manufacturers to apply it against the manufacture third party compatible cartridges (although I believe this was eventually thrown out since it was blatantly ridiculous to apply copyright laws in this way). Under traditional laws, in the US anyways, skype has no defense against reverse engineering. However, software patents could protect them against clones.
This isn't the first time someone's cracked the code to analyze the security using a disassembler, however I don't think anyone revealed the encryption keys prior to this.
"who we understand was formerly known as Yaroslav Charnovsky"
Is this significant in some way I don't understand?
Spies like us
It's all the rage to have both English and Russian names these days, especially if you like changing planes in Vienna.
Rather than being a good Irish / American Irish boy he's a FILTHY RUSSIAN-SOUNDING FOREIGNER! Skype is just unAmerican.
Good thing it's coming from a red-blooded American rather than, say, an Estonian headquartered in Luxemberg and who's previous venture was KaZaa- which we all know stole literally hundreds of trillions of dollars from the American movie industry (assuming that each bit of each copy of movie stolen = $10 of lost revenue).
Why should I trust anyone's motives if they've changed their name from a disgusting foreign-sounding thing, likely from the land of phish (ak47a Chechnya), to a delightful, lilting name, falsely suggesting the owner hails from the land of the bogs and the little people (begorrah!)?
Hands off our virgin Skype, former members of the foul communist world order conspiracy! How dare you sully this piece of digital democracy with your miserable red fingers, bruised from gripping the hammer and sickle so tightly for so long?
playing the man, not the ball
Lest we forget that those eastern Europeans are scary pinko commie mobsters who wouldn't hesitate to shiv you in the back, Skype lets us know that "the work being done by Sean O'Neil, who we understand was formerly known as Yaroslav Charnovsky, is directly facilitating spamming."
Reverse engineering is a protected practice in the US, and is an important part of our ability to innovate in the face of trade secrets (see Phoenix Systems and the rise of the PC clone). O'Neil didn't make their encryption vulnerable, that's Skype's own problem-- they had plenty of time to engage in cryptanalysis and hardening or even switch to implementations that have been proven before anyone was able to figure out what they were doing. Instead, they chose to act smug about their impenetrable secret.
By the way, does anyone know if O'Neil will be collecting that NSA prize for breaking Skype's cryptography? Seem to recall something like that being mentioned on here a year or two back.
The proprietary encryption technology is used by the VoIP service to protect communications exchanged between its its clients and severs
Who thought Skype was secure?
I thought Skype was a bit of a joke in security circles? Several national security services have openly laughed at it, and that's before you factor in the BIOS sniffing and other dubious circumstantial incidents caused by the creators themselves, all of which combines to form a body of 'suspicion' that Skype is as secure as FTPing the crown jewels over port 21 with plain text authentication.
"a restriction Skype had plans to ease with the upcoming publication of an API."
The API is a pile of horse-w*nk . They've been promising for years to update it. It sucks.
The encryption was always bypassable by those really likely to eavesdrop on our conversations - the Govt. If you want privacy, do it yourself.
I just wanted to point out that although RC4 is "proprietary" it's also very widely known. In fact it's a very simple algorithm (which isn't to say weak). Simple enough for noob to code in Visual Basic with no difficulty, which is fun.
How open source is VoIP
Skype is the one everyone recognises, but are there less well known (better?) but compatible options ?
Just asking as I imagine some Reg readers have been benchmarking this stuff.
Re: How open source is VoIP
Microsoft's netmeeting uses the H.323 standard, which is also supported by many linux VOIP capable clients such as Wengo Phone and Ekiga.
Most voip providers use predominantly the SIP/RTP protocols to connect customers to the telephone service. These are very well supported by hundreds of open source projects, including the Asterisk/Callweaver software PBXes. It's not uncommon for voip providers to use Asterisk on their end.
I'm not a huge fan of the SIP/RTP protocol itself, since it makes a lot of assumptions on a user's connectivity (it's difficult to setup on a dynamic ip and without forwarding lots of ports on the router). It turns out many of the newer netgear home routers (such as WNR3500) have a sip bug which corrupts otherwise valid sip packets. I've been waiting 1.5 years for a fix which doesn't involve recompiling the clients.
In short, unfortunately SIP is problematic for adhoc mobile users or users who don't want to mess with their routers.
For this reason, asterisk developed their own protocol IAX, which is also pretty common and solves all the NAT problems on the router.
Once any of these are up and running, I doubt any users could tell the difference.
The analogue hole
With any VOIP (or any audio service) it doesn't matter how secure your encryption is, as h4rm0ny points out, it's much, much easier to just plant a bug/trojan in the handset/laptop to pick up the unencrypted audio.
Now, if only there was something like an end-to-end encrypted babel-fish that could live in my ear....
Or your keyboard...
When was the last time you checked inside your keyboard for any unauthorised wireless "enhancements"?
It's not a proper use of encryption
"Even if independent research proves that the proprietary RC4 algorithm has been exposed it doesn't follow that Skype is open to eavesdroppers, not least because the service uses a variety of encryption techniques."
Encryption ciphers only work when the attacker cannot access either endpoint. If either side is compromised, then game over, the encryption cannot function as designed. It ought to be well known that ciphers, including AES, are clearly vulnerable to attacks against hard/software implementations under hacker control.
It's for this reason that DVDs and other DRM cannot work in the long run. The fact that the user's device needs the decryption keys to function, implies that the user could extract those keys and break the DRM.
Skype is no different, it's security is implicitly flawed even without breaking the underlying AES algorithm. The obfuscation servers merely to discourage users from running open source versions of skype's protocol.
I got a chuckle out of this one. According to the article, Sean O'Neil "criticised Skype for practising "security by obscurity" in keeping its algorithm secret for so long."
Let's see, keep the algorithm secret therefore preventing people from breaking it (thus ensuring your system is more secure) or open it to the public and and make it a lot easier for people to crack it and spam your system?
Um, what am I missing here?
Keeping an algorithm secret doesn't make it secure.
For example, an algorithm that simply ROT13's the data could be kept secret - but it would still be insecure.
The algorithms behind SSL 3.0 are public, and several implementations are open-source.
Having that algorithm doesn't make it easier to break.
- With open-source the argument is that a flaw is much more likely to be pointed out by someone, and hence get fixed.
So it can be argued that secrecy makes it less secure, because the strength of the encryption is not related to the secrecy of the algorithm, but instead the algorithm itself and the specific implementation of that algorithm.
The fail is for you
It has been long proven that knowing an encryption algorithm is not equal to being able to decrypt a message encrypted by said algorithm (cf RSA).
Of course, that supposes that the algorithm is actually efficient and not subject to backdoors or other failures that make cracking it easier.
So yes, if your algorithm is good, publishing it ensures that everyone can see just how good it is.
Security by obscurity is only good for crooks and the simple-minded morons who can't write good code.
Security through obscurity is no security at all.
However, good security PLUS obscurity is always worth writing home about.
"Um, what am I missing here?"
That's a fair question.
Most non-peer reviewed algorithms don't stand a change against a serious attack.
In skype's case, at least they know to use AES instead of some in house algorithm.
The AES algorithm is really what protects the transmission from interceptions. Hopefully they also use proper key generation and exchange algorithms as well.
The obfuscation in the client is designed to protect skype's code from outside analysis, and (hopefully) not intended to protect user data. If the protection of user data were dependent on weak obfuscation (which in skype's case has been broken multiple times already), then all skype calls would be unprotected right now.
It seems to me that the intent of skype's obfuscation is to discourage open source client implementations.
Encryption works because it is mathematically very difficult to decipher. An encryption algorithm which is strong enough to survive public scrutiny is better than one which relies on keeping secrets from leaking.
Security by obscurity is so 1980's and it didn't work well even then.
"Let's see, keep the algorithm secret therefore preventing people from breaking it (thus ensuring your system is more secure) or open it to the public and and make it a lot easier for people to crack it and spam your system?
Um, what am I missing here?"
Secure algorithm can be posted to every lamppost and it's still secure. It's not any easier to crack it even if you know the algorithm. That's the whole point of secure algorithms: You only need to keep (private) key secret : Everything else is public.
That's the point you are missing and, obviously, Skype too.
Security by obscurity is so 1980's and it didn't work well even then.
Abuse of monpoly is a crime, isn't it?
"The obfuscation in the client is designed to protect skype's code from outside analysis, and (hopefully) not intended to protect user data."
I'd say it's there to keep competition off, ie. monopoly.
Unfair abuse of monopoly status is, as far as I know, a crime.
...protecting trade secrets is not. A monoply is one supplier; many users. Nobody is preventing anybody from using security protocols and algorithms. If Skype had the only security protocol then there might be a monopoly. But protecting your trade secrets within a class of property has never been construed to be monopolistic in any court. If fact, people have gone to prison for dealing in trade secrets.
The term monopoly gets thrown around an awful lot. But few people seem to actually understand what it is and what it's not.
Good, standard crypto isn't easily broken, and if it was designed properly, then just breaking one part of it wouldn't expose the rest of the system to hacking. Of course Skype is P2P, so that means at least one shared key or methodology is needed to access at least one part of the greater system, and now it's apparently been cracked.
I'm looking forward to a decent open source Skype client. Their software is absolutely dire from a UX perspective, and they haven't updated their shitty broken Linux client in ages. I wish this guy well. Wasn't there also a reward posted by the CIA/DARPA or some other agency for breaking this?
"Let's see, keep the algorithm secret therefore preventing people from breaking it (thus ensuring your system is more secure) or open it to the public and and make it a lot easier for people to crack it and spam your system?"
You appear to know nothing of modern views on how to develop secure cryptography. On the assumption you're not a troll let me explain.
Obscurity means *no* peer review to find potentially *fatal* and *obvious* (to people who do this for a living) errors in the algorithm (EG faults which knock the potential range of output for any given input from a range bigger than the length of the universe to something crackable in less than an hour on a desktop PC). Peer review of the algorithms protecting GSM phone calls would probably stopped the first 2 versions used from *ever* being launched.
AFAIK the number of white hats in this area outnumbers the black hats. For peer review to fail you would need.
*No* white hat to spot the flaw and tell you.
A black hat to spot the flaw.
Black hat to develop exploit or sell on the knowledge of it to someone who will.
OTOH with SbyO you gamble *your* developers are state of the art WRT to some fairly obscure areas of maths and logic and *remain* so to warn you when the algorithm is vulnerable.
Your still left with key generation and key distribution issues (unless you use some kind of public key system) but you have a high degree of confidence in your algorithm that it does not have flaws which will effectively shorten the key length and hence the output space to search.
Security by obscurity worked *so* well for the "Charliecard" mass transit smart card and the Ti and Arizona Semi car remote locking chips. Both mass market, both broken and both fixable in design *had( their designers know something about design principles around cryptographic systems (randomness is *good* . Seeding a random number generator by the time a machine is switched on in the morning is *bad*) or put the planned algorithm out there for people to look at.
SbyO is a *key* part of the "perfect storm" of security fail.
Mass deployment x Vital function (life threatening) x *very* secretive and possessive company x secret algorithm (with *glaringly* obvious flaws) = disaster
BTW Weren't software patents meant to *enable* companies to disclose their brain children safe in the knowledge that others could not use it?
Now you were saying about why SbyO is a good idea....
Re: @Criminnny Rickets
John Smith 19 wrote: You appear to know nothing of modern views on how to develop secure cryptography. On the assumption you're not a troll let me explain.
You are correct, I am not a troll. I do thank you and the others that have responded for the information and replies to my comment. You make some very good points that I had not considered.
I had actually forgotten about the "Charliecard" fiasco.
John Smith 19 wrote: Now you were saying about why SbyO is a good idea..
I stand corrected. :)
Well said, Criminny Rickets
Admission of one's ignorance is the greatest step to wisdom. Not many people these days have the guts to admit they are wrong, so it's refreshing to see someone intelligent enough to overcome pride by showing a willingness to learn. There are quite a few El Reg commentards here who would do well to learn by your example.
A brief visit to Wikipedia will confirm the likelihood of what I suspect: that the use of RC4 - a algorithm with KNOWN theoretical security flaws and a proprietary nature - was due most probably to export restrictions on key lengths of better algorithms, such as the AES-256 used in every other part of Skype but the client software. You must remember that Skype was designed in the late 90's, when crypto controls were more strict than they currently are.
So - SbyO is a perfectly valid idea, if hard crypto is closed as a design to you by legislation...
Not a problem. Lack of knowledge can always be fixed.
I'll look forward to you answering questions I ask about subjects I know little about.
obscurity is to security
Obscurity is to security what camouflage is to armor.
what kind of remedies?
I'm not an expert on law, but I'm pretty good with causality. "We are considering our legal remedies" is not how things work. Suing someone doesn't remedy a problem like this, it just demonstrates skype's misunderstanding of what security means. If not O'Neal, then someone else, and as always, if it's someone who stands to gain from it, he or she won't be doing talks about it and publishing papers. They'll use it to make money from somewhere in Russia or China.
What is the problem?
Skype took an idea that was well-known - voip - and created a version of it with their own encryption. The idea was to give them a degree of control over what was, essentially, a profit stream.
I see nothing wrong with that at all. They never claimed to be unique, just easy to use. sip and all the other systems are still out there. No-one was forced to deal with them. They were selling simplicity, and protecting their investment. Seems sensible to me.
So why is it Ok for this chap to publish details of their protection system? Sounds like someone publishing the profile of my front door key.
No pity for you.
"So why is it Ok for this chap to publish details of their protection system? Sounds like someone publishing the profile of my front door key."
When you go around and tell everyone that you sell locks that are unbreakable and make a lot of money from that, even when you know that they aren't, you are a liar and profiting from it: It's for common good to you to be exposed what you are: a liar. Even it harms you: But hey, who made you tell lies in the first place? Greedy, eh?
No pity for you.
OK, fair remark. But did skype ever prmise the lock was unbreakable? or just to connect you to yer missus over the internet?
"So why is it Ok for this chap to publish details of their protection system? Sounds like someone publishing the profile of my front door key."
It's more like covering up the lock on your front door with a piece of masking tape and publicly telling everyone that you've done so, then getting uppity when someone peels back that piece of masking tape and says, 'hey, that guy has a chubb lock'.
AFAIK, the private keys have not been compromised in any way.
Front door analogy
Nonononono! What he precisely hasn't done is published anybody's *key*.
It's as if he's taken his own front door lock to bits and described the pins, tumblers and levers which he found. So, you might argue this helps burglars break your lock, but believe me burglars will take their own locks to bits if it helps.
Without this sort of research, companies get either (a) lazy or (b) evil, knowing they won't be caught out.
If it turned out your front door lock insides were made of cheese, or could be opened by any employee of Locks'R'Us, would you want to know?
"If it turned out your front door lock insides were made of cheese, or could be opened by any employee of Locks'R'Us, would you want to know?"
You mean, you think they aren't, and they can't? Most people's front door locks are quite easily picked by someone with the knowledge and a bit of practice, and if their lock isn't trivially forceable, then their door or frame is.
Also if you fit the reinforced steel door and frame with the umpteen lever multipoint lock mechanism, methinks you'll just attract the attention of a different class of robber. The sort that breaks in through your wall! Back when computers were very expensive, that's exactly what happened to a server room I know of.
With Skype knowing enough to use AES for their heavy-lifting servers, is their some sort of export restriction on AES-256 that would cause them to fall-back to RC4 for the client encryption?
If I have it right, the international 1996 Wassernaar agreement stipulated a limit of 56 character keys for symmetric cyphers for export, such as AES. The use of AES-256 in the client would have exceeded that limit, and prevented export/download of the software to many countries. Therefore, the use of RC4 WOULD make sense, actually - ensuring that they could have a client downloadable from China, Iran, etc., with no crypto export issues to worry about, while preserving the use of AES-256 for their servers, which would be located in localities where export restrictions were not in place.
If so, that is not "security via obscurity", it is taking the lemons of crypto export restrictions and trying to make lemonade...
I thought that export restriction was lifted in the late 90s when someone printed out the code, took it on a plane and re-entered it in a.n.other country. When IE finally got to use full 128 bit SSL instead of the 56 bit allowed outside the US. Or are there still restrictions to the likes of Pakistan, Iran etc?
Does he collect the billion dollar NSA reward? http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/
There are plenty of alternatives. I mostly prefer PC->PC contact in any case, but a brother is using them to maintain contact from Asia. He's become a little weary of security alerts from me I think, and I sometimes think that the average computer user has a similar attitude. Whenever software becomes popular (Skype, MS Office/Word) it will be the subject of attacks, for a cluster of obvious resons.
"Obscurity is to security what camouflage is to armor."
Exactly. I'm sick of hearing the "security through obscurity is no security at all" mantra, quoted by all and sundry here and elsewhere. I know the mantra (and have known it since I read Kahn 30 plus years ago). I just don't believe it. At least, I certainly don't believe it's ALL there is to security, which all the amateur securty pundits would have you believe if you listen to them.
If armor is the only thing that matters, how come you don't see more solidiers going round with day-glo neon uniforms and a badge that says "aim here suckers, you can't hurt us because we're wearing armour"?
I'm not a troll. I'm just fed up of hearing people who have read one blog post about encryption and now think they're an expert in the field all parroting the same thing.
I'd guess that a major proportion of the people using Skype don't have any anti-virus or >64 bit WEP security on their router, so this news is probably the least of their worries.
"If armor is the only thing that matters, how come you don't see more solidiers going round with day-glo neon uniforms and a badge that says "aim here suckers, you can't hurt us because we're wearing armour"?"
Because they haven't invented the SFnal heavy grade nuke-proof force field yet, and because of the laws of physics. An infantryman's armour will increase his survival chances if a bullet hits his torso. A tank will resist some impacts of some less-good armour-piercing shells. Neither are invulnerable, so they'd prefer not to be targeted in the first place.
IT geeks do, in effect, advertise in this way, whenever and wherever they use mathematically secured channels. Attacks, such as have succeeded, are on the joins in the armour (implementation bugs and interface or hardware flaws). The underlying maths is the equivalent of the force field, currently believed to be invulnerable. Please note, not yet provably so!
ObSF: "Antibodies", Charles Stross.
If I wanted to communicate securely, I wouldn't use Skype anyhow. There are a number of open source voip programs that implement strong and well-documented encryption, if that is what you need.
At any rate, Skype still provides better security than a landline phone. And I can't remember anyone complaining about those being eavesdropped.
So what's all the fuss about?
Re: Camouflage is to armour
Camouflage is to armour what steganography is to cryptography.
The kind of obscurity that Skype is relying on has nothing to do with steganography though.
What they are doing is more like bluffing the enemy with cardboard soldier silhouettes. Or rather, multiple enemies. It's still better than nothing at all, but it's a very shaky tactic to rely on.