26
SKYPE Security R93921103 李延信 R93944008 謝雅超 R93922076 傅怡聖 R93922077 王建智

SKYPE Security - 國立臺灣大學acpang/course/voip_2005... · 2005-05-17 · SKYPE Security R93921103 李延信 R93944008 謝雅超 R93922076 傅怡聖 R93922077 王建智

  • Upload
    others

  • View
    1

  • Download
    0

Embed Size (px)

Citation preview

  • SKYPE Security

    R93921103 李延信R93944008 謝雅超R93922076 傅怡聖R93922077 王建智

  • Outline

    IntroductionSecurity issues– Privacy– Authenticity– Survivability– Resilience– Integrity (for conversation & system)

    Conclusion

  • Introduction

    Skype is a VoIP System besed on peer-to-peer technologySkype’s entrepreneurs is the same as KaZaA, the file trading system Unlike KaZaA, Skype is currently free of adware and spyware

  • Skype vs ISDN

    ISDN: a digital telephony systemDifference– Network– Security– Fee– Additional functions

  • Skype Security Issue

    PrivacyAuthenticitySurvivabilityResilienceIntegrity (for conversation & system)

  • Privacy

    Skype used 256-bit AES as encryption algorithmSkype used RSA encryption algorithm for key generationSkype does not publish its key generation algorithm, and other detail about its security implementations.

  • Advanced Encryption Standard algorithm

    By NIST( National Institute of Standards and Technology )AES-128AES-192AES-256

  • Advanced Encryption Standard algorithm

  • RSA

    By NIST( National Institute of Standards and Technology )A secret key can be generated by two selected large prime numbersThe product of the two large prime numbers will be used as the public keyKnowing the public key does not allow one to easily derive the associated private key

  • Privacy (cont.)

    Even if Skype does use encryption, there still exists several problem:– Access to encryption keys– Skype Client will save the conversation

    defaultly– Supernode may monitor the voice traffic

    moving through it. – Telephone calls are decrypted to PSTN

    network through SKYPE gateway– The traffic path is not safe

  • Skype client

    Internet

    Skype out

    PSTNencrypteddecrypted

  • Skype client

    Skype ClientInterceptor

  • VPN

    Skype Client

    Skype Client

  • Privacy (cont.)

    It’s apparently that Skype gathers statistics from every call made by every Skypeapplication client.– We now have to worry not only the outer

    hacker, but also the Skype itself

  • Privacy (cont.)

    An attack of Speech intercept– Intercept speech itself but the encrypted

    speech data traffic– Sub7, or Netbus

    • Directly control the microphone of the end user– Skype didn’t provide any protection of trojan

    detection. – With the popularity of VoIP applications, there

    will emerge more advanced trojans targeted at VoIP end-users

  • Privacy (cont.)

    Skype provide better security than most VoIP system and PSTN.– Just because most VoIP system and PSTN do

    not provide any encryption function.– Skype only provide poor privacy

  • Authenticity

    Skype use Email-based Identification and AuthenticationSkype provides similar levels of authentication as MSN or AOLNo special method to protect authenticity

  • Authenticity (cont.)

    The attack type:– Fake user– Fake callee– Fake valid authentication

  • How to be a bad seed

    Prepare some well-equipped computers (better cpu, large ram ,and large bandwidth) and wait

  • Bad seedNormal supernode

    Real Authentication

    ServerFake Authentication

    Server

  • Survivability

    The ability of a system to continue to operate after it has been degraded– The traditional telephony system has poor

    survivability. – Due to the characteristic of Network, Skype

    has Survivability naturally– On the other hand, if the key node fail in

    Skype, the voice traffic will also be effected severely

    • Ex: Skype’s authentication servers

  • Resilience

    Internet connections in many cases can be restored more quickly than traditional telephone.– Better robustness ?– The traditional PSTN network rarely failed.

  • Integrity

    Skype’s voice quality only suffers considerably in 802.11 wireless networkSkype’s load is not heavy, even when Skype client is chose to be supernodes

  • Conclusion

    Any organization using Skype should face the difficulty of managing the member of its network.– Hard to confine the Skype application only in

    the LAN– The choose of supernodes is decided by

    Skype back-end servers or external supernodes, not the organization itself

    – Also hard to block the inner user to use Skype• Skype can work even there is only port 80

  • Conclusion (cont.)

    The security mechanism isn’t well designed.– Lack of link-encryption and key-exchange– The authentication security is poor– Trojan or spyware may easily control the microphone,

    and it is hard to prevent because of the high traversal ability provided by skype

    – Also because of the traversal ability, the common anti-virus mechanism, such as firewall or in-time virus scan is useless.

  • Conclusion (cont.)

    The skype itself may not be safe– It’s not open-source program– It’s possible that Skype is hiding something in

    the code that may be used for trojan or spyware

    • Remember the spwares in Kazaa. Some of the people behind Kazaa are also behind Skype