SKYPE Security
R93921103 李延信
R93944008 謝雅超
R93922076 傅怡聖
R93922077 王建智
Outline
Introduction
Security issues
– Privacy
– Authenticity
– Survivability
– Resilience
– Integrity (for conversation & system)
Conclusion
Introduction
Skype is a VoIP system based on peer-to-peer technology
Skype's entrepreneurs are the same as those of KaZaA, the file trading system
Unlike KaZaA, Skype is currently free of adware and spyware
Skype vs ISDN
ISDN: a digital telephony system
Difference
– Network
– Security
– Fee
– Additional functions
Skype Security Issue
Privacy
Authenticity
Survivability
Resilience
Integrity (for conversation & system)
Privacy
Skype used 256-bit AES as its encryption algorithm
Skype used the RSA encryption algorithm for key generation
Skype does not publish its key generation algorithm or other details of its security implementation
Advanced Encryption Standard algorithm
By NIST (National Institute of Standards and Technology)
AES-128
AES-192
AES-256
RSA
By NIST (National Institute of Standards and Technology)
A secret key can be generated by two selected large prime numbers
The product of the two large prime numbers will be used as the public key
Knowing the public key does not allow one to easily derive the associated private key
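Added example (not part of the original slides): textbook RSA built from two deliberately tiny primes, showing the key pair derived from the primes and why they must be large, since for a toy modulus factoring the public product recovers the private key. The function names and the values 61, 53, 17 and 65 are constructed for illustration; this is not Skype's implementation, and real RSA adds padding and uses far larger primes.

```python
# Added illustration, not Skype's implementation: textbook RSA, no padding.
from math import gcd


def generate_keypair(p, q, e):
    """Build (public, private) keys from two primes p and q."""
    n = p * q                    # the product of the primes is published
    phi = (p - 1) * (q - 1)      # computable only when p and q are known
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)*(q-1)")
    d = pow(e, -1, phi)          # private exponent (needs Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be in the range 0..n-1")
    return pow(m, e, n)


def decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


def recover_private_key(public_key):
    """Rebuild d from the public key alone by factoring n (trial division).

    Instant for a toy modulus; infeasible once p and q are large, which is
    the only thing that keeps the private key private.
    """
    n, e = public_key
    f = 3                        # assumes n is a product of two odd primes
    while n % f:
        f += 2
    phi = (f - 1) * (n // f - 1)
    return n, pow(e, -1, phi)


if __name__ == "__main__":
    public, private = generate_keypair(61, 53, 17)   # constructed toy values
    c = encrypt(public, 65)
    print("public:", public, "private:", private)
    print("ciphertext:", c, "decrypted:", decrypt(private, c))
    print("recovered from public key:", recover_private_key(public))
```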
Privacy (cont.)
Even if Skype does use encryption, there still exist several problems:
– Access to encryption keys
– The Skype client saves the conversation by default
– A supernode may monitor the voice traffic moving through it
– Telephone calls are decrypted to the PSTN network through the Skype gateway
– The traffic path is not safe
[Figure: traffic path. Labels: Skype client, Internet, Skype out, PSTN, encrypted, decrypted, interceptor, VPN]
Privacy (cont.)
It is apparent that Skype gathers statistics from every call made by every Skype application client.
– We now have to worry not only about outside hackers, but also about Skype itself
Privacy (cont.)
A speech interception attack
– Intercepts the speech itself rather than the encrypted speech data traffic
– Sub7, or Netbus
  • Directly control the microphone of the end user
– Skype didn't provide any protection in the form of trojan detection
– With the popularity of VoIP applications, more advanced trojans targeted at VoIP end users will emerge
Privacy (cont.)
Skype provides better security than most VoIP systems and the PSTN.
– Only because most VoIP systems and the PSTN do not provide any encryption function
– Skype provides only poor privacy
Authenticity
Skype uses email-based identification and authentication
Skype provides similar levels of authentication to MSN or AOL
No special method to protect authenticity
Authenticity (cont.)
The attack types:
– Fake user
– Fake callee
– Fake valid authentication
How to be a bad seed
Prepare some well-equipped computers (better CPU, large RAM, and large bandwidth) and wait
[Figure labels: bad seed, normal supernode, real authentication server, fake authentication server]
Survivability
The ability of a system to continue to operate after it has been degraded
– The traditional telephony system has poor survivability
– Due to the characteristics of the network, Skype has survivability naturally
– On the other hand, if a key node fails in Skype, the voice traffic will also be affected severely
  • Ex: Skype's authentication servers
Resilience
Internet connections in many cases can be restored more quickly than traditional telephone.
– Better robustness?
– The traditional PSTN network rarely failed.
Integrity
Skype's voice quality only suffers considerably in 802.11 wireless networks
Skype's load is not heavy, even when the Skype client is chosen to be a supernode
Conclusion
Any organization using Skype must face the difficulty of managing the members of its network.
– Hard to confine the Skype application to the LAN
– The choice of supernodes is decided by Skype back-end servers or external supernodes, not the organization itself
– Also hard to block internal users from using Skype
  • Skype can work even if there is only port 80
Conclusion (cont.)
The security mechanism isn't well designed.
– Lack of link encryption and key exchange
– The authentication security is poor
– A trojan or spyware may easily control the microphone, and it is hard to prevent because of the high traversal ability provided by Skype
– Also because of the traversal ability, common anti-virus mechanisms, such as a firewall or in-time virus scan, are useless
Conclusion (cont.)
Skype itself may not be safe
– It's not an open-source program
– It's possible that Skype is hiding something in the code that may be used for a trojan or spyware
  • Remember the spyware in Kazaa. Some of the people behind Kazaa are also behind Skype