SKYPE Security

R93921103 李延信R93944008 謝雅超R93922076 傅怡聖R93922077 王建智

Outline

IntroductionSecurity issues– Privacy– Authenticity– Survivability– Resilience– Integrity (for conversation & system)

Conclusion

Introduction

Skype is a VoIP System besed on peer-to-peer technologySkype’s entrepreneurs is the same as KaZaA, the file trading system Unlike KaZaA, Skype is currently free of adware and spyware

Skype vs ISDN

ISDN: a digital telephony systemDifference– Network– Security– Fee– Additional functions

Skype Security Issue

PrivacyAuthenticitySurvivabilityResilienceIntegrity (for conversation & system)

Privacy

Skype used 256-bit AES as encryption algorithmSkype used RSA encryption algorithm for key generationSkype does not publish its key generation algorithm, and other detail about its security implementations.

Advanced Encryption Standard algorithm

By NIST( National Institute of Standards and Technology )AES-128AES-192AES-256

Advanced Encryption Standard algorithm

RSA

By NIST( National Institute of Standards and Technology )A secret key can be generated by two selected large prime numbersThe product of the two large prime numbers will be used as the public keyKnowing the public key does not allow one to easily derive the associated private key

Privacy (cont.)

Even if Skype does use encryption, there still exists several problem:– Access to encryption keys– Skype Client will save the conversation

defaultly– Supernode may monitor the voice traffic

moving through it. – Telephone calls are decrypted to PSTN

network through SKYPE gateway– The traffic path is not safe

Skype client

Internet

Skype out

PSTNencrypteddecrypted

Skype client

Skype ClientInterceptor

VPN

Skype Client

Skype Client

Privacy (cont.)

It’s apparently that Skype gathers statistics from every call made by every Skypeapplication client.– We now have to worry not only the outer

hacker, but also the Skype itself

Privacy (cont.)

An attack of Speech intercept– Intercept speech itself but the encrypted

speech data traffic– Sub7, or Netbus

• Directly control the microphone of the end user– Skype didn’t provide any protection of trojan

detection. – With the popularity of VoIP applications, there

will emerge more advanced trojans targeted at VoIP end-users

Privacy (cont.)

Skype provide better security than most VoIP system and PSTN.– Just because most VoIP system and PSTN do

not provide any encryption function.– Skype only provide poor privacy

Authenticity

Skype use Email-based Identification and AuthenticationSkype provides similar levels of authentication as MSN or AOLNo special method to protect authenticity

Authenticity (cont.)

The attack type:– Fake user– Fake callee– Fake valid authentication

How to be a bad seed

Prepare some well-equipped computers (better cpu, large ram ,and large bandwidth) and wait

Bad seedNormal supernode

Real Authentication

ServerFake Authentication

Server

Survivability

The ability of a system to continue to operate after it has been degraded– The traditional telephony system has poor

survivability. – Due to the characteristic of Network, Skype

has Survivability naturally– On the other hand, if the key node fail in

Skype, the voice traffic will also be effected severely

• Ex: Skype’s authentication servers

Resilience

Internet connections in many cases can be restored more quickly than traditional telephone.– Better robustness ?– The traditional PSTN network rarely failed.

Integrity

Skype’s voice quality only suffers considerably in 802.11 wireless networkSkype’s load is not heavy, even when Skype client is chose to be supernodes

Conclusion

Any organization using Skype should face the difficulty of managing the member of its network.– Hard to confine the Skype application only in

the LAN– The choose of supernodes is decided by

Skype back-end servers or external supernodes, not the organization itself

– Also hard to block the inner user to use Skype• Skype can work even there is only port 80

Conclusion (cont.)

The security mechanism isn’t well designed.– Lack of link-encryption and key-exchange– The authentication security is poor– Trojan or spyware may easily control the microphone,

and it is hard to prevent because of the high traversal ability provided by skype

– Also because of the traversal ability, the common anti-virus mechanism, such as firewall or in-time virus scan is useless.

Conclusion (cont.)

The skype itself may not be safe– It’s not open-source program– It’s possible that Skype is hiding something in

the code that may be used for trojan or spyware

• Remember the spwares in Kazaa. Some of the people behind Kazaa are also behind Skype