I'm Arik, welcome to my weblog


October 11th, 2005

Skype’s encryption

Filed under: Security, Computer Security, Technology — arikb @ 6:58 pm

If you haven’t heard about Skype, go check it out. Skype is a PC<-->PC and PC<-->POTS VoIP application.

On their web site, they claim that all their calls are encrypted:

Skype uses AES (Advanced Encryption Standard), also known as Rijndael, which is used by U.S. Government organizations to protect sensitive information. Skype uses 256-bit encryption, which has a total of 1.1 x 10^77 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1024 bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates.

This quote really makes sense to an encryption expert. If:

  • I am to trust what Skype say here
  • Skype actually implemented what they say they did
  • Skype’s implementation is correct
  • Skype’s implementation is bug free

then this encryption is pretty good considering today’s standards.

But there’s no way for me to know. Skype, being closed-source, won’t let me look at their encryption code. As far as I know they might not be encrypting at all, or might be doing so in a way that is vulnerable. I have absolutely no way to verify that their encryption is worth anything. For all intents and purposes, my Skype call is considered clear-text, because for all I know it might as well be so.

It all comes back to Trust. If you trust Skype, you can accept that your calls are encrypted. If you don’t (and frankly I have no reason to trust them) you cannot treat Skype conversations as encrypted.



Update October 22nd:

In a strange coincidence, Skype just came out with this blog entry about an outside review of their system.

While this is laudable, I cannot see how this improves the security of their system. For all we know, the evaluation may be accurate for the piece of source code analyzed - but we know absolutely nothing on the security of the piece of binary that runs on our system. We can’t look into its code, nor can we do black-box testing with an interoperable client. We need to take them at their word that the security evaluation actually relates to the code running on my computer. We still need to trust Skype that this holds true.

• • •

11 Comments »

  1. […] [Originally posted in my blog — Arik] […]

    Pingback by SecuriTeam Blogs » Skype’s encryption — October 12th, 2005 @ 12:34 am
  2. Good post. I wonder what I’d do in their place.

    I actually can’t think of very good reasons not to open their code.
    People place so much importance in one’s source code as Intellectual property,
    when in fact there is far more important Intellectual property to protect.

    The PR advantages of opening your code are huge, not to mention you end up with
    a better product.

    Still, it’s a tough call. You never know what can happen when you take this leap of faith

    Comment by Noam — November 7th, 2005 @ 10:11 am
  3. Well, if they open their code, a competitor can use it to build an alternative Skype, and serve phone calls for lower rates.

    Comment by arikb — November 7th, 2005 @ 10:15 am
  4. That is a fairly small concern.

    First, there is a difference between revealing code and putting it under the GPL license. Just revealing your code does not grant anyone the right to use it for their own commercial purposes. You can argue that someone can use their code without them being able to prove it.
    This brings me to the second point:

    The source code is a very small piece of what is needed to compete with Skype.
    The infrastructure and brand are far harder to establish than the source code.
    Not to mention opening up your source code strengthens your brand, and if someone
    steals it, they can’t open it up as well.

    There is a lot of effort involved in “stealing code”. You have to learn how it works, change it sufficiently so that it does not resemble the original software, and then you have to either keep maintaining it yourself to stay competitive or to steal every update and modify it to your interface. You may end up spending more time/money than you would writing it yourself or outsourcing to India. When you want to compete with an existing product with the clone strategy (Same product, lower price) - outsourcing is a lot more effective because you don’t need 50 product and project managers overseeing the operation. You just hire a software firm in India, tell them to develop a “Skype” clone, send a wire transfer for $50K and wait (Ok, so it’s not that easy, but point made).

    Comment by Noam — November 9th, 2005 @ 12:42 pm
  5. I agree, except for the part of the infrastructure: Skype has a fairly small infrastructure. They rely on the P2P network itself to provide the PC-PC calls, they have zero investment in infrastructure on that part. Their only infrastructure is their registration server (bah) and their SkypeOut / SkypeIn / Voicemail deals.

    Comment by arikb — November 10th, 2005 @ 2:24 am
  6. What about the VOIP > Landline infrastructure that they have all over the world to deal with a lot of SkypeOut traffic.

    Comment by Noam — November 14th, 2005 @ 10:39 pm
  7. Actually, it’s easier than you think. There are companies that supply this service for you, you just need to sign up with one. A nice list exists in:

    http://www.voip-info.org/wiki/view/VOIP+Service+Providers+B2B

    Some examples:

    http://www.terravon.com/termination.html
    http://www.terravon.com/asterisk.html

    Comment by arikb — November 15th, 2005 @ 3:36 am
  8. Hey Arik,

    Or you can just give me a call and I’ll hook up your X-Lite/X-Pro to my Asterisk and let you
    pass calls. I have a better idea, if you want encryption, install an Asterisk box at your end,
    we’ll RSA and everything via IAX back to my box and then I’ll let you make the calls. How about
    that?

    You know the number dude, just use it …

    Nir Simionovich
    http://www.net-gurus.net

    Comment by Nir Simionovich — December 24th, 2005 @ 3:21 pm
  9. Hey Nir

    I’d love to hook up to your asterisk. I’m calling your cell.

    However, not everyone has a friend with an Asterix around :-)

    – Arik

    Comment by arikb — December 24th, 2005 @ 4:44 pm
  10. But don’t you need trust in opensource code as well? I mean, you’re probably using linux, and I don’t think you’ve audited all the code there to make sure there are no security vulnerabilities. In fact when some researchers did that for the random numbers, they discovered that the code didn’t provide much help…This refers you to the article reporting of researchers

    Comment by E. Leibovich — July 14th, 2006 @ 9:12 am
  11. Hello E

    Yes, you need trust in open source as well, and no I haven’t personally audited all of the code in every OS that I write. I don’t claim that open source is inherently more secure.

    In fact this is not an open-source-is-better post.

    All I’m saying is that Skype, not being open-source, cannot claim to have those properties that it has and have them verified. You have to take them at their word.

    An open source product can be more easily verified. Not necessarily by me. In closed source it’s much harder, although some folks actually did reverse engineer Skype and wrote a paper about it. Moreover, even this paper is only good for the specific Skype version tested, a newer version may be more or less secure and we’ll be none the wiser. Obviously it took these guys quite a while to write this paper, and they have to do it again for a newer version. If they had the source they could just diff(1) it. Yes, I’m changing my original claim in this post, it can actually be verified if you’re determined enough.

    – Arik

    Comment by arikb — July 14th, 2006 @ 11:10 am

This work is licensed under a Creative Commons License.