Skype security explained

Skype is a Voice over Internet Protocol (VoIP) system developed by Skype Technologies S.A. It is a peer-to-peer network where voice calls pass over the Internet rather than through a special-purpose network. Skype users can search for other users and send them messages.[1]

Skype reports that it uses 256 bit Advanced Encryption Standard (AES)/ Rijnadel encryption to communicate between Skype clients; although when calling a telephone or mobile, the part of the call over the public switched telephone network (PSTN) is not encrypted.[2] [3] User public keys are certified by the Skype server at login with 1536-bit or 2048-bit RSA certificates. Skype's encryption is inherent in the Skype Protocol and is transparent to callers. Some private conversations through Skype such as audio calls, text messages, and file sending (image, audio, or video) can make use of end-to-end encryption, but it may have to be manually turned on.[4]

Security policy

The company's security policy states that:

  1. Usernames are unique.
  2. Callers must present a username and password or another authentication credential.
  3. Each caller provides the other with proof of identity and privileges whenever a session is established. Each verifies the other's evidence before the session can carry messages.
  4. Messages transmitted between Skype users (with no PSTN users included) are encrypted from caller to caller.[2] No intermediate node (router) has access to the meaning of these messages. This claim was undermined in May 2013 by evidence that Microsoft (owner of Skype) has pinged unique URLs embedded in a Skype conversation;[5] [6] this could only happen if Microsoft has access to the unencrypted form of these messages.

Implementation and protocols

Registration

Skype holds registration information both on the caller's computer and on a Skype server. Skype uses this information to authenticate call recipients and assure that callers seeking authentication access a Skype server rather than an impostor. Skype says that it uses public-key encryption as defined by RSA to accomplish this.

The Skype server has a private key and distributes that key's public counterpart with every copy of the software. As part of user registration, the user selects a desired username and password. Skype locally generates public and private keys. The private key and a password hash are stored on the user's computer.

Then a 256-bit AES-encrypted session is established with the Skype server. The client creates a session key using its random number generator.

The Skype server verifies that the selected username is unique and follows Skype's naming rules. The server stores the username and a hash of the user's password [H (H (P)) ] in its database.

The server now forms and signs an identity certificate for the username that binds the username, verification key, and key identifier.

Peer-to-peer key agreement

For each call, Skype creates a session with a 256-bit session key. This session exists as long as communication continues and for a fixed time afterward. Skype securely transmits the session key to the call recipient as part of connecting a call. That session key is then used to encrypt messages in both directions.

Session cryptography

Session cryptography

All traffic in a session is encrypted using the AES algorithm running in Integer Counter Mode (ICM). Skype encrypts the current counter and salt with the session key using the 256 bit AES algorithm. This algorithm returns the keystream, then XORed with the message content. Skype sessions contain multiple streams. The ICM counter depends on the stream and the location within the stream.

Random number generation

Skype uses random numbers for several cryptographic purposes. Purposes include protection against playback attacks, creation of RSA key pairs, and creation of AES key-halves for content encryption. The security of a Skype peer-to-peer session depends significantly on the quality of the random numbers generated by both ends of the Skype session. Random number generation varies by the operating system.[7]

Cryptographic primitives

Skype uses standard cryptographic primitives to achieve its security goals. The cryptographic primitives used in Skype are the AES block cipher, the RSA public-key cryptosystem, the ISO 9796-2 signature padding scheme, the SHA-1 hash function, and the RC4 stream cipher.

Key agreement protocol

Key-agreement is achieved using a proprietary, symmetric protocol. To protect against a playback attack, the peers challenge each other with random 64-bit nonces. The challenge response is to customize the challenge in a proprietary way and returned it signed with the responder's private key.

The peers exchange Identity Certificates and confirm that these certificates are legitimate. Because an Identity Certificate contains a public key, each end can then confirm signatures created by the other peer. Each peer contributes 128 random bits to the 256-bit session key.

Automatic updates

Another security risk are automatic updates, which cannot be disabled from version 5.6 on,[8] [9] both on Mac OS and Windows branches, although in the latter, and only from version 5.9 on, automatic updating can be turned off in certain cases.[10]

Eavesdropping by design

Chinese, Russian and United States law enforcement agencies have the ability to eavesdrop on Skype conversations and to have access to Skype users' geographic locations. In many cases, a simple request for information is sufficient, with no court approval needed. This ability was deliberately added by Microsoft for law enforcement agencies around the world after they purchased Skype in 2011. This is implemented by switching the Skype client for a particular user account from the client-side encryption to the server-side encryption, allowing dissemination of an unencrypted data stream.[11] [12] [13]

Actual and potential flaws

While Skype encrypts users' sessions, other traffic, including call initiation, can be monitored by unauthorized parties.

The other side of security is whether Skype imposes risk on its users' computers and networks. In October 2005 a pair of security flaws were discovered and patched. Those flaws made it possible for hackers to run hostile code on computers running vulnerable versions of Skype. The first security bug affected only Microsoft Windows computers. It allowed the attacker to use a buffer overflow to crash the system or to force it to execute arbitrary code. The attacker could provide a malformed URL using the Skype URI format, and lure the user to request it to execute the attack. The second security bug affected all platforms; it used a heap-based buffer overflow to make the system vulnerable.

Issues, including several potentially affecting security, include:

External links

Notes and References

  1. Book: Jill Savege Scharff. Psychoanalysis Online: Mental Health, Teletherapy, and Training. 2013. Karnac Books. 978-1-78049-154-7. 183.
  2. Web site: . . Does Skype use encryption? . 12 July 2022 . Skype Support.
  3. Web site: National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information . Lynn Hathaway . June 2003 . 2008-11-02 . https://web.archive.org/web/20080528105849/http://www.cnss.gov/Assets/pdf/cnssp_15_fs.pdf . 2008-05-28.
  4. Web site: What are Skype Private Conversations? Skype Support. 2022-01-26. support.skype.com. en.
  5. Web site: Microsoft is reading Skype messages. 22 May 2013 .
  6. Web site: Goodin . Dan . 2013-05-20 . Think your Skype messages get end-to-end encryption? Think again . 2022-07-13 . Ars Technica . en-us.
  7. http://www1.cs.columbia.edu/~salman/skype/skype2.pdf Vanilla Skype an overview of skype clients and protocols
  8. Web site: Skype 5.6 for Mac. dead. https://web.archive.org/web/20120406192256/http://blogs.skype.com/garage/2012/03/skype_56_for_mac.html. 2012-04-06.
  9. Web site: I want to turn off automatic updates.
  10. Web site: Skype 5.9 for Windows . dead . https://web.archive.org/web/20120414235334/http://blogs.skype.com/garage/2012/04/skype_59_for_windows.html . 2012-04-14 .
  11. Web site: Российским спецслужбам дали возможность прослушивать Skype. ru. Russian law enforcement has been granted the ability to eavesdrop on Skype conversations . Ведомости (Vedomosti). 14 March 2013 . Елизавета Серьгина. Алексей Никольский. Александр Силонов. 25 July 2020.
  12. Web site: Skype Provided Backdoor Access to the NSA Before Microsoft Takeover (NYT) . Softpedia. 20 June 2013. Bogdan Popa.
  13. Web site: Leaked Documents Show the NSA Had Full Access to Skype Chats . Softpedia. 31 December 2014 . Bogdan Popa.
  14. News: VoIP suffers identity crisis . June 15, 2004 . The Register.
  15. Web site: Skype accounts can be hacked with an email address . 2012-11-15 . 2017-10-18 . https://web.archive.org/web/20171018183057/https://www.geek.com/geek-pick/skype-accounts-can-be-hacked-with-an-email-address-1528410/ . dead .
  16. Web site: Уязвимость в skype, позволяющая угнать любой аккаунт. 13 November 2012 .
  17. [Simson Garfinkel]
  18. Book: Max, Harry . Skype: The Definitive Guide . 2006 . Que Publishing . 032140940X .
  19. Web site: Guide for network admins .
  20. This is similar to the type of granted access that the SETI download applications presented.
  21. Web site: Silver Needle in the Skype . Philippe . Biondi . Fabrice . DESCLAUX . blackhat . 2006-03-02 .
  22. pagetable.com » Blog Archive » Skype Reads Your BIOS and Motherboard Serial Number
  23. Skype Security Blog - Skype Extras plug-in manager
  24. The Register » Skype snoop agent reads mobo serial numbers
  25. Web site: Vulnerabilities in Skype . 2008-01-17 .
  26. Web site: Claburn . Thomas . Skype Addresses Cross-Zone Scripting Vulnerability - Security . InformationWeek . 2010-06-09.
  27. Web site: Skype File URI Security Bypass Code Execution Vulnerability . Skype.com . 2010-06-09.
  28. ZDNet: Interview with Kurt Sauer „Telefonieren übers Internet: Wie sicher ist Skype wirklich?“, February 13, 2007
  29. guli.com: Textfilter in China, 19. April 2006
  30. Web site: heise online - eBays neue Richtlinien in der Kritik . Heise.de . 2010-06-09.
  31. Web site: Skype-Gespräche unantastbar? . intern.de . 2007-11-23 . 2010-06-09.
  32. Web site: Biondi P., Desclaux F . Silver Needle in the Skype . EADS Corporate Research Center . 2–3 March 2006 . 26 January 2009.
  33. Web site: Sokolov . David AJ . Speculation over back door in Skype . Heise Security UK . 24 July 2008 . 26 January 2009 . dead . https://web.archive.org/web/20100713002734/http://www.h-online.com/security/news/item/Speculation-over-back-door-in-Skype-736607.html . 13 July 2010.
  34. Web site: Leyde . John . Austrian official fuels Skype backdoor rumours . The Register UK . 24 July 2008 . 29 January 2009.
  35. Web site: Vilde . Boris . Skype Has Back Door for Cops' Eavesdropping . Ohmproject . 27 July 2008 . 29 January 2009.
  36. Web site: Skype Linux Reads Password and Firefox Profile - Slashdot. August 26, 2007.
  37. Web site: Skype 1.4.0.99 reads /etc/ passwd and firefox profile! - Skype Community . August 25, 2007 . unfit . https://web.archive.org/web/20111013133800/http://forum.skype.com/index.php?showtopic=95261 . October 13, 2011 .
  38. Web site: Skype Secrecy Under Attack Again . VoIP News . 2009-02-24 . 2010-10-10 . 2012-07-22 . https://web.archive.org/web/20120722124315/http://www.voip-news.com/feature/skype-secrecy-attack-022409/ . dead .
  39. Web site: Big Brother in the Wires: Wiretapping in the Digital Age. ACLU. 23 March 2009.
  40. Web site: CALEA feature page. ACLU. 23 March 2009.
  41. Web site: German Authorities Raiding Homes To Find Skype Tapping Whistleblower . Techdirt . 18 September 2008 . 31 March 2009.