Top Ten Concerns to Skype Security

As a security professional, I adopt Skype as my primary IM due to its encryption and firewall bypass. Although firewall bypass is the direct experience, encryption is just claimed by Skype. Nothing more about the encryption mechanism, such as the key generation, management and etc. The following is the Top Ten Questions I want to know about Skype security issues:

  1. does Skype company de-encrypt/record my talk/chat?
  2. besides the parties of the talk/chat, any body else can read/hear the content?
  3. how does Skype process the talk/chat traffic along the internet route?
  4. is the talk/chat content stored at somewhere else at the internet?
  5. how does Skype negotiate the session-key used to encrypt the traffic?
  6. what algorithm does Skype used to encrypt the talk/chat traffic? (more detailed info than just AES)
  7. how does Skype store the public/private key pairs of skype client?
  8. is there any means to identify the traffic at network layer? (though Verso has succeeded in it, I mean what means Skype support)
  9. is there any existing mechanism to account/audit the activities of the skype client, or recommendation from Skype?
  10. is there any country agents involved at the key management?

What’s yours most of concern questions? want to know from Skype?

About these ads

8 Responses to Top Ten Concerns to Skype Security

  1. zhaol says:

    I think the whitepaper published by Skype only addresses the 5th, 6th and 7th concerns, while leaving others not covered.

  2. zhaol says:

    non-formal answers from Tom Berson via Skype:

    1. No
    2. No, unless you or other party to chat has some Trojan on you computer
    3. There is no processing in the middle
    4. Possibly, but not by Skype
    5, 6, 7 see paper
    8. I am not an expert about the network layer
    9. Skype-to-Skype calls, no.
    10. I do not think so.

    Thanks to Tom’s explanation.

    Richard

  3. [...] As everybody know, security is the most concern point to choose a IM/P2P application. Refer to my post of Top Ten Concerns to Skpye, many uncertainties make a number of enterprise IT managers and professionals hesitate to use Skype. Two days ago, Skype published a security whitepaper to explain the security concerns, for full version, click here. The designers of Skype did not hesitate to employ cryptography widely and well in order to establish a foundation of trust, authenticity, and confidentiality for their peer-to-peer services. The implementers of Skype implemented the cryptographic functions correctly and efficiently. As a result, the confidentiality of a Skype session is far greater than that offered by a wired or wireless telephone call or by email and email attachments. [...]

  4. zhaol says:

    Some reponses to the TOP TEN Conerns:

    Are these two questions related to each other? If yes, the AES cipher is
    an symmetrical one where you only need a private key. If skype uses an
    asymmetrical cipher as well it would be nice if anyone outside there
    could explain the function of this cipher (in skype). Maybe to negotiate
    the symetrical key as SSL do it?

    Walter

  5. zhaol says:

    Some reponses to the TOP TEN Concerns:

    I don’t think the AES key is stored anywhere. It is created for each
    session, and possibly recreated during the session after some time
    interval.

    Skype uses asymmetric PKI to authenticate the clients. Each new client first
    generates a certificate with a dedicated server. Skype has a bunch of those
    servers, distributed geographically.

    One of my colleagues suggested that when eBay bought Skype, they weren’t
    interested in the VoIP business, they wanted the PKI infra with its 50+
    million customers.

    — Lassi

  6. zhaol says:

    Juergen Nieveler wrote:

    > Lassi Hippeläinen wrote:
    >
    >> Skype uses asymmetric PKI to authenticate the clients. Each new client
    >> first generates a certificate with a dedicated server. Skype has a
    >> bunch of those servers, distributed geographically.
    >
    > If so, the keys never leave the servers (which of course is a bad
    > thing) – after all, you can login from any PC anywhere in the world.
    >
    > That means that Skype still is able to eavesdrop on you…
    >
    > Juergen Nieveler

    The servers only participate in authentication. The call session is
    peer-to-peer and need not pass through anything that Skype can control.

    — Lassi

  7. VideoPoquer says:

    VideoPoquer

    silken obfuscatory?disobeying Harvey Macaulayan Ginn Caribbean Poker Online http://www.mycaribbeanpokeronline.com/#

  8. Billy says:

    Yes, I am interested in knowing answers to all above 10 questions as well as the following :

    1. does Skype company de-encrypt/record my talk/chat?

    I WOULD CHANGE THE FIRST WORD TO “CAN”

    2. Does Skype company or anyone have access to my private keys ?

    3a Are the Key pair generated on my machine ? and then the public key sent to skype company ? Or is the Key pair generated by skype company and sent to me ?
    If the key pair is indeed generated on my machine, does the company get my private key, can it retrieve the private key ?

    4. How peer to peer is the chat ? 100% ?
    What is the involvement of the server after initial authentication (for login) ? 0% ?

    5. If Answer to server involvement is 0% ? How does my machine know to which
    IP or next skype user, it should route the call through to the final destination.
    It must be true then that skype company records the IP addresses of the users (which is ok to enable routing, I guess)

    Skype is proprietary and many businesses use it. This makes it all the more important for skype.com to explain the answers to the questions you posted above as well as the ones I have put here.

    Thanks,
    Bill

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: