Skype published a security whitepaper

As everybody knows, security is the foremost concern when choosing an IM/P2P application. As described in my post Top Ten Concerns to Skype, many uncertainties make a number of enterprise IT managers and professionals hesitate to use Skype. Two days ago, Skype published a security whitepaper to address the security concerns; for the full version, click here.

The designers of Skype did not hesitate to employ cryptography widely and well in order to establish a foundation of trust, authenticity, and confidentiality for their peer-to-peer services. The implementers of Skype implemented the cryptographic functions correctly and efficiently. As a result, the confidentiality of a Skype session is far greater than that offered by a wired or wireless telephone call or by email and email attachments.

Beyond errors in the cryptosystem, I have also looked for back doors, Trojans, overreaching “debugging” facilities, etc. I did not find any hints of malware in the portions of the Skype code I reviewed.

The whitepaper seems to be published not officially but rather from an independent investigator/researcher perspective. It mainly covers which cryptographic algorithms are used in Skype, how private/public keys are exchanged between communicating parties, and how Skype defends against cryptographic attacks, but it doesn’t address other concerns of telecom operators and enterprise IT managers, for instance, how to identify/control/audit Skype clients and their usage. I am afraid that it only helps assure individual professionals to believe in Skype.

Other important papers on Skype security include:

  • “An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol”, by Salman A. Baset and Henning Schulzrinne, click to download.
  • “VoIP and Skype Security”, by Simson L. Garfinkel, click to download.

2 Responses to Skype published a security whitepaper

  1. anonymous says:

    From the VOIPSA mailing list, Robert from ICSA Labs questioned further:

    More worrying is the disconnect between the front page summary and
    the body of the review. If one only reads the summary, then one would
    only see the gushing praise and not the SSH protocol 1-esque use of a
    weak CRC as an integrity mechanism (section 3.4.4) or what sounds
    suspiciously like an exploitable signed vs. unsigned issue in protocol
    parsing (section 3.4.6).

    Also disappointing is the focus on the correct implementation of
    cryptographic primitives (why not just use tested commercial or
    open-source implementations?) to the exclusion of other more
    interesting questions (at least to me):

    – What properties does the proprietary key agreement protocol offer (it
    sounds a bit like an attenuated version of the SSH-1 KEX protocol and,
    in particular, doesn’t appear to offer PFS).

    – Does the use of RC4 follow Mantin’s recommendations to discard the
    early, correlated keystream?

    – How does the use of RC4 to generate RSA keys work when only 64 bits of
    entropy are collected from Skype’s RNG? (Section 3.1)

    – Why does Skype “roll its own” entropy collection functions instead of
    using the platform’s standard one?

    – Ditto the use of standard protocols? (DTLS would seem an especially
    obvious choice).

    – What techniques (such as privilege dropping or separation) does Skype
    use to limit the scope of a network compromise of a Skype client?

  2. romemeteor says:

    Should we be afraid of Skype for its security risk? I don’t think so, although we have to take care of our privacy and threats more than ever before. In fact, more and more attackers will change their focus to VoIP, SIP, Mobile Devices, not at all, but the final target: your big money.
    This link will redirect you to a Skype-related paper,

    I think this is a really great presentation focused on the end-user experience observations. It might be nice to add a section on the Skype business model.

    Share and enjoy your trip to Skype, especially its security features.
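
The first comment's point about a CRC used as an integrity mechanism, as an added example (not from the whitepaper, this post or Skype's code): under a generic XOR stream cipher, a CRC-32 check accepts a ciphertext that was changed without the key, while encrypt-then-MAC with HMAC-SHA256 rejects it. The SHAKE-256 keystream, the keys and the message are constructed stand-ins and say nothing about Skype's actual packet format.

```python
import hashlib, hmac, zlib

def keystream(key, n):
    # Stand-in XOR stream cipher (SHAKE-256 output), an assumption of this example.
    return hashlib.shake_256(key).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def crc(data):
    return zlib.crc32(data).to_bytes(4, "big")

def seal_crc(key, msg):
    # Weak design: encrypt(msg || CRC32(msg))
    body = msg + crc(msg)
    return xor(body, keystream(key, len(body)))

def open_crc(key, ct):
    body = xor(ct, keystream(key, len(ct)))
    msg, tag = body[:-4], body[-4:]
    return msg if crc(msg) == tag else None

def seal_hmac(enc_key, mac_key, msg):
    # Encrypt-then-MAC: HMAC-SHA256 over the ciphertext, separate MAC key
    ct = xor(msg, keystream(enc_key, len(msg)))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_hmac(enc_key, mac_key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return xor(ct, keystream(enc_key, len(ct)))

def modify_in_transit(blob, delta, tag_len):
    # Keyless change: XOR delta into the message bytes. CRC-32 is affine over XOR,
    # crc(m ^ d) = crc(m) ^ crc(d) ^ crc(zeros), so the matching CRC change is known too.
    fix = xor(crc(delta), crc(bytes(len(delta)))) if tag_len == 4 else bytes(tag_len)
    return xor(blob, delta + fix)

# Constructed sample data
MSG, WANT = b"volume=010", b"volume=910"
DELTA = xor(MSG, WANT)
K1, K2 = b"constructed-enc-key", b"constructed-mac-key"

def crc_scheme_result():
    return open_crc(K1, modify_in_transit(seal_crc(K1, MSG), DELTA, 4))

def hmac_scheme_result():
    return open_hmac(K1, K2, modify_in_transit(seal_hmac(K1, K2, MSG), DELTA, 32))
```

`crc_scheme_result()` returns the altered message because the CRC check passes, while `hmac_scheme_result()` returns `None`.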
