Skype Security
From MissionTechWiki
Skype is widely used, especially since it encrypts calls, and it now also allows calls 'off net', i.e. to ordinary phones. Skype security is therefore an issue: can we trust Skype everywhere?
Skype reportedly encrypts all data, including chat, voice and video. The question is whether we can trust this encryption: is the encryption key known to Skype, making wiretapping possible? Is it safe to use SkypeOut and SkypeIn in some countries?
The problem is separating the FUD from the truth. The real problems arise for people communicating from countries with strong firewalling and censorship policies, such as Myanmar, China and various others. This is complicated by the fact that Skype is not open source, so nothing can be independently confirmed, and Skype apparently obfuscates its binaries and network protocol, possibly to hinder reverse engineering.
Definitely do not use the TOM and ebay-cn versions of Skype: they at least contain chat-filtering modifications and may have other changes. The chat appears to still be encrypted, but these versions carry plugin filters to enforce the chat filtering that the Chinese government requires.
Managing Skype on a Network
There is an interesting 327 KB PDF available from Skype called the "Skype Guide for Network Administrators". It was written in 2006 for Skype 3 Beta, so it is somewhat outdated, and (of course) does not mention the China controversy, so its security information must be taken with a grain (or chunk) of salt.
However, it gives a far better explanation of how Skype works than I have seen elsewhere, and it describes how to set registry entries or Windows policies that control how Skype behaves. There is a way to prevent Skype from becoming a supernode (part of the distributed Skype directory and presence network, which may use up to 5 KB/s of your bandwidth), but not to prevent it from becoming a relay host (allowing two NATed PCs to communicate through your PC, which may use up to about 17 KB/s of your bandwidth). See p. 9 of the guide for the details.
It does seem voice communications cannot be intercepted except by routers, ISPs, etc., but my interpretation is that chat info may be able to be looked at by select parties.
The guide is available at http://skype.com/security/guide-for-network-admins-30beta.pdf
What should we tell our workers?
References
- http://www.skype.com/security/security/ - Skype's own security page, which includes a link to their paid-for independent review of their encryption.
"The cryptographic primitives used in Skype are: the AES block cipher, the RSA public-key cryptosystem, the ISO 9796-2 signature padding scheme, the SHA-1 hash function, and the RC4 stream cipher."
- http://marc.theaimsgroup.com/?l=cryptography&m=113011359720074&w=2 - Start of an email thread discussing the above paper.
- http://www.securityfocus.com/columnists/357 - An article discussing some of the issues.
- http://www.tacticaltech.org/skype_security - A paper by Simson Garfinkel from December 2005 on Skype security. It discusses the issues but does not attempt to verify the level of encryption etc.
- http://en.wikipedia.org/wiki/Skype - Wikipedia article on Skype, which includes a security section.
- http://voipsa.org/blog/2006/06/22/skype-security/ - Links to reverse-engineering papers on the Skype protocol.
Original page: http://www.missiontech.info/wiki/Skype_Security
from the MissionTech Wiki created by the International Conference on Computers and Missions