[VOIPSEC] CSOOnline Machine Shop: Can 9 Million Skype Users Be Wrong?
Frank Rieger
fr at gsmk.de
Sat Mar 12 04:59:10 CST 2005
On 09.03.2005, at 17:40, Robert Moskowitz wrote:
> They do not talk about their security, considering it proprietary.
> They claim AES-256, but won't tell you the mode of operation (is it
> CTR only thus open to substitution attacks that IPsec fixed back in
> '95?). None of the rest of what they do seems to be known.
From outward appearances they have a central key storage (also called
"login server" in the few papers that try to analyze the Skype
protocol). You can try it out by opening several Skype clients on
different machines for a single user. When you do IM sessions, all
messages from your partners end up on all clients where you are logged
in. So apparently at least for IM their security boils down to the
strength of the login password. Skype calls end up on the last client
that logged in, as far as I can see, but that's more a directory/routing
issue.
Greetings
Frank Rieger
---------------------------------------------------------------------
GSMK mbH Berlin, Germany Tel: +49 - (0)700 - 27 97 88 35
http://www.cryptophone.de Fax: +49 - (0)700 - 27 97 83 29
e-mail: office at cryptophone.de