[VOIPSEC] Skype Security Evaluation
Robert Moskowitz
rgm at icsalabs.com
Thu Oct 27 11:50:10 CDT 2005
I posted this URL to the IETF saag list and got this response:
Date: Mon, 24 Oct 2005 12:39:42 +1000 (EST)
From: Damien Miller <djm at mindrot.org>
To: cryptography at metzdowd.com
In-Reply-To: <067801c5d829$b86235f0$6401a8c0 at GQ7000>
Message-ID: <Pine.BSO.4.63.0510241212510.18188 at fuyu.mindrot.org>
References: <20051023153121.GW2249 at leitl.org>
<067801c5d829$b86235f0$6401a8c0 at GQ7000>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
cc: saag at mit.edu
Subject: [saag] Re: [smb at cs.columbia.edu: Skype security evaluation]
On Sun, 23 Oct 2005, Joseph Ashwood wrote:
>----- Original Message ----- Subject: [Tom Berson Skype Security Evaluation]
>
>Tom Berson's conclusion is incorrect. One needs only to take a look at the
>publicly available information. I couldn't find an immediate reference
>directly from the Skype website, but it uses 1024-bit RSA keys, the coverage
>of breaking of 1024-bit RSA has been substantial. The end, the
>security is flawed. Of course I told them this now years ago, when I
>told them that 1024-bit RSA should be retired in favor of larger
>keys, and several other people as well told them.
More worrying is the disconnect between the front page summary and
the body of the review. If one only reads the summary, then one would
only see the gushing praise and not the SSH protocol 1-esque use of a
weak CRC as an integrity mechanism (section 3.4.4) or what sounds
suspiciously like an exploitable signed vs. unsigned issue in protocol
parsing (section 3.4.6).
Also disappointing is the focus on the correct implementation of
cryptographic primitives (why not just use tested commercial or
open-source implementations?) to the exclusion of other more
interesting questions (at least to me):
- What properties does the proprietary key agreement protocol offer (it
sounds a bit like an attenuated version of the SSH-1 KEX protocol and,
in particular, doesn't appear to offer PFS).
- Does the use of RC4 follow Mantin's recommendations to discard the
early, correlated keystream?
- How does the use of RC4 to generate RSA keys work when only 64 bits of
entropy are collected from Skype's RNG? (Section 3.1)
- Why does Skype "roll its own" entropy collection functions instead of
using the platform's standard one?
- Ditto the use of standard protocols? (DTLS would seem an especially
obvious choice).
- What techniques (such as privilege dropping or separation) does Skype
use to limit the scope of a network compromise of a Skype client?
-d
_______________________________________________
saag mailing list
saag at mit.edu
https://jis.mit.edu/mailman/listinfo/saag
Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of Cybertrust, Inc.
W: 248-968-9809
F: 248-968-2824
VoIP: 248-291-0713
E: rgm at icsalabs.com
There's no limit to what can be accomplished if it doesn't matter who
gets the credit