[VOIPSEC] CALEA Enforcement
Randell Jesup
rjesup at wgate.com
Thu May 11 16:44:40 CDT 2006
"Weidong Shao" <weidongshao at gmail.com> writes:
>Question on "facilities-based broadband Internet service and interconnected
>VoIP providers",
>
>- For PSTN out/in, I think it is clear that it is interconnected VoIP
>service.
> But what about Yahoo and Skype's PC-to-PC voice chat? Are they
>considered interconnected VoIP providers?
My understanding:
They are considered interconnected providers since they have PSTN in and
out (even contracted). FCC rulings over the last 8 months say that even
PC-to-PC calls are therefore covered by CALEA requirements.
>Skype claims that the voice chat is peer-2-peer and encryption is end-2-end.
>How is LI possible then?
a) claims != reality
b) they use p2p protocols, but often those involve using a relay. A relay
(even if it's another random supernode PC) could siphon off the data for
LI.
c) Since their program is opaque and mediated by their system, they can
insert a true MITM attack which their software is designed to accommodate.
d) They have to provide the stream, and the key if they have it. If their
software does do true end-2-end key exchange, they don't have the key
and aren't required to give the key. They are still required to capture
the traffic and the call info.
>Of course, Skype is not open, so we can only assume their security is
>end-to-end.
Actually, there was a serious de-construction/compilation of the Skype
client detailed in a black-hat-conference paper a few months ago. It
details the encryption scheme.
--
Randell Jesup, Worldgate (developers of the Ojo videophone), ex-Amiga OS team
rjesup at wgate.com
"The fetters imposed on liberty at home have ever been forged out of the weapons
provided for defence against real, pretended, or imaginary dangers from abroad."
- James Madison, 4th US president (1751-1836)