Simson Garfinkel analyses Skype - Open Society Institute

Enzo Michelangeli em at em.no-ip.com
Sun Feb 6 20:07:46 EST 2005


----- Original Message ----- 
From: "Adam Shostack" <adam at homeport.org>
To: "David Wagner" <daw at cs.berkeley.edu>
Cc: <cryptography at metzdowd.com>
Sent: Saturday, January 29, 2005 1:48 AM
Subject: Re: Simson Garfinkel analyses Skype - Open Society Institute

[...]
> The 'vastly more secure' is not my claim.  My claim is that it is
> somewhat better.  Even if it's using an RC4 key of all-zeros, it is
> somewhat better than what I have today, because today, my voip calls
> don't even have that, and as far as I can see, I can use asterisk's
> codec translator API to turn tcpdump captured streams into mp3.
> (http://www.asterisk.org/index.php?menu=architecture).  The effort to
> get skype data is slightly higher.  Until shown otherwise, I expect a
> grad student could do it in a weekend.  However, that same grad
> student could build me a wiretap for VOIP in an hour.  (By which
> metric, Skype is nearly 50x as secure!!!!  :)
[...]
> I hate arguing by analogy, but:  VOIP is a perfectly smooth system.
> Its lack of security features means there isn't even a ridge to trip
> you up as you wiretap.  Skype has some ridge.  It may turn out that
> it's very very low, but it's there.   Even if that's just the addition
> of an openssl decrypt line to a reconstruct shell script.

Actually it's not that bad: using SIP, the RTP packets can be protected by
SRTP (RFC3711, with an open-source implementation from Cisco at
http://srtp.sourceforge.net/ ) and the SIP signalling, as per RFC2246, can
go over TLS. It's more an issue of deployment than standards, possibly due
to CALEA-related pressures on service providers, but some manufacturers of
hardware do support VoIP security: see e.g. what is claimed at
http://www.snom.com/phones.html?&L=1 .

Enzo


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


