[smb at cs.columbia.edu: Skype security evaluation]

Damien Miller djm at mindrot.org
Sun Oct 23 22:39:42 EDT 2005 

On Sun, 23 Oct 2005, Joseph Ashwood wrote:

> ----- Original Message ----- Subject: [Tom Berson Skype Security Evaluation]
>
> Tom Berson's conclusion is incorrect. One needs only to take a look at the
> publicly available information. I couldn't find an immediate reference
> directly from the Skype website, but it uses 1024-bit RSA keys, the coverage
> of breaking of 1024-bit RSA has been substantial. The end, the security is 
> flawed. Of course I told them this now years ago, when I told them that 
> 1024-bit RSA should be retired in favor of larger keys, and several other 
> people as well told them.

More worrying is the disconnect between the front page summary and the 
body of the review. If one only reads the summary, then one would only see 
the gushing praise and not the SSH protocol 1-esque use of a weak CRC as a 
integrity mechanism (section 3.4.4) or what sounds suspiciously like a 
exploitable signed vs. unsigned issue in protocol parsing (section 3.4.6).

Also disappointing is the focus on the correct implementation of 
cryptographic primitives (why not just use tested commercial or 
open-source implementations?) to the exclusion of other more interesting 
questions (at least to me):

- What properties does the proprietary key agreement protocol offer (it
   sounds a bit like an attenuated version of the SSH-1 KEX protocol and,
   in particular, doesn't appear to offer PFS).

- Does the use of RC4 follow Mantin's recommendations to discard the
   early, correlated keystream?

- How does the use of RC4 to generate RSA keys work when only 64 bits of
   entropy are collected from Skype's RNG? (Section 3.1)

- Why does Skype "roll its own" entropy collection functions instead of
   using the platform's standard one?

- Ditto the use of standard protocols? (DTLS would seem an especially
   obvious choice).

- What techniques (such as privilege dropping or separation) does Skype
   use to limit the scope of a network compromise of a Skype client?

-d


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list