[smb at cs.columbia.edu: Skype security evaluation]

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Oct 26 20:11:13 EDT 2005

Jack Lloyd <lloyd at randombit.net> writes:

>I just reread those sections and I still don't see anything about RSA
>encryption padding either. 3.2.2 just has some useless factoids about the RSA
>implementation (but neglects to mention important implementation points, like
>if blinding is used, or if signatures are verified before being released).
>3.2.3 describes the signature padding, but makes no mention of the encryption
>padding, or even that a padding method is used for encryption.

This would match my experience with homebrew VPN protocols when I looked at a
pile of OSS VPN implementations a year or so back.  Every single one of them
had flaws (some quite serious) not in getting the basic crypto right, but in
the way that the crypto was used.  I don't see any reason why Skype should
break this mould.

I can't understand why they didn't just use TLS for the handshake (maybe
YASSL) and IPsec sliding-window + ESP for the transport (there's a free
minimal implementation of this whose name escapes me for use by people who
want to avoid the IKE nightmare).  Established, proven protocols and
implementations are there for the taking, but instead they had to go out and
try and assemble something with their own three hands (sigh).

(Having said that, I don't consider it a big deal.  I've always treated Skype
as a neat way of doing VoIP rather than a super-secure encrypted comms link.
The security (for whatever it's worth) is just icing on the basic Skype
service - I'd use it with or without encryption.  The killer app is the cheap
phonecalls, not the crypto).


The Cryptography Mailing List