Phil Zimmerman and voice encryption; a Skype problem?
Steven M. Bellovin
smb at cs.columbia.edu
Mon May 22 10:19:05 EDT 2006
There's an article in today's NY Times (for subscribers, it's at
http://www.nytimes.com/2006/05/22/technology/22privacy.html?_r=1&oref=slogin )
on whether Phil Zimmerman's Zfone -- an encrypted VoIP package -- will
invite government scrutiny. There doesn't seem to be any imminent threat
in the U.S.; the one concrete example mentioned -- the British plan to
give police the power to compel individuals to disclose keys -- doesn't
threaten Zfone, because it uses Diffie-Hellman for (among other things)
perfect forward secrecy and doesn't even have any long-term keys. (See
draft-zimmermann-avt-zrtp-01.txt for protocol details.)
The fascinating thing, though, was this sentence near the end of the
article:
But at a conference last week in Cyprus, German officials said
they had technology for intercepting and decrypting Skype phone
calls, according to Anthony M. Rutkowski, vice president for
regulatory affairs and standards for VeriSign, a company that
offers security for Internet and phone operations.
The Berson report says that Skype uses AES-256. NSA rates that as
suitable for Top Secret traffic, so it's presumably not the cipher.
Berson analyzed a number of other possible attack scenarios; the only one
that seems to be possible is an active attack plus forged certificates.
If Berson's analysis was correct -- and we all know how hard it is to
verify cryptographic protocols -- that leaves open the possibility of a
protocol change that implemented some sort of Clipper-like functionality.
A silent change like that would be *very* ominous.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list