Archive for the 'VoIP Security Research' Category

Skype to Address User-Identification Concerns

Thursday, June 22nd, 2006 by Dustin D. Trammell

In an interestingly eerie parallel to a discussion that has recently cropped up on the VoIPSec forum regarding peer-entity authentication vs. data-origin authentication, Skype announced yesterday that it intends to address the issue of user-identification within their VoIP service.

Part of Skype’s “wish list” for further expansion into the business market is to enhance username authentication for business customers, the voice over Internet Protocol company said Wednesday.

Skype’s system currently automatically authenticates users itself, based on certificates from its own encrypted Public Key Infrastructure (PKI). Because it does this automatically and transparently to the user, the users themselves have no way of authenticating the identity of the person they are communicating with.

“Skype is a public key infrastructure, which means nothing if you don’t know who you are identifying at the other end,” Sauer said.

You can read more detail at News.com.com.

Skype security

Thursday, June 22nd, 2006 by David Endler

RECON (Reverse Engineering Conference) was recently held from June 16-18 in Montreal. One of the presentations involved some in-depth Skype reverse engineering and analysis. The slides for the presentation are available in PDF format for part1 and part2. Among other things, the talk covered Skype’s crypto scheme, easter eggs, and general traffic analysis. Worth a read.

Researchers seek to save VoIP from security threats

Saturday, April 15th, 2006 by David Endler

An article from ComputerWorld discusses a grant that the NSF has earmarked for the research of VoIP security threats:

The National Science Foundation says it has issued US$600,000 to the University of North Texas to spearhead development of a multi-university test bed to study VoIP security. Other participants are Columbia University, Purdue University and the University of California-Davis. VoIP spam, denials of service, emergency services and quality of service will be among the areas targeted for research during the three-year project. The research will also look at vulnerabilities that emerge from the integration of VoIP and legacy networks.

The group of schools plans to disseminate its findings widely to technology developers, academia and others involved in network convergence.

Ram Dantu from the University of North Texas is leading the charge and is also a member of VOIPSA’s Technical Advisory Board, as are several of the other researchers involved in this grant. Ram has been instrumental in driving the state of VoIP security not only through his own research and professional career, but by organizing industry workshops on VoIP security.

I expect the results from their efforts to be sobering, hopefully helping vendors and providers to enhance the security of their solutions and offerings.