[VOIPSEC] Skype Security Evaluation

ZhaoL hi2005 at gmail.com
Wed Oct 26 07:32:00 CDT 2005


I read this paper carefully. A few days ago, I posted my Top Ten Concerns about
Skype Security at my blog <http://hi2005.wordpress.com>:

   1. does the Skype company decrypt/record my talk/chat?
   2. besides the parties of the talk/chat, can anybody else read/hear
   the content?
   3. how does Skype process the talk/chat traffic along the internet
   route?
   4. is the talk/chat content stored somewhere else on the internet?
   5. how does Skype negotiate the session key used to encrypt the
   traffic?
   6. what algorithm does Skype use to encrypt the talk/chat traffic?
   (more detailed info than just AES)
   7. how does Skype store the public/private key pairs of the skype client?
   8. is there any means to identify the traffic at the network layer?
   (though Verso <http://www.verso.com/> has succeeded in it, I mean what
   means Skype supports)
   9. is there any existing mechanism to account/audit the activities of
   the skype client, or a recommendation from Skype?
   10. are there any country agents involved in the key management?

I think the whitepaper published by Skype only addresses the 5th, 6th and
7th concerns, leaving the others uncovered.

cheers,

Richard



On 10/25/05, Eva Kuiper <evak at telus.net> wrote:
>
> Erik,
> I assume you mean no end-to-end encryption when the other end is not
> Skype. Right?
>
> I was left wondering if the comparison with WEP and the CRC issue had
> any implications that should cause concern. It was mentioned almost in
> passing and not elaborated upon. I'd like to hear others' thoughts on
> whether or not this should be a concern.
>
> Eva
>
> Erik.Hofmann at infineon.com wrote:
>
> > Nice marketing paper. I should have printed it out as a glossy brochure
> > ;-)
> > "Paean of praise" is what the dictionary tells me is the right word in
> > English. ... like at vendor exhibitions where sales guys with clear
> > incentives tell you about how good their product is.
> >
> > According to our threat situation (which is different from that of a
> > private user, for example), the fact that there is no end-to-end
> > encryption is enough for us to prohibit it within our organisation.
> > Other reasons were mentioned here before, as I remember.
> >
> > Erik
> >
> >
> >>-----Original Message-----
> >>From: Voipsec-bounces at voipsa.org
> >>[mailto:Voipsec-bounces at voipsa.org] On Behalf Of Hank Nussbacher
> >>Sent: Saturday, October 22, 2005 7:55 PM
> >>To: voipsec at voipsa.org
> >>Subject: [VOIPSEC] Skype Security Evaluation
> >>
> >>http://www.skype.net/security/files/2005-031%20security%20evaluation.pdf
> >>
> >>-Hank
> >>
> >>
> >>_______________________________________________
> >>Voipsec mailing list
> >>Voipsec at voipsa.org
> >>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >>
> >
> >
>



--
ZHAO, Liang (Richard)
Mobile: 86-13911532790
Office: 8610-58216804
Email: hi2005 at gmail.com
Blog: http://hi2005.wordpress.com