[VOIPSEC] Skype Security Evaluation
rgm at icsalabs.com
Thu Oct 27 17:50:10 BST 2005
I posted this URL to the IETF saag list and got this response:
Date: Mon, 24 Oct 2005 12:39:42 +1000 (EST)
From: Damien Miller <djm at mindrot.org>
To: cryptography at metzdowd.com
In-Reply-To: <067801c5d829$b86235f0$6401a8c0 at GQ7000>
Message-ID: <Pine.BSO.4.63.0510241212510.18188 at fuyu.mindrot.org>
References: <20051023153121.GW2249 at leitl.org>
<067801c5d829$b86235f0$6401a8c0 at GQ7000>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
cc: saag at mit.edu
Subject: [saag] Re: [smb at cs.columbia.edu: Skype security evaluation]
On Sun, 23 Oct 2005, Joseph Ashwood wrote:
>----- Original Message ----- Subject: [Tom Berson Skype Security Evaluation]
>Tom Berson's conclusion is incorrect. One needs only to take a look at the
>publicly available information. I couldn't find an immediate reference
>directly from the Skype website, but it uses 1024-bit RSA keys, the coverage
>of breaking of 1024-bit RSA has been substantial. The end, the
>security is flawed. Of course I told them this now years ago, when I
>told them that 1024-bit RSA should be retired in favor of larger
>keys, and several other people as well told them.
More worrying is the disconnect between the front page summary and
the body of the review. If one only reads the summary, then one would
only see the gushing praise and not the SSH protocol 1-esque use of a
weak CRC as a integrity mechanism (section 3.4.4) or what sounds
suspiciously like a exploitable signed vs. unsigned issue in protocol
parsing (section 3.4.6).
Also disappointing is the focus on the correct implementation of
cryptographic primitives (why not just use tested commercial or
open-source implementations?) to the exclusion of other more
interesting questions (at least to me):
- What properties does the proprietary key agreement protocol offer (it
sounds a bit like an attenuated version of the SSH-1 KEX protocol and,
in particular, doesn't appear to offer PFS).
- Does the use of RC4 follow Mantin's recommendations to discard the
early, correlated keystream?
- How does the use of RC4 to generate RSA keys work when only 64 bits of
entropy are collected from Skype's RNG? (Section 3.1)
- Why does Skype "roll its own" entropy collection functions instead of
using the platform's standard one?
- Ditto the use of standard protocols? (DTLS would seem an especially
- What techniques (such as privilege dropping or separation) does Skype
use to limit the scope of a network compromise of a Skype client?
saag mailing list
saag at mit.edu
Senior Technical Director
ICSA Labs, a division of Cybertrust, Inc.
E: rgm at icsalabs.com
There's no limit to what can be accomplished if it doesn't matter who
gets the credit
More information about the Voipsec