[VOIPSEC] regarding skype's usefulness in the enterprise

Rodney Thayer rodney at canola-jones.com
Thu Jan 5 08:39:00 CST 2006


Voipsec-request at voipsa.org wrote:
> Message: 1
> Date: Wed, 4 Jan 2006 18:18:35 -0500
> From: "Tony Carter" <tcarter at entrusion.com>
> Subject: Re: [VOIPSEC] regarding skype's usefulness in the enterprise
> To: "'Rodney Thayer'" <rodney at canola-jones.com>, <Voipsec at voipsa.org>
> Message-ID: <003501c61185$303a2f80$1f03a8c0 at tonylaptop>
> Content-Type: text/plain;	charset="us-ascii"
> 
>>And it's proprietary encryption.  There are some simple rules 
>>in the crypto world, one of which is "if it's not a reviewed 
>>crypto scheme you should assume it is suspect".  Skype's 
>>crypto is proprietary.  It's been reviewed, in a very limited 
>>fashion, and the review doesn't read to some like it's ok.  
> 
> 
> Rodney,
> Are you reading the same evaluation that was published here:
> http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf ?
> Skype's security was reviewed by a respected cryptographer and does use
> standards-based cryptography.
> 
> Read: "Skype uses only standard cryptographic primitives to meet its ends,
> which is a sound engineering approach. These primitives include the AES
> block cipher, the RSA public-key cryptosystem, the ISO 9796-2 signature
> padding scheme, the SHA-1 hash function"..
> 
> -Tony

Yes, that's what I am reading.  Just because it uses SHA-1 and AES doesn't mean
it's using standard crypto.  The protocols are nonstandard, with no justification,
the combinations of the basic crypto units are nonstandard, they use
RC4 (nobody does that any more), and there are other issues.  Just because
something says AES and throws around a few FIPS or ISO numbers in its
description doesn't make it safe.
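An added illustration of the point made in this thread, written for this archive page; it is not code from either poster and has nothing to do with Skype's actual protocol, which neither message describes in enough detail to model. It uses RC4, one of the "standard" primitives named above, to show two distinct things: that a sound primitive combined in an unsound way (one keystream used for two messages) gives an attacker the second plaintext without the key, and that RC4's own output is detectably biased (the second keystream byte is zero about twice as often as it should be, the Mantin-Shamir observation), which is the usual reason it is no longer recommended. The keys and message bodies are constructed for the demonstration.

```python
"""Standard primitive, nonstandard (broken) composition: RC4 keystream reuse,
plus a measurement of RC4's second-byte bias.  Illustration only; keys and
messages below are constructed and are not from any real system."""
import random


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling algorithm (KSA) then the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    """Stream cipher: plaintext XOR keystream.  Decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def keystream_reuse_attack(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two ciphertexts under the same key share the keystream k, so
    c1 ^ c2 == (p1 ^ k) ^ (p2 ^ k) == p1 ^ p2.  Knowing p1 yields p2 with no key."""
    return bytes(a ^ b ^ c for a, b, c in zip(c1, c2, known_p1))


def demo_key_reuse() -> bytes:
    """The composition bug: a protocol that encrypts two messages with one RC4 key."""
    key = b"per-call-key-reused-twice"              # constructed; reusing it is the bug
    p1 = b"INVITE sip:alice@example.invalid"         # constructed; assumed known to attacker
    p2 = b"BYE sip:bob@example.invalid"              # constructed; the secret message
    c1 = rc4_encrypt(key, p1)
    c2 = rc4_encrypt(key, p2)
    return keystream_reuse_attack(c1, c2, p1)        # recovers p2 exactly


def second_byte_zero_count(trials: int = 20000, seed: int = 1234) -> int:
    """Count keys (random 16-byte) whose second keystream byte is 0x00.
    A uniform generator would hit trials/256; RC4 hits about trials/128."""
    rng = random.Random(seed)                        # seeded so the run is repeatable
    hits = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if rc4_keystream(key, 2)[1] == 0:
            hits += 1
    return hits


if __name__ == "__main__":
    print("recovered without the key:", demo_key_reuse())
    n = 20000
    hits = second_byte_zero_count(n)
    print(f"second keystream byte was 0x00 for {hits} of {n} keys;"
          f" a uniform stream would give about {n // 256}")
```

The RC4 routine can be checked against the commonly published vector (key "Key", plaintext "Plaintext" encrypts to bbf316e8d940af0ad3). The first function is the "nonstandard combination" failure: nothing is wrong with RC4's confidentiality for one message under one key, yet the protocol around it leaks. The second is the primitive itself being weak; a cipher whose first output bytes are distinguishable from random needs the surrounding protocol to discard them, and a proprietary design that was never reviewed gives no assurance it does.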



