You probably use communication tools that transport voice and messaging data over the Internet. We’re not speaking about e-mail, but about recent software of the information age – Skype. Skype is widely used for audio/video chats around the world. Its security is shrouded in proprietary mystery, and many urban legends exist. In 2006 Philippe Biondi and Fabrice Desclaux analysed the Skype network and its security in their talk “Silver Needle in the Skype”. Since end users can neither create their own cryptographic keys nor see the ones that are actually used, the network always has the capability of eavesdropping on calls. It is not clear whether this capability is used or abused at all, but the risk is present. As with eavesdropping in mobile phone networks, the communication partners will be totally oblivious, and neither Alice nor Bob has a chance of detecting Eve. How can this deficiency be fixed?
Felix Schuster of SEC Consult has a proposal. He presents a tool that extends the latest Skype clients for Windows with functionality for making verifiably secure and eavesdrop-safe P2P calls over the Skype network. The tool was developed as part of his Diploma Thesis “Konzeption und Implementierung einer zusätzlichen Verschlüsselungsschicht für Skype” (submitted to the Ruhr-Universität Bochum). The security gain arises from an authenticated key exchange that is performed for each new call between the extended Skype clients involved. The securely exchanged key is then used to establish an additional cryptographic layer that covers every IP packet exchanged between the parties of a call. At its cryptographic heart the tool uses the proven Off-The-Record library (libOTR) as well as Microsoft’s Cryptography API. This way Skype users no longer need to rely on the trustworthiness of Skype Ltd.’s central Certificate Authority or on the correctness and effectiveness of the Skype clients’ own cryptographic implementations. The tool simply adds another layer on top.
Felix’s talk will offer insights into the reverse engineering of parts of the Skype protocol and will describe major challenges that had to be solved during the implementation phase of the encryption tool. The result is a Skype client with additional hardening. OTR is available for many clients of different communication protocols such as Pidgin, Kopete, TextSecure, and others. It also doesn’t introduce complex key management issues and can be easily deployed. Come to DeepSec 2011 and have a look!