Feeds

Reverse engineer extracts Skype crypto secret recipe

VoIP service mulls legal action

Internet Security Threat Report 2014

Cryptoanalysts have published what they claim is the secret recipe behind a Skype encryption algorithm.

A group of code breakers led by Sean O’Neil reckon they have successfully reverse engineered Skype’s implementation of the RC4 cipher, one of several encryption technologies used by the consumer-oriented VoIP service. The proprietary encryption technology is used by the VoIP service to protect communications exchanged between its its clients and severs. It also restricts what clients can access the service, a restriction Skype had plans to ease with the upcoming publication of an API.

Even if independent research proves that the proprietary RC4 algorithm has been exposed it doesn't follow that Skype is open to eavesdroppers, not least because the service uses a variety of encryption techniques.

O’Neil justified the publication of an open source emulation of the algorithm by arguing that Skype's technology is already under exploitation by instant message spammers, so his work only levels the playing field for security researchers. He criticised Skype for practising "security by obscurity" in keeping its algorithm secret for so long. O'Neil reportedly plans to explain his research in greater depth at a presentation before the Chaos Communication Congress (27C3) in Berlin in December.

Skype told Techcrunch that O'Neil's partial leak some months ago was what facilitated spam attacks against users of the VoIP service in the first place.

"We believe that the work being done by Sean O'Neil, who we understand was formerly known as Yaroslav Charnovsky, is directly facilitating spamming attacks against Skype and we are considering our legal remedies," Skype said.

"Whilst we understand the desire for people to reverse engineer our protocols with the intent of improving security, the work done by this individual clearly demonstrates the opposite," it added.

Best practice in cryptography generally assumes that potential adversaries will find access to the algorithm beyond encryption codes, so efforts should be focused on keeping private encryption keys secret. Openly published AES algorithms benefit from the fact that security researchers can independently access the robustness of the encryption schemes and uncover any potential weaknesses.

O'Neil's original blog posting has been pulled but copies can still be found in Google's cache (here). O'Neil has published the obfuscated Skype RC4 key expansion algorithm, only one of a battery of encryption technologies used by Skype. "There are seven types of communication encryption in Skype: its servers use AES-256, the supernodes and clients use three types of RC4 encryption - the old TCP RC4, the old UDP RC4 and the new DH-384 based TCP RC4, while the clients also use AES-256 on top of RC4. It all is quite complicated, but we’ve mastered it all," O'Neil explains. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
YOU are the threat: True confessions of real-life sysadmins
Who will save the systems from the men and women who save the systems from you?
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
Broadband sellers in the UK are UP TO no good, says Which?
Speedy network claims only apply to 10% of customers
Virgin Media struck dumb by NATIONWIDE packet loss balls-up
Turning it off and on again fixes glitch 12 HOURS LATER
Ofcom snatches 700MHz off digital telly, hands it to mobile data providers
Hungry mobe'n'slab-waving Blighty swallows spectrum
Fujitsu CTO: We'll be 3D-printing tech execs in 15 years
Fleshy techie disses network neutrality, helmet-less motorcyclists
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Managing SSL certificates with ease
The lack of operational efficiencies and compliance pitfalls associated with poor SSL certificate management, and how the right SSL certificate management tool can help.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.