January 08, 2005

Skype analysed - Jedi Knights of the Crypto Rebellion, Score 1

Adam picked up an article analysing Skype. For those on the cutting edge, you already know that Skype is sweeping the boards in VOIP, or turning your computer into a phone. Download it today ... if you have a Mac. Or Linux or even Windows. (I don't.)

(Article's new location)

What might be less well known is that Skype put in crypto to secure the telephone conversation. This means that eavesdroppers can't ... well, eavesdrop! Great stuff. Now, even better, they built it themselves, so not only do we have a secure VOIP solution, downloadable for free, but we also have a mystery on our hands: is it really secure?

Unfortunately, we don't know for sure as they didn't release the source. And they won't say a thing ... Simson Garfinkel looked at the packets and the sorta look encrypted. Or compressed .. or something.

So where are we? Well, it's still a darn sight better than anything else. Go guys! We have a clear benefit over anything else on the table.

And even if it's not secure, nobody knows that. We have to wait until the cryptanalysts have pored over the packets and found the weaknesses. Or, more likely, the hackers have disassembled the core crypto code, worked out what it does, and handed the crypto guys the easy bit.

Even after they announce a weakness, it's still secure! Because nobody can exploit it, until someone else comes up with a toolkit to breach and exploit the weaknesses. (Generally, it's a different group of people, don't ask me why.)

But, even then it's still secure! Simply because nobody bothers to download the exploit and listen to people's conversation. Get real, there aren't exactly hordes of people driving around listening to poorly secured WEP connections (exploit available!) now are there?

The measure of security is positively dependent on the cost to the *attacker*. So an attacker still has to download the exploit, attach the alligator clips to the ethernet, sit in the van, chew donuts, drink bad coffee and listen to bad jokes while waiting for the call. Well, maybe, but a full analysis of the attacker's costs for eavesdropping shows ... it's too sodding expensive, even with the exploit available. Don't worry about it.

In which case, Skype gives you great security, a bit like the momentous defeat of the GSM crypto protocol over the paparazzi scanners! Scoreboard: Jedi Knights of the Crypto Rebellion, 1. Forces of the Dark Empire, 0.

Posted by iang at January 8, 2005 08:15 PM | TrackBack
Comments

Not to be entirely contradictory, but Skype has NEVER been actually secure. If you dig back through their forums you will find a conversation with me (under the nym holomntn) covering exactly how poorly their initial security was, and by all accounts they are still using the same technology.

This insecurity has actually been demonstrated accidently recently, making the rounds of the VoIP blogs, some rudimentary coverage can be found on Jeff Pulver's blog along with a small amount of commentary and a link to a useful article (http://pulverblog.pulver.com/archives/001532.html). The worst part about this is that it's being treated as simply a bug, and Skype's proposed certification program is only going to enhance the problem, hiding it away instead of fixing it. Skype has habitually ignored their security problems and pretended their security is beyond reproach.

Beyond this though, they have yet to address the critical flaws in their marketting. Their completely false claims are:
1) Skype is secure. Already covered
2) Skype is the only VoIP solution that can work with firewalls. SIP works with firewalls, in fact the entire routing structure behind SIP seems to have been designed with firewalls, NATs, and various other routing nasties in mind
3) Skype is the only one that just works. So does Yahoo IM, AOL IM, MSN Messenger, ICQ, FreeWorldDialup, and several others

In short Skype should be treated as just another Instant Messenger, albeit one that apparently works very well for talking to people in China (unlike others which for some reason don't have nearly the penetration).
Joe

Posted by: Joseph Ashwood at January 8, 2005 09:08 PM

Joe, Let me get this right: The Answering machine function lets someone dial in and make a call to the answering machine while another call is in progress, but the new call gets to listen in to the earlier call?

That's a scream! Yes, I'd call that a bug. Still, I wouldn't call it "insecure". Mostly because, security is a very very variable word. It always means "secure against those attacks that it defends against, and not against those it doesn't defend against!" Which is circular of course.

So for a *useful* definition, what do we use? I like the one about it delivering better security than the next alternate, which is vonage or AT&T. And, when they fix their bugs, it'll be even better.

There are some that say 40 bit crypto is insecure. They are wrong. It's 40 bits more secure than what we've got now over the mass of the net; it's infinitely more secure than an open connection, which is pretty much all of it. Go guys!

iang

Posted by: Iang at January 8, 2005 09:45 PM

Uhm, actually, SIP has the possibility to use S/MIME as well. So, as several people have mentioned before, Skype is nothing special. Actually, SIP has a larger market share and it's available all over at least the western world (I haven't checked the East and South yet, but I'd almost be willing to bet). Plus, one can usually select the cheapest available SIP provider and get a decent set of peerings across the world.
For all I know, Skype can get lost. I don't want to use my computer as a telephone - and even if, I'd use something much more implemented across the world.

Posted by: Axel at January 9, 2005 12:02 PM

Second comment, more on-topic. You write: And even if it's not secure, nobody knows that. Security by obscurity does not work, we know that and it's proven. And we know that the only recipe against that is open specs.

Posted by: Axel at January 9, 2005 12:07 PM

Hey Axel,

Hmmm... so if "security by obscurity" doesn't work, then why do so many people use it? And profit by it?

If you look at the GSM crack back in hmmm... 1998, what you see is a system protected by a weak 40bit algorithm which was itself secret. SbO written large. Now, when it was broken by Lucky Green, the point was made that now O(10^8) phones may have to be replaced, and they shouldn't have used security by obscurity. But, this is easy to argue against:

a) it worked up until then, so they acquired a decade's security by using a cheap trick.
b) it's *still* working, in that there isn't any flood of scanners out there that can crack the thing in any sort of useful time,
c) we've actually not heard terribly much about the collapse of the GSM industry, even in the face of the exploit. They're still making money...

So, I think security by obscurity works, and works well. And it's proven by experience.

OTOH, it has a risk. Security by obscurity only provides protection until someone cracks it, and then you are into another regime. The risk of a crack may flip it from strongly protected to weakly protected. Or it may not. Well, I guess in phones they thought that was ok.

The basic way we deal with this is in two aspects: what's your threat model? and what's your cost of failure? If these are low, then security by obscurity may be a good trick to use!

Posted by: Iang at January 9, 2005 12:27 PM

There are numerous examples where security by obscurity so didn't work, it's really sweet. Especially in computer security, security by obscurity does not work well. The machines are much too easy to get by and are much too versatile to work around this. This is different with GSM: the phones are cheap, the backbone technology is effin' expensive.
Another reason why computer security is so inherently much harder to achieve: you have more people hacking it and the subject is much more complex and (at least in the case of Windows) too highly integrated. Break one thing and you won't know what else is broken (in my opinion one of the biggest reasons why the hysteresis loop between detection of a flaw and the availability of the fix is so far removed from realtime with Windows). Fix that thing and you won't know a) if you fixed the related bugs, too and b) what new bugs you introduced.

As you state very aptly, as soon as there's an exploit, SbO is a PITA. It may not be abused widely, but who are we to tell?

Threat models are nice and all that. However, the problem I see with Threat Models is the same as with proving "total security" or proving that a certain app is not exploitable by pen-testing it: one can't be sure that the threat model is complete.

Lay your security architecture open and let the world assess it. Thus, more eyes have looked over it. At least that way, your warm'n'fuzzy feeling is justified. ;-)

Posted by: Axel at January 9, 2005 01:26 PM

Axel, that's a good strong comeback!

Yes, there are numerous examples where SbO fluffed it completely. *BUT* that doesn't mean that as a concept, it is no good, always; For one, those that fluffed it showed themselves incapable of doing better; but someone who knew security may well have got it right. (Recall that the banks in Europe have pushed out a bunch of security systems based on smart cards and great dollops of SbO, and they haven't been unduly hacked.)

It all comes down to WYTM, and what we are trying to protect. Your comment that with "Threat Models ... one can't be sure that the threat model is complete" is very apropos (I wrote about this many times on the SSL page http://iang.org/ssl) but consider for a moment what it means.

The threat model is incomplete. And the security model is incomplete. This doesn't mean we should avoid SbO. What it means is that all models have to go into battle with the understanding that they have weaknesses, and they'd better think about upgrades over their lifetimes. If you haven't got that, you've got nothing, and in a perverse sense, you are better off saying "use SbO now, and be _ready_ to fix it later!"

As Adi Shamir says, there are no secure systems, and the ones that get breached with SbO are not showing their weakness in SbO, but in their inability to respond to changing attacks.

Posted by: Iang at January 9, 2005 01:44 PM

Dana Epp has a reply to that over at his sanctuary at http://silverstr.ufies.org/blog/archives/000775.html - the paragraph titled "Understanding Secretless Security" is a good summary. He's primarily quoting Kevin Day's "Inside the Security Mind".

Then there's Marcus Ranums rant on SbO that is highly entertaining to read, too.

I agree with both. However, it seems to be somewhat of a trust or belief thing.

Where I agree wholeheartedly with you is in the assessment that the prime thing is to be able to change your setup according to changing threats and risks. Adaptability is indeed a very important point.

Posted by: Axel at January 10, 2005 08:36 AM

So, Ian, is your claim that Skype is relatively secure, because no one else is even trying?

Posted by: Adam Shostack at January 10, 2005 01:10 PM

Adam,

Um, in part. AFAIK, nobody else is doing a crypto phone that "just works." Not withstanding the comments above (thanks!) I don't think the SIP alternates are so easy ... are they? I have never come across these solutions myself.

In greater part, though, even if there were better (read: open, audited) solutions, this would not mean that Skype was insecure. Skype would only be insecure if:

a) an exploit was found
b) it was turned into an exploit kit
c) the kit was downloaded and used, and
d) a particular user was targetted by a particular hacker.

That is, your security is dependent on what your threat is. There is no point (other than nerdy fun) in implementing military grade security if your threat is your kid sister. Sure, do it if its free. But if the security costs you money, you have to do the risk-reward equations, in which case, if your attacker (kid sister) doesn't know how to use a computer, then Skype is pretty darn secure for big brothers.

Security is relative. That's the corollary to Adi Shamir's "there aren't any secure systems." All IMHO of course!

Posted by: Iang at January 10, 2005 01:56 PM

On SBO
I really don't like security by obscurity because I really like to know what is going on behind the scene, BUT I admit that it can be quite effective until the technology involved becomes very widespread. Popularity cancels out the effectiveness of the obscurity factor. Skype will be reaching that level of popularity in the next 12 months I am sure.

On SIP
The SIP alternatives really suck compared to Skype. How can I count the ways? They are too complicated for my parents to install, products based on SIP are not user friendly yet, performance issues abound, doesn't work with old gateways, at least not without serious configuration, etc etc (disclaimer: my dad is CTO for a VoIP company that developed one of the first SIP stacks and does integrated VoIP applicances)

On Skype
I have blogged a few times about how much I like Skype. I use it for business as well as with friends. It has many of the most important items I look for in software:

Is it free for me to use? Yes.
Is it immediately intuitive after installation how to use it? Yes
Does it have a pleasing GUI on top of that? Yes
Is it reliable? Yes - It performs well enough even on a crappy 4 year old laptop with built in Mic and speakers (i.e. no headset)
Is it CROSS PLATFORM? Yes - in fact I use it on my Pocket PC (I am sorry to admit) which I can roam around the city connecting to WiFi hotspots with. It also supports Mac and Linux.
Does it have security built in, in a fashion that is transparent to the end user? Yes
Is its source code open at all? No :(
Do they publish their security model like Groove? No :(
http://www.groove.net/pdf/security.pdf

Finally
Does it threaten an established industry that I am not a big fan of and will it force it to transform? I think so.

Go Skype.

Posted by: Nudecybot at January 11, 2005 12:21 PM

@nudecybot: Come on, the user interface of SIP devices is way easier than for Skype: it's a telephone, for heaven's sake! That way everybody can work with it, even computer illiterates. What older gateways won't work with SIP? That was true for H.323, but it isn't for SIP.
I'm willing to agree about the security of SIP, but the principal protocol offers the funcationality.

Posted by: Axel at January 12, 2005 05:40 AM

My apologies Axel I should have mentioned re:SIP that I was talking about freely available software.

Some friends of mine have really banged their heads against walls trying to get MSN messenger to work for voice. When I recommended Skype all their problems went away.

You're absolutely right, an integrated hardware solution such as the one sold by my dad's company, is pretty darn intuitive.

My concern about those is cost and it is really hard to argue with the price of the Skype service.

For now I'm sticking to making phone calls using the following technologies in this order of preference:
1) Skype on PC,laptop or handheld
2) Sprint Canada landline or Vonage VoIP (about 30% cheaper)
3) Cellphone

None of these 3 categories can really stand on its own for my purposes...yet

Ian

Posted by: Nudecybot at January 12, 2005 11:07 AM

Ok enough good stuff about Skype. My biggest security complaint with it currently is that if you leave yourself logged in and then log in from another location, all replies to your instant messages go to both locations.

Which means that if I can figure out your password for skype I can be copied on all messages to you. I am not sure what happens with voice traffic yet. To be tested!

Yeeesh.

Posted by: Nudecybot at January 12, 2005 02:49 PM

Skype is insecure. Period. (although I totally agree with the fact that who would bother listening in!)

A comment above says that no one else is trying. Wrong!

Secure voip totally depends on it being totally peer to peer and running on it's own servers - ie bypassing the public domain. check out www.jeftel.com for a totally secure voip solution. This product is aimed at business users as it does not back out onto a dialling system - it is purely for building a worldwide business network.

For more info on the security steps taken, take a look at the secure email section of the site, as it is built on the same principles.

Plug over!

Simon Parker

Posted by: Simon Parker at January 13, 2005 10:42 AM

Hi Simon,

nah... Jeftel looks totally insecure. Period! Whereas I'll skip to my guns on the Skype issue, at least until someone comes up some better arguments ;-)

The first flaw in your argument - and the difference between our claims - lies in assumptions. Most people who are in security (insecurity!) think this way: identify the product, decide that it's secure, create the security model to show it is secure, run around and call everything else insecure. Another way of saying this is that we pick the assumptions to suit the conclusion.

The second flaw is that security is not a binary choice. Security is relative. It isn't absolute. So saying that "A is secure" and "B is insecure" is meaningless.

This is the whole point: Skype is secure enough. Jeftel might be secure enough too, but I couldn't see the download button, so it's not in the running. Something that can't be used cannot deliver security, sadly. This is the biggest problem with most products in security: they can't be used.

iang

Posted by: Iang at January 13, 2005 11:24 AM
Post a comment









Remember personal info?






Hit preview to see your comment as it would be displayed.