[125787] in cryptography@c2.net mail archive
Re: survey of instant messaging privacy
daemon@ATHENA.MIT.EDU (alex@alten.org)
Wed Jun 11 10:28:54 2008
From: alex@alten.org
To: "Marcos el Ruptor" <ruptor@cryptolib.com>
Cc: Cryptography <cryptography@metzdowd.com>
Date: Tue, 10 Jun 2008 18:02:15 -0700
[Moderator's note: Please don't send giant run on paragraphs to the
list. They're hard to read. --Perry]
> From: "Marcos el Ruptor" <ruptor@cryptolib.com>
> > Interesting. Of course, with the possible exception of Skype,
> > only the over-the-network part of the communication is
> > protected. The IM providers can still give the contents of your
> > communications to third parties.
>
> As far as I can tell after having reverse engineered its protocol,
> Skype is actually very well made with a few exceptions that would
> still be next to impossible to exploit for a street hacker (and
A year ago when I took a hard look at the Skype login protocol (via
public reverse engineering publications, etc.), I determined that the
user id to public key binding was fundamentally weak. If I remember
correctly they were vulnerable to at least one attack: a dictionary
attack against a password of a user account is possible using the Skype
login client-server messages (they can't tell you are attacking since
the account name and password are hashed together in the public key/AES
encrypted request and you are using one of the well-known 14+ valid
Skype public keys). Their multiple layering of crypto obscures things
but with software one can automate the building of the login request
encrypted layers fairly easily. Once you get a valid user cert from the
login attack it looks like that account is permanently compromised (I
didn't see any user cert validity period). Because of Kerckhoffs's
principles there is really no way Skype can prevent this attack
(basically they are using the data channel itself to distribute the user
certs (with public & private auth keys) to then establish an enciphered
phone session over it). They also have at least one back door mechanism
in place, which could be used to quickly compromise a user password.
They allow a user that forgot their password to have it reset and sent
to their enrollment email address so that a Tier 1 IDS like Narus could
easily scoop it up (this requires careful social engineering). Also, any
SSL traffic to a Skype server can be MITM intercepted (say via a
Bluecoat ProxySG appliance) using an ICA cert from a major CA vendor (or
internal corporate CA) and any user passwords could be scooped up that
way as well.

Thus a retail level wiretap attack against a particular user is quite
possible. Having said that, because the 14+ private Skype keys are
(only?) stored on their servers, it does not look like a wholesale
attack against the Skype system is easy to do (although they did use MD5
in their login algorithm). However, given this centralization of Skype
keys, they certainly could cooperate with any CALEA warrants, etc., by
giving police the user certs to be wiretapped (which still requires an
active MITM during the setup handshake of the encrypted channel between
the two user end-points). Of course, if physical theft occurs of the 14+
Skype PKI private keys then the whole security edifice will collapse.
- Alex
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com