[15364] in cryptography@c2.net mail archive
Re: Can Skype be wiretapped by the authorities?
daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Sat May 8 16:34:02 2004
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <408EE36F.32542.2079C3@localhost>
Date: Thu, 29 Apr 2004 10:49:00 -0400
To: "Axel H Horns" <axel.h.horns@gmx.net>, cryptography@metzdowd.com
From: "Arnold G. Reinhold" <reinhold@world.std.com>
At 10:49 PM +0200 4/27/04, Axel H Horns wrote:
>Is something known about the details of the crypto protocol within
>Skype? How reliable is the encryption?
>
>See e.g.
>
>http://www.financialcryptography.com/mt/archives/000076.html
>
>Can Skype be wiretapped by the authorities? With collaboration of the
>Skype operator? Without?
>

From the Skype FAQ http://www.skype.com/help_faq.html:

"Is the source code for Skype available? Can I have a copy?
No. Skype is proprietary and closed-source software."

In a closed source system it is certainly possible for the authors to
provide "backdoors" that would allow wiretapping. There are many
ways to do this. Perhaps the simplest way is to constrain the random
number generator to select values from a limited, searchable set of
possibilities. The constraint might be turned on by receipt of a
special message.

The backdoor could be included in all copies of the program or just
selected copies, particularly if there are provisions for automatic
updates. A backdoor could also be delivered as a virus or worm.

If the authorities can gain one-time physical access to one of the
computers in the Skype network, all encrypted communication to and
from that computer as an end point can be compromised regardless of
how well Skype has designed its system (this does not include
messages relayed by that computer if Skype has done things right).

This is not to suggest that Skype is a bad product or that all
open-source encryption solutions are safe, but a closed-source system
is only as trustworthy as its authors.

Arnold Reinhold
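
Added illustration, not part of the original message and not Skype's code: a black-box audit for the constrained random number generator described above, which counts repeated values among collected nonces or session keys to estimate the size of the set they are drawn from. The `constrained_rng` stand-in, its 20-bit pool and the sample count are constructed assumptions.

```python
import hashlib
import math
import secrets

def constrained_rng(pool_bits):
    """Constructed stand-in for a backdoored generator: 128-bit values that
    look random but are derived from only 2**pool_bits possible seeds."""
    def draw():
        seed = secrets.randbelow(1 << pool_bits)
        return hashlib.sha256(seed.to_bytes(8, "big")).digest()[:16]
    return draw

def healthy_rng():
    """Reference generator: 128 bits straight from the OS CSPRNG."""
    return lambda: secrets.token_bytes(16)

def audit(draw, samples):
    """Collect `samples` values from draw() and count repeats.

    Values drawn uniformly from a pool of N show about n(n-1)/(2N) repeats
    among n samples, so N is estimated as n(n-1)/(2c). A real 128-bit
    generator should show none at any feasible sample size.
    """
    seen = set()
    repeats = 0
    for _ in range(samples):
        value = draw()
        if value in seen:
            repeats += 1
        seen.add(value)
    pairs = samples * (samples - 1) / 2
    return {
        "repeats": repeats,
        # Estimated log2 of the pool size; None when nothing repeated.
        "est_pool_bits": math.log2(pairs / repeats) if repeats else None,
        # Pools larger than about this many bits are invisible at this n.
        "floor_bits": math.log2(pairs),
    }

if __name__ == "__main__":
    for name, rng in [("healthy", healthy_rng()),
                      ("constrained", constrained_rng(20))]:
        print(name, audit(rng, 20000))
```

A clean result only rules out pools smaller than about `floor_bits`, and it says nothing about a constraint that is switched on later by a special message.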