Network Security Special Topic on Skype Security

1
Network Security Special Topic on Skype Security
2
Is Skype Secure?

• Skype is used to call from one PC to another PC.
• Think about it, your conversation is carried by
  routers in the Internet. If someone owns a router
  logs everything, can he figure out what you just
  told your friend?
• The answer is, they cannot and Skype is secure.
  Actually governments are complaining about it
  because the police cannot eavesdrop the call.

3
All data is encrypted

• Everything the sender sends out will be encrypted
  by AES (Advanced Encryption Standard).
• So the encryption makes the data seen at the
  routers unreadable.
• In this sense, Skype is secure from one Skype end
  to the other Skype end.

4
Block Cipher

• AES is a Block Cipher, means that it maps a
  fixed-length (128 bits) input to a fixed-length
  (128 bits) output.
• Given the same input bits, the Block Cipher
  always returns the same output bits. So, it is a
  mapping from the input to the output.
• The decryption algorithm is just the reverse
  mapping.

5
The Key

• The AES algorithm is known to the world. So if
  you can use AES to encrypt your data, anyone will
  be able to use the AES to decrypt your data and
  you achieved nothing.
• So, you must make your encryption unique, even if
  you are using a well-known algorithm.
• How?
• By having a key. The key is unique to each
  session and the encryption result for one key is
  unique to other keys.

6
How AES works

• AES takes 128-bit input and turn it into 128-bit
  output with the help of a 128 bit key (or 192, or
  256). (Skype uses 256 bit key)
• The key is expanded into 11 sub-keys (K0, K1, ,
  K10.)
• s M xor K0.
• Then the following is executed 10 rounds.
• s SBOX(s).
• s shift_row(s).
• s mix_col(s) if not the last round
• s s xor Ki.
• Return s.

7

• The S BOX simply maps the input to an output
  according to a predetermined mapping.
• The shift_row() does the following. Regard the
  16-byte s as a 4 by 4 matrix.

s0 s4 s8 s12 s1 s5 s9 s13 s2 s6
s10 s14 s3 s7 s11 s15
s0 s1 s2 s3 s5 s9 s13 s1 S10 s14 s2
s6 s15 s3 s7 s11

• The mix_col does the following. ai is4 bytes.

02 02 01 01 01 02 03 01 01 02 02 03
03 01 01 02
a0 a1 a2 a3
a0 a1 a2 a3

8
The Integer Counter Mode

• Skype does not encrypt the messages directly in
  this way.
• It xores the plaintext (message) with the output
  of AES when taking a counter as input.
• Just to run faster.

9
Problem solved?

• So, is the problem solved?
• No. How about the key? How can two Skype ends
  agree on the same key?
• Can one end send the key to the other end in
  plaintext?

10
The public/private key.

• Everyone has a public key and private key.
• With Bs public key (pkB) A can encode data that
  only B can decode with his private key (skB)
  because other people does not have Bs private
  key.
• D_skBE_pkB(W) W
• E_pkBD_skB(W) W

11
The public/private key

• So, A can choose a 128-bit string W as the
  session key and send E_pkB(W) to B. B runs the
  decryption algorithm to get D_skBE_pkB(W) W.
• Skype actually asks two ends to both contribute
  128 bits to make the 256-bit session key.

12
The RSA algorithm

• The RSA algorithm is used to get the public
  key/private key.
• Choose two large primes, p and q.
• Compute npq and z(p-1)(q-1).
• Choose a number relatively prime to z and call it
  d.
• Find e such that ed 1 mod z.
• (e,n) is the public key for encoding and (d,n) is
  the private key for decoding.

13
The RSA algorithm

• To encrypt a message M, CMe mod n.
• To decrypt from C, M Cd mod n.
• You can verify (non-trivial!) that
  D_skBE_pkB(M) M and E_pkBD_skB(M) M.

14
Why is RSA secure?

• The problem is, given (d,n), can you figure out
  e?
• It is difficult.
• You can try to find p and q given n. If you
  indeed can, then you get z. Given z and d, you
  get e.
• But it is difficult to factor large numbers.

15
Problem solved?

• If someone calls you and claimed that he is Bob,
  how can you be sure he is indeed Bob before
  saying things confidential?
• Imagine that someone impersonates your spouse and
  ask you to tell her/him your bank password with
  Skype chat.

16
Authentication

• If someone claims he is A, how do you verify?
• He should present something to you which you can
  check and which he can have if and only if he is
  A.
• We can all think of certain things for our real
  friends, but does such thing exist in the
  electronic world?

17
The solution

• Recall that everyone has a public key and a
  private key.
• Suppose Alice and Bob knows each others public
  key.
• If Alice wants to setup a session with Bob, she
  sends Bob a message E_pkBAlice, R_a, meaning
  that I am Alice and I want to talk to you, where
  R_a is a number picked at random.
• Bob replies E_pkAR_a, R_b, K_s, where R_b is a
  number picked at random and K_s is the session
  key.
• Alice replies AES_K_sR_b.
• (not exactly the same as Skypes own protocol,
  but the idea is the same)

18
Explanations

• Message 2. When Alice gets E_pkAR_a, R_b, K_s,
  she can decrypt it and can get R_a, R_b, K_s.
  When she sees R_a, she knows that this is the
  response she is waiting for and the sender must
  be Bob. Why?
• Because no one except Bob knows how to decode
  E_pkBAlice, R_a to get R_a and R_a is totally
  random and it is impossible for one to guess it
  right.

19
Explainations

• Message 3. When Bob gets AES_K_sR_b, he can use
  K_s to decode it to get R_b. Then he knows that
  this must be the message he is waiting for and
  the one who sent the first message must be Alice.
  Why?
• Because no one except Alice knows how to decode
  E_pkAR_a, R_b, K_s to get R_b and K_s to get
  AES_K_sR_b.

20
Is problem solved?

• How can Alice and Bob know each others public
  key?
• Can Alice send a message to Bob to ask him to
  send her pkB?
• No. Tom may intercept this message and return
  Alice a message with his key or some junk.

21
Solution?

• Ask someone with authority, say, C.
• Alice asks C can you tell me the public key of
  Bob?
• C replies Here you are, pkB.
• Will this work?
• No. Because how can Alice be sure that this
  message is from C and not from Tom?

22
Solution

• Because C is well-known, Alice remembers his
  public key.
• So when C sends Alice the reply, he signs it
  with his private key D_skC(pkB, I am sending you
  the public key of Bob as you requested).
• When Alice gets this message, she knows that this
  must be from C and can be trusted.

23
Problems?

• If everyone must contact C before the session
  begins, can C still handle it?
• Note that the RSA algorithm involves
  multiplications of large numbers and is slow.

24
Solution

• In fact, C does not have to answer the reply in
  real time.
• He can send Bob a certificate like D_skCI
  hereby certificate that this key
  belongs to Bob. Bobs IP address is and
  his email is _at__at__at__at_.
• Later, when Bob wants to prove he is indeed Bob,
  he can just present this to Alice.
• Actually, it is D_skCSHA_1I hereby certificate
  that this key belongs to Bob. Bobs
  IP address is and his email is _at__at__at__at_. and
  C is called Certificate Authority (CA).

25
Optimizations

• Still, signing all these certificates is too much
  for a single machine.
• There is PKI (Public Key Infrastructure) as a
  tree. You have a root, Regional Authorities, and
  CAs.
• A node certifies the nodes under it by signing.
• Chain of trust.