
VoIP and Skype Security




  1. VoIP and Skype Security
  Simson L. Garfinkel, MIT's Computer Science and Artificial Intelligence Laboratory, 1/26/2005
  Graduate of Dept. of IM: Wendy Y.F. Wen

  2. Outline
  • Preface
  • Introduction
  • Skype Security Issues
    • Privacy
    • Authenticity
    • Availability
    • Survivability
    • Resilience
    • Integrity (conversation)
    • Integrity (system)
  • Recommendations
  • News about Skype
  oplab,im,ntu

  3. Preface

  4. Why study this paper?
  • FCC Chairman Michael Powell said: "Once I had downloaded Skype, I knew the old way of communicating was over ... This little program, which the founders of KaZaA are giving away for free, can be used to place Internet calls to any corner of the world, the sound quality is excellent, and it's free; that means it's over. The world will now inevitably change." (Fortune, 2004/2/16)
  • Skype founder Niklas Zennstrom: "Paid telephony belongs to the last century. Skype software gives people a new power: using only existing technology and network investment, they can keep in touch with family and friends at lower cost."

  5. 2004/12/16

  6. Introduction

  7. Techniques for VoIP (1/2)
  • With the deployment of high-speed Internet connectivity, a growing number of users are using the Internet for voice telephony.
  • A VoIP adapter can be used to convert electrical signals from a standard analog telephone to Internet packets.
  • VoIP gateways interconnect the Internet-based systems with the world-wide PSTN.

  8. Techniques for VoIP (2/2)
  • There are many different and incompatible techniques for VoIP:
    • ITU standard H.225
    • IETF SIP (Session Initiation Protocol)
    • Cisco SCCP (Skinny Client Control Protocol)
    • …

  9. Why is VoIP not reaching the mainstream market?
  • Products that have a cost-saving advantage over standard telephones do not have comparable quality.
  • Call-completion rates are very low due to firewalls and NAT.
  • The UI is bloated and requires substantial configuration and technical skills.
  http://www.skype.com/products/explained.html

  10. Skype Technologies S.A.
  • Registered in Luxembourg
  • Founded by Janus Friis and Niklas Zennstrom
    • the same entrepreneurs who developed the popular KaZaA file trading system

  11. Skype System
  • A proprietary VoIP system
  • Based on peer-to-peer technology
  • Free of adware and spyware
  • Earns revenue by charging for use of the gateway that interconnects the Skype network with the PSTN

  12. Skype vs. Other VoIP Systems (1/2)
  • Skype is wildly popular.
  • Both the Skype software and use of the Skype network are free.
  • There is a nominal charge for calls made using the “Skype Out” and "SkypeIn" features.
  • Skype is much easier to use than other VoIP systems.

  13. Skype vs. Other VoIP Systems (2/2)
  • Skype has an astonishingly good voice compressor.
  • In addition to voice telephony, Skype supports instant messaging, search, and file transfer.
  • Skype is encrypted.

  14. ISDN
  • ISDN is another form of digital telephony system that is popular in Europe and Asia.
  • ISDN is similar to VoIP in that voice is digitized before it is sent over the network.
  • ISDN telephone lines require special instruments in order to use them.

  15. Skype vs. ISDN
  • Voice calls placed over Skype differ from calls placed over ISDN telephones in several ways:
    • Network: Skype uses the Internet; ISDN uses the PSTN.
    • Security: Skype is encrypted; ISDN phone calls are not encrypted.
    • Fee: Skype is free; ISDN phone calls are rarely free.
    • Additional function: Skype does not support video conferencing, but ISDN does.

  16. Skype vs. Peer-to-Peer (1/2)
  • What makes Skype different from a "pure" P2P system:
    • Skype relies on a central authentication server to authenticate users and software distributions.

  17. Skype vs. Peer-to-Peer (2/2)
  • When Skype is run on a computer that has a public IP address, it can become a “super-node”. These computers are used as rendezvous points so that computers behind firewalls can receive connections from other Skype users.
  • Although Skype refuses to explain the details of its protocol, it is likely that computers behind firewalls scan the Internet looking for super-nodes, then form and maintain long-term connections with these other computers. The super-nodes then proxy connections to the encumbered computers behind the firewalls.

  18. Skype Security Issues

  19. Is Skype secure? Answering this question is difficult… (1/2)
  • Security is not some abstract quality that can be analyzed in isolation.
  • The overall security of a Skype conversation depends on many factors (e.g. the computer, the network, ...).
  • The Skype protocol is both proprietary and secret.

  20. Is Skype secure? Answering this question is difficult… (2/2)
  • Because Skype is mostly a P2P system, the overall security can be affected by third parties that are in the network.
  • Because the Skype program can update itself as it runs, the security of the overall system can change without warning, or even without a change in appearance.

  21. Security Issues
  • Privacy
  • Authenticity
  • Availability
  • Survivability
  • Resilience
  • Integrity (Conversation)
  • Integrity (System)

  22. Issue 1: Privacy
  • Skype appears to encrypt or otherwise scramble information that is transmitted over the Internet.
  • The security of data sent over an encrypted or scrambled connection depends on many factors:
    • the specific encryption or scrambling algorithms,
    • key management,
    • the implementation of the algorithms,
    • the protocol in which the algorithms are used,
    • …

  23. Privacy (con’t)
  • An analysis of the packets indicates:
    • HTTP protocol
    • authenticating and registering
    • communicating
    • transmitting an encrypted conversation (voice, IM, files)

  24. Privacy (con’t)
  • The conclusion is that while the actual communications between Skype clients appear to be encrypted, searches conducted on behalf of Skype users are observable by the Skype network.

  25. What if Skype Really Does Use Encryption?
  • Skype claims that its system uses:
    • the RSA encryption algorithm for key generation
    • 256-bit AES as its bulk encryption algorithm
  • Challenges:
    • Skype does not publish its key exchange algorithm or its over-the-wire protocol.
    • Skype refused to explain the underlying design of its certificates, its authentication system, or its encryption implementation.

  26. Skype users should be aware of…
  • The security of Skype can be subverted through the use of spyware on the user’s computer.
  • All IM conversations are recorded by default. These files could be retrieved through the use of spyware.
  • A super-node may monitor the voice traffic moving through it.
  • The SkypeIn and Skype Out services may use encryption to the Skype gateways, but at that point the telephone calls are decrypted and sent over the standard PSTN.

  27. Remember that…
  The security of the Skype system also depends entirely on the good will of Skype’s programmers and the organization running Skype’s back-end servers.

  28. Issue 2: Authenticity
  • Every Skype user has a username and a password.
  • Each username has a registered email address.
  • Identification and authentication are email-based.
  • The Skype client has the ability to “remember” the username/password and log in automatically.

  29. Authenticity (con’t)
  • User identities are digitally signed by an RSA private key. The matching RSA public key is embedded into every Skype executable.
  • Skype provides similar levels of authentication to MSN or AOL.
  • There is no special method to protect authenticity.
  • It isn’t clear how verification is done.
  • Voice is a biometric.

  30. Authenticity (con’t)
  • Several attacks may be possible:
    • Fake Skype client
    • Fake ISP
    • Malicious ISP
    • Fake valid authentication
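The trust model of slides 25, 29 and 30, as an added Go example (not Skype's code: its certificate layout, key exchange and wire protocol are unpublished, so the signed-username format, RSA-PSS and AES-256-GCM used here are assumptions). It shows that every identity check reduces to the public key embedded in the client, and how an authenticated cipher gives the conversation-integrity guarantee that slide 36 says Skype does not state.

```go
package main
import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// signIdentity is the authentication server: RSA-PSS over SHA-256(username). Hypothetical layout.
func signIdentity(serverKey *rsa.PrivateKey, user string) ([]byte, error) {
	digest := sha256.Sum256([]byte(user))
	return rsa.SignPSS(rand.Reader, serverKey, crypto.SHA256, digest[:], nil)
}
// verifyIdentity is the client, checking against the key embedded in its binary. Trust rests
// entirely on that key: a tampered client shipping its own key accepts forged identities (slide 30).
func verifyIdentity(embeddedPub *rsa.PublicKey, user string, sig []byte) bool {
	digest := sha256.Sum256([]byte(user))
	return rsa.VerifyPSS(embeddedPub, crypto.SHA256, digest[:], sig, nil) == nil
}
// aesGCM returns AES-GCM for a session key; a 32-byte key selects AES-256 (slide 25).
func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// sealMessage encrypts one IM/voice frame (random nonce prepended). The GCM tag also
// supplies the conversation integrity that slide 36 notes Skype never guarantees.
func sealMessage(key, plaintext []byte) ([]byte, error) {
	gcm, err := aesGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// openMessage rejects any frame whose ciphertext or tag was altered in transit.
func openMessage(key, sealed []byte) ([]byte, error) {
	gcm, err := aesGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated frame")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
```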

  31. The ways to get your password:
  • An adversary:
    • Guessing
    • Social engineering
    • Keystroke loggers
    • Intercepting email used for password recovery
  • A computer administrator can:
    • Leak passwords
    • Reset passwords
    • Empower attackers to impersonate the user

  32. Issue 3: Availability
  • The availability of the PSTN is 99.99905%.
  • Internet service is, in general, inferior to telephone service.
  • Additional factors may compromise Skype’s potential availability.

  33. Issue 4: Survivability
  • The ability of a system to continue to operate after it has been degraded.
  • The Internet’s design allows Internet providers to choose how survivable they wish to make their networks.

  34. Survivability (con’t)
  • Most Internet users and many ISPs have not deployed systems that can withstand the arbitrary failure of one or more components.
  • Survivable systems are generally more expensive.
  • Survivable systems rarely provide better day-to-day performance.
  • It is not known if Skype's authentication servers can survive network disruptions or attacks.

  35. Issue 5: Resilience
  • Internet connections in many cases can be restored more quickly than traditional telephone service.
  • Skype and other VoIP-based systems are highly tolerant of a user’s IP address changing from day to day. Thus, they are generally very resilient to local network disruption.
  • Skype clients almost certainly could not operate if Skype’s backend authentication network were to become unavailable.

  36. Issue 6: Integrity (Conversation)
  • Skype’s integrity provisions are completely unknown.
  • Skype makes no guarantees that Instant Messages or files will be delivered as they were transmitted.
  • Skype’s voice quality suffers considerably only on 802.11 wireless networks.

  37. Issue 7: Integrity (System)
  • Network administrators are understandably concerned when users download and run software that might have wide-ranging implications.
  • It should be noted that many of the risks posed by Skype are no different from the risks posed by email and other person-to-person communication media...
    • Voice communication: Skype probably poses less risk.
    • File exchange: Skype poses less risk.
    • Anti-virus protection: Skype poses more risk.

  38. Recommendations

  39. Comparison:
  • Skype appears to offer significantly more security than conventional analog or ISDN voice communications, but less security than VoIP systems running over VPNs.

  40. When using Skype, the following may be helpful:
  • All PCs running the Windows operating system should be equipped with up-to-date anti-virus and anti-spyware programs.
  • The username/password combination used for Skype shouldn’t be used for anything else.
  • The username used for Skype shouldn’t be readily identifiable.

  41. When using Skype, the following may be helpful:
  • Both Skype usernames and passwords should be changed on a regular basis if the Skype network is used for any kind of sensitive discussions.
  • Skype users should assume the Skype system could become permanently unavailable at any moment.

  42. When using Skype, the following may be helpful:
  • Do not assume that the person behind a Skype username today is the same person that it was yesterday.
  • Although Skype insists that its voice system cannot transfer a virus, there is no evidence for this claim.

  43. The News about Skype

  44. 2005/10/15

  45. 2005/12/04

  46. 2006/02/04

  47. Reference
  • Skype official website: http://www.skype.com/
  • Skype Chinese official website: http://www.skype.com/intl/zh-Hant/
  • http://tw.news.yahoo.com/051015/215/2f081.html
  • http://tw.news.yahoo.com/051214/215/2n4cg.html
  • http://tw.news.yahoo.com/060204/19/2tl6y.html
