1 / 44

An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol

An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol. Salman Abdul Baset and Henning Schulzrinne December 15, 2005. Agenda. What is Skype? What problems does it solve? The Skype network The Skype software components Experimental setup The Skype functions How to block Skype?

dunne
Télécharger la présentation

An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol Salman Abdul Baset and Henning Schulzrinne December 15, 2005

  2. Agenda • What is Skype? • What problems does it solve? • The Skype network • The Skype software components • Experimental setup • The Skype functions • How to block Skype? • Skype, MSN, and Yahoo • Disassembling the executable • Unanswered questions

  3. What is Skype? • Peer-to-peer, pc-to-pc, pc-to-phone, phone-to-pc VoIP client • Developed by people who created KaZaa • First version in September 2003 • 60,000 downloads in first week, 219 million downloads (till yesterday) • Current version: 1.4.0.84 and 2.0 beta • SkypeOut (pc-to-phone) introduced in July 2004 • SkypeOut terms of service: governed by the laws of Luxembourg • SkypeIn, voicemail • OS: Windows, Linux, MacOS, PocketPC

  4. What problems does it solve? • NAT and firewall traversal • Nielsen September 2005 ratings • 61.3% of US home internet users use broadband (http://www.nielsen-netratings.com/pr/pr_050928.pdf) • ‘Most’ users have some kind of NAT • Superior voice quality than MSN or Yahoo IM clients • Phone-to-pc calling, SkypeIn • Yahoo is starting to imitate Skype services

  5. A p2p illusion? • Login server • Servers for SkypeOut and SkypeIn • Anonymous call minutes statistic gathering

  6. The Skype Network

  7. The Skype Network (contd…) • Ordinary host (OH) • A Skype client • Super nodes (SN) • A Skype client • Has public IP address, ‘sufficient’ bandwidth, CPU and memory • Login server • Stores Skype id’s and passwords • Used at login for authentication • Version 0.97: 80.160.91.11 now: 212.72.49.141 and 195.215.8.141

  8. Skype Components • Ports • No default listening port • Randomly chooses a port (P1) on installation • Opens TCP, UDP listener sockets at P1 • TCP listener sockets at port 80, 443

  9. Skype Components (contd…) • Host cache (HC) • IP address and port number of online Skype nodes (SNs) • At least one valid entry must be present in HC • Maximum size: 200 entries • ‘Understanding KaZaa’: 200 entries for ordinary node (ON) • Login server IP address and port number • Stored in Windows registry in version 0.97 • Now present at C:\Documents and Settings\All Users\Application Data\Skype

  10. Skype HC (ver: 0.97)

  11. Skype HC

  12. Skype Components (Contd…) • Codecs (GlobalIPSound) • Wide band codecs (50-8,000 Hz) • iLBC (packet size: 20 and 30 ms bitrate: 15.2 kbps and 13.3 kbps) • iSAC (packet size: 30-60 ms bitrate: 10-32 kbps) • G.729 for SkypeOut? • Buddy list • Stored in ‘config.xml’ file • C:\Documents and Settings\<XP user>\Application Data\Skype\<skype user id> <CentralStorage> <LastBackoff>0</LastBackoff> <LastFailure>0</LastFailure> <LastSync>1120325519</LastSync> <NeedSync>0</NeedSync> <SyncSet> <u> <skypebuddy1>f384d3a0:1</skypebuddy1> <skypebuddy2>7d1dafc4:1</skypebuddy2>

  13. Experimental Setup • I have NOT reverse engineered Skype executable but it can be done • Skype version: 0.97.0.6, 1.0, 1.2, 1.4 • Experiments performed between Feb-May 2004, June-July and Nov-Dec 2005. • Tools Used • Ethereal (for packet capture) • NetPeeker (for tuning the bw) • NCH Tone generator(for generating tones of various frequencies) • APIMonitor (for monitoring the sys calls)

  14. Experimental Setup (Contd…)

  15. Skype Functions • Startup • Login • User Search • Call Establishment • Media Transfer • Keep-Alive • NAT and firewall Traversal • Conferencing

  16. Skype Functions: STARTUP • First time startup • GET /ui/0/97/en/installed HTTP/1.1 • Normal startup • GET /ui/0/97/en/getlatestversion?ver=0.97.0.6 HTTP/1.1

  17. Skype Functions: LOGIN • Must establish a TCP connection with SN • HC must contain at least one valid SN • Bootstrap Super Nodes

  18. Skype Functions: LOGIN • Public, NAT • Establish a TCP connection with the SN • Authenticate with the login server • Announce arrival on the network (controlled? flooding) • Determine NAT type? • Firewall • Establish a TCP connection with the SN • Authenticate with the login server

  19. Skype Functions: LOGIN 16 3 1 0 0 17 3 1 0 0 16 3 1 0 0 . . . . 17 3 1 0 0 len . . . .

  20. Skype Functions: LOGIN • 1536 and 2048 (skype account) bit RSA to negotiate symmetric AES keys • Central Server Signing Key SS and Verification Key VS • Client: user name A, password PA, RSA key pair SA and VA • VS embedded in the Skype executable • 256 bit AES session with the login server • Key is chosen at random and encrypted with the public key of the login server • {A, H(PA), VA} VS to login server (msg 3) • {A, VA} SS to client (msg 4) • Source: Tom Berson’s security evaluation

  21. Skype Functions: LOGIN

  22. Skype Functions: LOGIN

  23. Skype Functions: USER SEARCH • From the Skype website • Global Index (GI) Technology • Guaranteed to find a user it exists andlogged in the last 72 hours • Search results are cached at intermediate nodes • Unable to trace messages beyond SN • Cannot force a node to become a SN • Host cache is used for connection establishment and not for SN selection • User does not exist. How does search terminate? • SN searches for a user behind UDP-restricted firewall • Same search query from two different machines initiated at the same time give different results • Wildcard queries supported

  24. Skype Functions: USER SEARCH

  25. CALL ESTABLISHMENT • Call signaling always carried over TCP • Calls to non buddies=search+call • Initial exchange checks for blocked users • Public-public call • Caller SC establishes a TCP connection with callee SC • Public-NAT • Caller SC is behind NAT • Caller---->Skype node (SN?) ----> Callee • TCP connection established between caller, callee, and more than one Skype nodes • Unknown: How a node is selected to route calls from caller to callee? • Perhaps determined at login • Firewall-firewall call • Same as public-NAT

  26. CALL ESTABLISHMENT

  27. Skype Functions: MEDIA TRANSFER • 10/100 Mbps Ethernet

  28. Skype Functions: MEDIA TRANSFER • No silence suppression • Silence packets are used to • play background noise at the peer • maintain UDP NAT binding • avoid drop in the TCP congestion window • Putting a call on hold • 3 packets/sec to call-peer or Skype node • same reasons as above • Codec frequency range • 50-8,000 Hz (total bw of 3 kilobytes/s) • Reasonable call quality at (4 kilobytes/s)

  29. Skype Functions: KEEP ALIVE • Refresh message over TCP to SN every 60 seconds • Refresh message size: 60 bytes

  30. Skype Functions: CONFERENCING • A, B, and C have public IP addresses A: Pentium4, 2GHz 1: B-A Call B: PentiumII , 300 MHz C: Pentium Pro 200 MHz

  31. Skype Functions: CONFERENCING • A, B, and C have public IP addresses A: Pentium4, 2GHz 1: B-A Call B: PentiumII , 300 MHz 2: B-C Call C: Pentium Pro 200 MHz

  32. Skype Functions: CONFERENCING • A, B, and C have public IP addresses A: Pentium4, 2GHz 1: B-A Call B: PentiumII , 300 MHz B decides to initiate a conference 2: B-C Call C: Pentium Pro 200 MHz

  33. Skype Functions: CONFERENCING • A, B, and C have public IP addresses A: Pentium4, 2GHz B A+C B: PentiumII , 300 MHz C A+B C: Pentium Pro 200 MHz

  34. Skype Functions: CONFERENCING • B and C are behind NAT. A has public IP addresses B A: Pentium4, 2GHz Online Skype node A 1: B-A Call A B B: PentiumII , 300 MHz C: Pentium Pro 200 MHz

  35. Skype Functions: CONFERENCING • B and C are behind NAT. A has public IP addresses A: Pentium4, 2GHz (public IP) Online Skype node B C A+B A+C B: PentiumII , 300 MHz (NAT) C: Pentium Pro 200 MHz (NAT)

  36. How to block Skype? • Block IP address and port of Skype login servers. • Skype goes through super nodes. • Inspect TCP payload of login messages and block outgoing login messages. • Skype is blocked.

  37. Skype, MSN, and Yahoo

  38. Call / IM Forking • User can login from multiple machines • All Skype instances notified of call arrival • Pickup, cancel at other locations • IMs delivered to all locations

  39. Skype Online Users

  40. Breaking the executable • Skype does not run with ltrace • Skype does run with strace • nm does not reveal anything • libcrypt is (perhaps) statically linked. ldd does not reveal anything • Skype can be run with SoftICE, OllyDbg • LD_PRELOAD technique

  41. Unanswered questions • How Skype encrypts and decrypts? • SN to SN communication? • One hop or multiple hop media relaying? • How does search terminate if the user is not found?

  42. Conclusion • Login server and super nodes, not strictly peer-to-peer • Code obfuscation, runtime decryption • Multiple paths for ‘in-time’ switching incase of failures • Other companies are following Skype • damaka, peerio, pc-telephone

  43. References • Skype reports: http://www1.cs.columbia.edu/~salman/skype/ • iSAC: http://www.globalipsound.com/datasheets/iSAC.pdf • iLBC: http://www.globalipsound.com/datasheets/iLBC.pdf

  44. Questions?

More Related