----- Original Message -----
From: "Adam Shostack" <[EMAIL PROTECTED]>
To: "David Wagner" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Saturday, January 29, 2005 1:48 AM
Subject: Re: Simson Garfinkel analyses Skype - Open Society Institute

[...]
> The 'vastly more secure' is not my claim. My claim is that it is
> somewhat better. Even if it's using an RC4 key of all-zeros, it is
> somewhat better than what I have today, because today, my voip calls
> don't even have that, and as far as I can see, I can use asterisk's
> codec translator API to turn tcpdump captured streams into mp3.
> (http://www.asterisk.org/index.php?menu=architecture). The effort to
> get skype data is slightly higher. Until shown otherwise, I expect a
> grad student could do it in a weekend. However, that same grad
> student could build me a wiretap for VOIP in an hour. (By which
> metric, Skype is nearly 50x as secure!!!! :)
[...]
> I hate arguing by analogy, but: VOIP is a perfectly smooth system.
> Its lack of security features means there isn't even a ridge to trip
> you up as you wiretap. Skype has some ridge. It may turn out that
> it's very very low, but it's there. Even if that's just the addition
> of an openssl decrypt line to a reconstruct shell script.

Actually it's not that bad: using SIP, the RTP packets can be protected by SRTP (RFC3711, with an open-source implementation from Cisco at http://srtp.sourceforge.net/ ) and the SIP signalling, as per RFC2246, can go over TLS.

It's more an issue of deployment than standards, possibly due to CALEA-related pressures on service providers, but some manufacturers of hardware do support VoIP security: see e.g. what is claimed at http://www.snom.com/phones.html?&L=1 .

Enzo

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
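
An added example, not part of the original message: a deployment check that reads one SIP INVITE and reports whether the two protections named in the reply above (TLS for signalling, the SRTP profile for media) are actually in use. The sample messages are constructed, and keying through an SDP `a=crypto` attribute is an assumption the message does not mention.

```python
import re

# Constructed sample INVITEs (placeholder hosts and key, not captured traffic).
def _invite(scheme, transport, profile, extra=()):
    return "\r\n".join([
        f"INVITE {scheme}:bob@example.org SIP/2.0",
        f"Via: SIP/2.0/{transport} pc1.example.com;branch=z9hG4bK776",
        "Content-Type: application/sdp", "",
        "v=0", f"m=audio 49170 {profile} 0", *extra, "a=rtpmap:0 PCMU/8000"])

KEY = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY"
PLAIN = _invite("sip", "UDP", "RTP/AVP")
SECURE = _invite("sips", "TLS", "RTP/SAVP", [KEY])
MIXED = _invite("sip", "UDP", "RTP/SAVP", [KEY])  # SRTP, but key sent in clear

def audit_invite(message):
    """Return a list of weaknesses found in one SIP INVITE with an SDP body."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    findings = []
    # Every Via hop recorded so far must be TLS, not only the topmost one.
    vias = [l for l in lines[1:] if re.match(r"(via|v)\s*:", l, re.I)]
    tls = bool(vias) and all(re.search(r"SIP/2\.0/TLS\b", v, re.I) for v in vias)
    if not tls:
        findings.append("signalling: a Via hop is not TLS")
    if not lines[0].split()[1].lower().startswith("sips:"):
        findings.append("signalling: request URI is not sips:")
    # Collect each m= stream and note whether an a=crypto line follows it.
    media = []
    for line in body.split("\r\n"):
        if line.startswith("m="):
            kind, _port, proto = line[2:].split()[:3]
            media.append({"kind": kind, "proto": proto.upper(), "keyed": False})
        elif line.startswith("a=crypto:") and media:
            media[-1]["keyed"] = True
    for m in media:
        if m["proto"] not in ("RTP/SAVP", "RTP/SAVPF"):
            findings.append(f"media {m['kind']}: {m['proto']} is plain RTP")
        elif not m["keyed"]:
            # Assumption: a=crypto keying; other key management is not checked.
            findings.append(f"media {m['kind']}: no a=crypto key in SDP")
        elif not tls:
            findings.append(f"media {m['kind']}: SRTP key exposed by cleartext signalling")
    return findings

if __name__ == "__main__":
    for name, msg in (("PLAIN", PLAIN), ("SECURE", SECURE), ("MIXED", MIXED)):
        print(name, audit_invite(msg) or "ok")
```

The MIXED case is the deployment gap worth looking for: the media line advertises SRTP, but the key travels in the same cleartext signalling an eavesdropper already sees.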
