On Sun, 23 Oct 2005, Joseph Ashwood wrote:

----- Original Message ----- Subject: [Tom Berson Skype Security Evaluation]

Tom Berson's conclusion is incorrect. One needs only to take a look at the
publicly available information. I couldn't find an immediate reference
directly from the Skype website, but it uses 1024-bit RSA keys, the coverage
of breaking of 1024-bit RSA has been substantial. The end, the security is flawed. Of course I told them this now years ago, when I told them that 1024-bit RSA should be retired in favor of larger keys, and several other people as well told them.

More worrying is the disconnect between the front page summary and the body of the review. If one only reads the summary, then one would only see the gushing praise and not the SSH protocol 1-esque use of a weak CRC as a integrity mechanism (section 3.4.4) or what sounds suspiciously like a exploitable signed vs. unsigned issue in protocol parsing (section 3.4.6).

Also disappointing is the focus on the correct implementation of cryptographic primitives (why not just use tested commercial or open-source implementations?) to the exclusion of other more interesting questions (at least to me):

- What properties does the proprietary key agreement protocol offer (it
  sounds a bit like an attenuated version of the SSH-1 KEX protocol and,
  in particular, doesn't appear to offer PFS).

- Does the use of RC4 follow Mantin's recommendations to discard the
  early, correlated keystream?

- How does the use of RC4 to generate RSA keys work when only 64 bits of
  entropy are collected from Skype's RNG? (Section 3.1)

- Why does Skype "roll its own" entropy collection functions instead of
  using the platform's standard one?

- Ditto the use of standard protocols? (DTLS would seem an especially
  obvious choice).

- What techniques (such as privilege dropping or separation) does Skype
  use to limit the scope of a network compromise of a Skype client?

-d


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to