Indeed it was understood that Skype's coding was described as akin to a
"polymorphic virus".  However, it was also considered that this was for
business reasons, to make it difficult for competing products to interoperate
at the codec and protocol level.

I notice that those two papers do NOT make the claim that Skype learns the
communications encryption session key as part of the protocol, but rather, as
I was saying, their only ability stemmed from being the CA issuing identity
certificates, and they therefore could construct two fake certificates and
somehow persuade the p2p network to route the real users to the MITM
(holding a fake cert for both parties).

(The session key that is mentioned as part of the server auth protocol is
used to encrypt the hashed password and ephemeral RSA key used for
authentication, not, as far as I understand, the traffic; that happened
end2end in a separate protocol).

Adam

On Wed, May 22, 2013 at 07:41:38PM +0200, Dominik Schürmann wrote:

Hi folks,

We recently wrote a small section about Skype with some references:
http://sufficientlysecure.org/uploads/skype.pdf

Interesting references (from 2005, 2006):
http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf

http://secdev.org/conf/skype_BHEU06.pdf

In my understanding it provided some sort of "minimum" end-to-end
security in the past, but it could never be verified as it is a highly
obfuscated protocol.

Regards
Dominik

On 22.05.2013 19:28, Florian Weimer wrote:
* Adam Back:

If you want to claim otherwise we're gonna need some evidence.

<https://login.skype.com/account/password-reset-request>

This is impossible to implement with any real end-to-end security.
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography