i'll bite:

according to http://en.wikipedia.org/wiki/Skype_security they encrypt UDP traffic with AES in counter mode. there's a Wikipedia entry on that too.

if you're serious about coding this stuff, you'd be well served by getting your hands on the book "Network Security with OpenSSL", from O'Reilly. it's a little outdated, but much more practical than, say, "Applied Cryptography": it's filled with code examples, including an AES counter mode implementation and lots of advice for setting up a CA, issuing & handling certificates, etc. e.g.:

http://books.google.com/books?id=FBYHEBTrZUwC&pg=PA189&lpg=PA189&dq=udp+counter+mode

finally, you don't want to use IPsec. also DTLS is fairly new to OpenSSL (and vulnerable before 0.9.8f) and there's not really much documentation out there on using it or UDP datagram BIOs (try a google code search for BIO_TYPE_DGRAM), but it's possible.

hope this helps!

/|_||)|/_
\| ||\| /

c
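As an added illustration of the per-datagram AES counter mode the reply mentions (this is example code written for this page, not code from the thread, from Skype, or from the O'Reilly book): each UDP datagram carries its own sequence number, which doubles as the CTR nonce so packets decrypt independently of one another, and an HMAC-SHA256 tag is added because counter mode by itself gives no integrity. It uses only the Go standard library; the two keys are constructed sample values, and the wire layout (8-byte sequence number, ciphertext, 32-byte tag) is an assumption for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

// Constructed sample keys; a real client derives both from its session key exchange.
var encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var macKey = []byte("fedcba9876543210fedcba9876543210")
const seqLen, tagLen = 8, sha256.Size

// stream returns the CTR keystream for one datagram: counter block = seq || 8 zero bytes,
// so each datagram decrypts on its own and lost or reordered UDP packets never desynchronise.
func stream(seq uint64) cipher.Stream {
	block, _ := aes.NewCipher(encKey) // key length is fixed above; cannot fail
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv, seq)
	return cipher.NewCTR(block, iv)
}

// tag is HMAC-SHA256 over seq || ciphertext; CTR alone is malleable, so every datagram is authenticated.
func tag(msg []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(msg)
	return m.Sum(nil)
}

// Seal builds one datagram: seq || AES-CTR(plaintext) || tag. seq must never repeat under one key.
func Seal(seq uint64, plaintext []byte) []byte {
	out := make([]byte, seqLen+len(plaintext))
	binary.BigEndian.PutUint64(out, seq)
	stream(seq).XORKeyStream(out[seqLen:], plaintext)
	return append(out, tag(out)...)
}

// Open checks the tag before decrypting (ok=false if truncated or modified) and returns seq for replay checks.
func Open(datagram []byte) (seq uint64, plaintext []byte, ok bool) {
	n := len(datagram) - tagLen
	if n < seqLen || !hmac.Equal(tag(datagram[:n]), datagram[n:]) {
		return 0, nil, false
	}
	seq = binary.BigEndian.Uint64(datagram)
	plaintext = make([]byte, n-seqLen)
	stream(seq).XORKeyStream(plaintext, datagram[seqLen:n])
	return seq, plaintext, true
}
```

The receiver should still keep a window of sequence numbers already seen and drop repeats, since the tag proves origin but not freshness.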

On Sat, 10 Jan 2009, dennis menace wrote:

Hi All!
 
I am looking for real-time encryption methods/protocols for streaming A / V / Text data.
I plan to build an app similar to Skype and since Skype doesn't really reveal much about its security architecture, I'm looking for ingenious solutions. Any suggestions/help would be welcome.
 
 
From whatever research I did about Skype, I found the following things:
 *  Skype has implemented the majority of its encryption modules by itself, which are built to comply with standards but applied in their own ingenious ways, such as the AES block cipher, the RSA public-key cryptosystem, the ISO 9796-2 signature padding scheme, the SHA-1 hash function, and the RC4 stream cipher.
 *  It uses 256-bit encryption in order to actively encrypt the data in each Skype call or instant message. Skype uses 1024-bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536- or 2048-bit RSA certificates. The key size used for signing here is 1536-2048, which is significantly greater than the 1024-bit keys that are a global norm.
 *  It has also set up its own CA for authentication. On first usage, a client contacts Skype's master server, which issues a certificate from its indigenous CA.
 *  Besides the above cryptographic algorithms, Skype has also implemented its own proprietary key-exchange protocol which it uses for key exchange. I guess they have borrowed most of the features of SSL and implemented it according to their needs, besides "fixing" its need for a connection-oriented protocol.
 
I guess we could also have the same functionality using IPSec in "transport" mode and creating an indigenous CA.. I DO NOT PLAN TO USE VPNs, so using "tunnel" mode is out of the question...
 
The question is, HOW can we use IPSec to secure UDP data communication??? (since using TCP to transport A / V data would cause huge latency "delays".. So SSL is also out of the question...)
 
One more option would be to use DTLS but I'm really a newbie to this one - help needed...
 
Another option would be to use SSH but again, I'm not sure if it can be used with UDP and also about its authentication methods. Comments would be welcome.
 
Also, I'm looking for suitable forums/IRC channels to discuss the topic more. Could the people here suggest me some???
 
Regards,
D3|\||\|!$
_______________________________________________
p2p-hackers mailing list
[email protected]
http://lists.zooko.com/mailman/listinfo/p2p-hackers