Network Security – Special Topic on Skype Security

Is Skype Secure?

• Skype is used to call from one PC to another PC.• Think about it, your conversation is carried by

routers in the Internet. If someone owns a router logs everything, can he figure out what you just told your friend?

• The answer is, they cannot and Skype is secure. Actually governments are complaining about it because the police cannot eavesdrop the call.

All data is encrypted

• Everything the sender sends out will be encrypted by AES (Advanced Encryption Standard).

• So the encryption makes the data seen at the routers unreadable.

• In this sense, Skype is secure from one Skype end to the other Skype end.

Block Cipher

• AES is a Block Cipher, means that it maps a fixed-length (128 bits) input to a fixed-length (128 bits) output.

• Given the same input bits, the Block Cipher always returns the same output bits. So, it is a mapping from the input to the output.

• The decryption algorithm is just the reverse mapping.

The Key

• The AES algorithm is known to the world. So if you can use AES to encrypt your data, anyone will be able to use the AES to decrypt your data and you achieved nothing.

• So, you must make your encryption unique, even if you are using a well-known algorithm.

• How?• By having a key. The key is unique to each session

and the encryption result for one key is unique to other keys.

How AES works• AES takes 128-bit input and turn it into 128-bit

output with the help of a 128 bit key (or 192, or 256). (Skype uses 256 bit key) 1. The key is expanded into 11 sub-keys (K0, K1, …,

K10.) 2. s = M xor K0.3. Then the following is executed 10 rounds.

1. s = SBOX(s).2. s = shift_row(s).3. s = mix_col(s) [if not the last round]4. s = s xor Ki.

4. Return s.

• The S BOX simply maps the input to an output according to a predetermined mapping.

• The shift_row() does the following. Regard the 16-byte s as a 4 by 4 matrix.

s0 s4 s8 s12s1 s5 s9 s13s2 s6 s10 s14 s3 s7 s11 s15

s0 s1 s2 s3s5 s9 s13 s1S10 s14 s2 s6 s15 s3 s7 s11

• The mix_col does the following. ai is4 bytes. 02 02 01 0101 02 03 0101 02 02 03 03 01 01 02

a0a1a2a3

=

a0a1a2a3

The Integer Counter Mode

• Skype does not encrypt the messages directly in this way.

• It xores the plaintext (message) with the output of AES when taking a counter as input.

• Just to run faster.

Problem solved?

• So, is the problem solved?• No. How about the key? How can two Skype

ends agree on the same key?• Can one end send the key to the other end in

plaintext?

The public/private key.

• Everyone has a public key and private key. • With B’s public key (pkB) A can encode data

that only B can decode with his private key (skB) because other people does not have B’s private key.

• D_skB[E_pkB(W)] = W • E_pkB[D_skB(W)] = W

The public/private key

• So, A can choose a 128-bit string W as the session key and send E_pkB(W) to B. B runs the decryption algorithm to get D_skB[E_pkB(W)] = W.

• Skype actually asks two ends to both contribute 128 bits to make the 256-bit session key.

The RSA algorithm

• The RSA algorithm is used to get the public key/private key.1. Choose two large primes, p and q.2. Compute n=pq and z=(p-1)(q-1).3. Choose a number relatively prime to z and call it

d.4. Find e such that ed = 1 mod z.

• (e,n) is the public key for encoding and (d,n) is the private key for decoding.

The RSA algorithm

• To encrypt a message M, C=M^e mod n.• To decrypt from C, M = C^d mod n.• You can verify (non-trivial!) that

D_skB[E_pkB(M)] = M and E_pkB[D_skB(M)] = M.

Why is RSA secure?

• The problem is, given (d,n), can you figure out e?

• It is difficult.• You can try to find p and q given n. If you

indeed can, then you get z. Given z and d, you get e.

• But it is difficult to factor large numbers.

Problem solved?

• If someone calls you and claimed that he is Bob, how can you be sure he is indeed Bob before saying things confidential?

• Imagine that someone impersonates your spouse and ask you to tell her/him your bank password with Skype chat.

Authentication

• If someone claims he is A, how do you verify?• He should present something to you which

you can check and which he can have if and only if he is A.

• We can all think of certain things for our real friends, but does such thing exist in the electronic world?

The solution

• Recall that everyone has a public key and a private key.• Suppose Alice and Bob knows each other’s public key.– If Alice wants to setup a session with Bob, she sends Bob a

message E_pkB[Alice, R_a], meaning that I am Alice and I want to talk to you, where R_a is a number picked at random.

– Bob replies E_pkA[R_a, R_b, K_s], where R_b is a number picked at random and K_s is the session key.

– Alice replies AES_K_s[R_b]. • (not exactly the same as Skype’s own protocol, but the

idea is the same)

Explanations

• Message 2. When Alice gets E_pkA[R_a, R_b, K_s], she can decrypt it and can get R_a, R_b, K_s. When she sees R_a, she knows that this is the response she is waiting for and the sender must be Bob. Why?

• Because no one except Bob knows how to decode E_pkB[Alice, R_a] to get R_a and R_a is totally random and it is impossible for one to guess it right.

Explainations

• Message 3. When Bob gets AES_K_s[R_b], he can use K_s to decode it to get R_b. Then he knows that this must be the message he is waiting for and the one who sent the first message must be Alice. Why?

• Because no one except Alice knows how to decode E_pkA[R_a, R_b, K_s] to get R_b and K_s to get AES_K_s[R_b].

Is problem solved?

• How can Alice and Bob know each other’s public key?

• Can Alice send a message to Bob to ask him to send her pkB?

• No. Tom may intercept this message and return Alice a message with his key or some junk.

Solution?

• Ask someone with authority, say, C.– Alice asks C “can you tell me the public key of

Bob?”– C replies “Here you are, pkB.”

• Will this work?• No. Because how can Alice be sure that this

message is from C and not from Tom?

Solution

• Because C is well-known, Alice remembers his public key.

• So when C sends Alice the reply, he “signs” it with his private key: D_skC(pkB, I am sending you the public key of Bob as you requested).

• When Alice gets this message, she knows that this must be from C and can be trusted.

Problems?

• If everyone must contact C before the session begins, can C still handle it?

• Note that the RSA algorithm involves multiplications of large numbers and is slow.

Solution• In fact, C does not have to answer the reply in real

time.• He can send Bob a “certificate” like: D_skC[I hereby

certificate that this key ############# belongs to Bob. Bob’s IP address is ****** and his email is @@@@.]

• Later, when Bob wants to prove he is indeed Bob, he can just present this to Alice.

• Actually, it is D_skC{SHA_1[I hereby certificate that this key ############# belongs to Bob. Bob’s IP address is ****** and his email is @@@@.]} and C is called Certificate Authority (CA).

Optimizations

• Still, signing all these certificates is too much for a single machine.

• There is PKI (Public Key Infrastructure) as a tree. You have a root, Regional Authorities, and CAs.

• A node certifies the nodes under it by signing.• Chain of trust.