[liberationtech] NYT report on Obama admin's wiretap plans

Daniel Colascione dan.colascione at gmail.com
Mon Sep 27 16:45:26 PDT 2010


Hi, Jurre. Welcome.

On 9/27/10 3:21 PM, Jurre van Bergen wrote:
> Hi, this would be my first post on this list.
> 
> Someone back in July claimed to have broken the Skype protocol; he
> didn't release full details yet, but is planning to show how to do it at
> the next CCC congress in Berlin (27c3 this year).

Interesting break. Thanks for the link --- it'll be good to see
alternative Skype clients spring up. I wonder whether Skype's infamous
RC4 stream reuse led to this break.

Bear in mind, though, that this break doesn't seem to affect the
integrity of Skype calls themselves. From enrupt.com:

"7. Our publication does not affect privacy of Skype calls, messages or
file transfers. They are still encrypted with AES with 256-bit secret
keys negotiated using 1024-bit RSA algorithm authenticated with a
2048-bit RSA key of the Skype server. It is all quite secure. Do not panic."

Assuming all of that is implemented properly and the communicating
parties still establish a shared secret, passive attacks still won't
work, and even an active attack would be somewhere between extremely
difficult and fiendishly difficult (it seems Mallory would at least need
the login server's private signing key). It'd be interesting if I were
wrong on the last point.

Regards,
Daniel Colascione
