[liberationtech] NYT report on Obama admin's wiretap plans
Danny O'Brien
DObrien at cpj.org
Mon Sep 27 22:28:08 PDT 2010
On Sep 27, 2010, at 4:45 PM, Daniel Colascione wrote:
> Hi, Jurre. Welcome.
>
> On 9/27/10 3:21 PM, Jurre van Bergen wrote:
>> Hi, this would be my first post on this list.
>>
>> Someone back in July claimed to have broken the Skype protocol, he
>> didn't release full details yet, but is planning to show how to do it at
>> the next CCC congress in Berlin (27c3 this year).
>
> Interesting break. Thanks for the link --- it'll be good to see
> alternative Skype clients spring up. I wonder whether Skype's infamous
> RC4 stream reuse led to this break.
>
> Bear in mind, though, that this break doesn't seem to affect the
> integrity of Skype calls themselves. From enrupt.com:
>
> "7. Our publication does not affect privacy of Skype calls, messages or
> file transfers. They are still encrypted with AES with 256-bit secret
> keys negotiated using 1024-bit RSA algorithm authenticated with a
> 2048-bit RSA key of the Skype server. It is all quite secure. Do not panic."
>
> Assuming all of that is implemented properly and the communicating
> parties still establish a shared secret, passive attacks still won't
> work, and even an active attack would be somewhere between extremely
> difficult and fiendishly difficult (it seems Mallory would at least need
> the login server's private signing key). It'd be interesting if I were
> wrong on the last point.
The question is: are we talking about a lawful intercept process (in which there is a small number of targets, and the request is served to Skype through a set legal procedure), or are we talking about an ability to intercept Skype-to-Skype traffic on an ad hoc, undetectable, widespread, potentially mass-surveillance basis?
The NSA and various security services across the world would like the latter, but don't have much in the way of legal instruments to encourage Skype to do anything about it. And Skype certainly doesn't have any incentive to comply, because it would involve breaking the security of their over-the-wire protocol and would potentially expose them to liability. I haven't yet seen a model that would provide this kind of mass surveillance of Skype, and the endless bitching about Skype by unnamed sources makes me think that their service is still unavailable for this form of monitoring.
Lawful intercept, OTOH, doesn't need such a major system-wide compromise, it just needs the co-operation of Skype for a few specific targets, and a system that enables Skype to enable the selective tapping of its own customers on such a per-person basis.
The models I've heard kicked around that would allow targeted Skype interception of audio are a) weak keys signed by Skype allowing a MITM attack, b) targeted fake client updates by Skype or c) non-Skype malware (i.e. just run-of-the-mill keyloggers).
All of these are hard, and require either Skype or a state or both to invest time and money co-operating to build an interception system. With a) you need Skype's close co-operation for key handling, *and* access to on the fly data potentially across diverse networks, *and* knowledge of the Skype protocol. With b) you need Skype's co-operation (whether China got it voluntarily or tricked the company with TOM-Skype is an open question). With c) you don't need Skype, except maybe to give you IPs if you don't know your target, possibly in real-time, of logins (Skype says it can't provide this, though from what we know of the protocol, I can't see why not). All are detectable - a) probably less so than b) or c).
Lawful interception requirements in my experience start with a debate about whether they're possible at all, a debate that can go on for years. As soon as it's determined that it *is* possible, the question devolves quickly into who exactly is going to pay, and how much time will the company involved have to waste co-operating. The ideal for companies is just a black box that sits somewhere (preferably not on their premises) and does the interception without them having to worry about it. The worst of all worlds is some government demanding they build the entire interception infrastructure and then not paying them a sous for it.*
Finally, note that not all of this applies to Skype text IM. With Skype IM, you just need to crack the password (or get Skype to authenticate you as a particular user), and both sides of all IM conversations get echoed to you without other parallel logins being informed -- a perfect text tapping infrastructure. Not sure about hiding your online status though. Actually, I don't even know how the Skype audio client copes with two identical users logged in. Rings them both, and then directs the stream to whoever picks up, I imagine. Time to experiment!
* - Well, actually the worst is a government demanding you build the interception infrastructure for free when you've already told them it's impossible (see RIM and BES).