[ISN] Skype's online phone calls may give wiretappers fits

InfoSec News isn at c4i.org
Mon Feb 20 02:07:11 EST 2006


By Peter Svensson
The Associated Press
February 17, 2006 

NEW YORK - Even as the U.S. government is embroiled in a debate over
the legality of wiretapping, the fastest-growing technology for
Internet calls appears to have the potential to make eavesdropping a
thing of the past.

Skype, the Internet calling service now owned by eBay, provides free
voice calls and instant messaging between users. Unlike other Internet
voice services, Skype calls are encrypted - encoded using complex
mathematical operations.

That apparently makes them impossible to snoop on, though the company
leaves the issue somewhat open to question.

Skype is certainly not the first application for encrypted
communications on the Internet. Secure e-mail and instant-messaging
programs have been available for years at little or no cost.

But to a large extent, Internet users haven't felt a need for privacy
that outweighed the effort needed to use encryption. In particular,
many consider e-mail programs such as Pretty Good Privacy too

And because such applications have had limited popularity, their mere
use can draw attention.

With Skype, however, criminals, terrorists and other people who really
want to keep their communications private are indistinguishable from
those who just want to call their mothers.

"Skype became popular not because it was secure, but because it was
easy to use," said Bruce Schneier, chief technology officer at
Counterpane Internet Security.

Luxembourg-based Skype was founded by the Swedish and Estonian
entrepreneurs who created the Kazaa file-sharing network, target of
several court actions by the music industry.

Skype's software for personal computers is free. Members pay nothing
to talk to each other over PCs, but pay fees to connect to people who
are using telephones.

Skype software is being built into cellphone-like portable devices
that will work within range of wireless Internet "hot spots."

While still somewhat marginal in the United States, Skype had 75
million registered users worldwide at the end of 2005. Typically, 3
million to 4 million users are online at the same time.

Skype calls whip around the Internet encrypted with "keys,"  
essentially very long numbers. Skype keys are 256 bits long - twice as
long as the 128-bit keys used to send credit-card numbers over the

The security is much more than doubled. In theory, Skype's 256-bit
keys would take trillions of times longer to crack than 128-bit keys,
which are themselves regarded as practically impossible to break by
current means.

"It is a pretty secure form of communication, which if you're talking
to your mistress you really appreciate, but if al-Qaida is talking
over Skype, you have probably a different view," said Monty Bannerman,
chief executive of Verso Technologies.

Bannerman's company makes equipment for Internet service providers,
including software that can identify and block Skype calls.

Security experts are not completely convinced Skype is as secure as it
seems, because the company hasn't made its technology open to review.

In the cryptographic world, opening software blueprints to outsiders
who can point out errors is considered the safest way to go.

Because of the complex math involved, a properly designed
cryptographic system can be unbreakable even if its method is known to

But according to Schneier, if Skype's encryption is weaker than
believed, it still would stymie the kind of broad eavesdropping the
National Security Agency is reputed to be performing, in which it
scans thousands or millions of calls at a time for certain phrases.

Even a weakly encrypted call would force an eavesdropper to spend
hours of computer time cracking it.

Kurt Sauer, Skype's chief security officer, said there are no "back
doors" that could let a government bypass the encryption on a call. At
the same time, he said Skype "cooperates fully with all lawful
requests from relevant authorities."

He would not give particulars on the type of support provided.

The Justice Department did not respond to questions about its views on
Skype encryption.

Verso's Bannerman notes Skype calls are decrypted if they enter the
traditional telephone network to communicate with regular phones, so a
conversation could be intercepted there. Skype does not reveal how
many of its calls run on the phone network.

"There are other ways of getting at the conversation than brute-force
decryption of the hacking," Bannerman said.

Schneier thinks eavesdropping on the content of calls is not as
important to the NSA as tracking the calls, which is still possible
with Skype. For instance, if one account was associated with a
terrorist, it would be possible to identify his conversation partners.

"What you and I are saying is much less important than the fact that
you and I are talking," Schneier says. "Against traffic analysis,
encryption is irrelevant."

Steve Bannerman, vice president of marketing at Narus, (he is
unrelated to Verso's Bannerman), said his company's systems enable
wiretapping of voice calls routed over the Internet, but not those
from Skype. Telecommunications carriers use Narus technology.

The most it can do is identify what type of Skype traffic - voice
call, text chat or video conference - is being used, and record the
scrambled data for law-enforcement officials. From there, he said,
"Who knows what those guys can do?"

Copyright © 2006 The Seattle Times Company

More information about the ISN mailing list