Contents Skype and the Skype Overview .................. 4 Flux-Capacitor VoIP Introduction .................. 5 VoIP Signalling Protocols ............. 6 Dr. Ralf Schlatterbeck VoIP: Bunch of Firewall Problems ......... 7 Open Source Consulting Standards for Encrypted Telephony ....... 8 Security with Encrypted Telephony ........ 9 Excursus: Man in the Middle ........... 10 Email: offi[email protected] Existing Implementations ............. 11 Web: http://www.runtux.com Alternatives to Skype ............... 12 Tel. +43/650/621 40 17 History of Publications about Skype ....... 13 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 1 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 2 Contents Skype Overview Skype Security Considerations .......... 14 • „It just works“: no problems with firewalls Skype Network Obfuscation: Flux Capacitor . 16 • Skype makers known for Spyware-contaminated Excursus: CRC32 ................. 18 filesharing software (KazaA) Skype Network Obfuscation: Compression . 20 • built-in software-update function in Skype Skype and Cryptography ............. 21 • Doesn’t adhere to any standards – no third-party Skype Communication Security .......... 22 offers Debugging Skype ................. 23 • Closed source – Open Source Skype would be Skype Task-Force? ................. 24 nice and this may be within reach now Bibliography ..................... 25 → Whom to entrust with your phone calls? → Encryption: Who owns the keys??? © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 3 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 4 VoIP Introduction VoIP Signalling Protocols • Voice over Internet Protocol (and often also Video) • IAX: Inter Asterisk Exchange: use same path for • Distinction: call signalling and content (voice/video) signalling and content – firewall-friendly • Signalling Protocols e. g. SIP, H.323, . • SIP: Session Initiation Protocol • Content transmission e. g. RTP (Realtime Transfer • Jabber/Jingle (Google Talk) Protocol) • H.323: ITU-T Standard • Quality: Low latency, low Jitter, low packet loss • MGCP: Media Gateway Control Protocol • Open: Success of VoIP depends on standards: we • SCCP/Skinny (proprietary CISCO) want interconnection of different vendor solutions • UNISTIM (proprietary Nortel) • If signalling and content are sent via different path • Skype (proprietary): optionally one signalling path we may get problems with firewalls → „Asterisk is first PBX in history to natively support proprietary IP terminals from the two biggest players in VoIP“ [MSM05] © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 5 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 6 VoIP: Bunch of Firewall Problems Standards for Encrypted Telephony • SIP, Jingle, H.323 are signalling protocols • encryption option for IAX with pre-shared keys → only for call-management • VoIP can be routed via a VPN, e. g. OpenVPN • For Content: RTP (Realtime Transfer Protocol) • SRTP/SRTCP: needs a key management scheme RTP-Port is dynamically negotiated Master-Key: call parties need to agree on a key → Firewall (NAT!) problems • Phil Zimmermanns ZRTP: SRTP + Diffie-Hellman • Remedy (or workaround): NAT-Traversal protocols, → call parties need not know each other! or intelligent firewall → uses existing SIP infrastructure • For Linux/Netfilter: SIP+H.323 connection tracking → approved as informational RFC and NAT modules • IETF DTLS based on certificates for negotiating • or use IAX! SRTP key – will become Standards-Track RFC (!) © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 7 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 8 Security with Encrypted Telephony Excursus: Man in the Middle • Traffic Analysis: „Who with whom“ → nearly conforming to EU Data Retention :-) encrypt encrypt • IAX transmits session information in clear AE EB • Even when using a VPN we can determine that Alice Eve Bob there is VoIP-content due to packet frequencies • Eve – the woman in the middle – does and -sizes key exchange with Alice and Bob • SRTP without ZRTP, IAX or VPN: • There are two keys, AE und EB needs prior agreement of calling/called parties • But: Alice and Bob can compare key checksums • ZRTP MITM-Protection: call partners can read key- by reading them to each other over the phone hash to each other – hard to fake by man in the → Authentification via speech! middle © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 9 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 10 Existing Implementations Alternatives to Skype General: • SIP-Phones (Ekiga, Twinkle, Linphone) • IAX encryption: no personal experience • Chat: multiprotocol-client Pidgin • OpenVPN + Asterisk IAX (or SIP/RTP) works well • Chat + telephony: Google Talk (Jabber extension „Jingle“ for Voice/Video) ZRTP: • Open Source telephony: Asterisk: SIP,Jabber/Jingle, • SRTP/ZRTP not yet in Asterisk but ZFone can be and lots of other protocols . used • Encryption: Phil Zimmermann’s ZRTP + SRTP • Phil Zimmermanns ZFone as add-on to existing or IETF’s DTLS (certificate-based) + SRTP RTP-based software • GNU ccRTP supports ZRTP • GPL-Client Twinkle with ZRTP © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 11 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 12 History of Publications about Skype Skype Security Considerations • Biondi, Desclaux: Silver Needle in the Skype, Black- • Writeable text-segment: hat Europe 2006 [BD06] Decrypts itself when called • Desclaux, Kortchinsky: Vanilla Skype [DK06a, DK06b], • could load code over the network into memory Recon 2006 • when asking for updates Skype sends its Skype-ID • Biondi, Desclaux, Kortchinsky analyzed the net- → maybe this is used for sending you your own work obfuscation and compression algorithms of personalized (trojan?) update? Skype but didn’t publish their work • Skype can find out IPs of other Skype clients [BD06, • they called the network obfuscation function „Flux p. 61] – there is already a service announced to Capacitor“ discover Skype IPs by username • 2010-07-07 Sean O’Neil: → imagine the possibilities when coupled with Geo- Skype’s Biggest Secret Revealed location © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 13 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 14 Skype Security Considerations Skype Network Obfuscation: Flux Capacitor • Remote Scan: We can make another node connect • A big obfuscated function first described by to a specified IP-Adress – even in the network Desclaux/Kortchinsky: „it is not an improvement of perimeter (inside Firewall) of that host [BD06, p. 82] the flux capacitor“ [DK06a, p. 52] • Censor API for chat activated for chinese Skype • they even describe a method how to generate C- calls ContentFilter.exe – API present in all code from the binary [DK06a, p. 55–65] Skype versions [DK06b, p. 40] • obfuscation function takes a 32-bit seed • AP2AP protocol for communication of non-Skype and computes an RC-4 key applications via Skype [DK06b, p. 42] • the RC4-key is used to encrypt the UDP-packet or • Information Exfiltration (file transfer) TCP-stream • remote control • for TCP the seed is sent in clear as the first bytes ⇒ that’s why I chose not to use Skype of the stream © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 15 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 16 Skype Network Obfuscation: Flux Capacitor Excursus: CRC32 • for UDP the CRC32 of source-IP, dest-IP and per • Silver Needle suggests UDP uses CRC32 – there packet ID XOR an initialisation vector (IV) is used is example code from Vanilla which has a CRC32 as the seed • The well-known crc32 from Ethernet, ZIP,etc. uses • The packet ID and IV are in clear in every packet the same polynomial but a different finalisation: • . so everything is known about the RC-4 key def zlib_crc (s, seed = 0) : • It’s just an obfuscation layer, no real encryption state = seed ^ 0xFFFFFFFF because the key is known (security by obscurity) state = do_crc (s, state) • But the obfuscation is so “good” that it hasn’t been return state ^ 0xFFFFFFFF published until now • I’ve been able to verify this for TCP, and now also def skype_crc (s, seed = 0xFFFFFFFF) : for UDP return do_crc (s, seed) © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 17 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 18 Excursus: CRC32 Skype Network Obfuscation: Compression • zlib crc32 uses initial value 0, skype uses 0xFFFFFFFF • Before encryption Skype uses an undocumented → effect is the same internal state arithmetic compression algorithm [DK06b, p.7–8] ⇒ So we can use crc32 from zlib for skype crc: • Arithmetic compression close to Huffman but using def skype_crc (s, seed = 0xFFFFFFFF) : reals mask = 0xFFFFFFFF • Sean O’Neil promises to publish the compression, return (crc32 (s, seed ^ mask)) ^ mask too: “The compression algorithm required to • this implementation allows part-wise computation: complete the decoding of Skype packets will be x = skype_crc ('abcd') published in December this