Shostack + Friends Blog Archive


Emergent Bits of Security: Analyzing Binaries, Code

3 comments on "Emergent Bits of Security: Analyzing Binaries, Code"

  • SteveC says:

    Shouldn’t that be ‘if you think your application is more secure because it’s using encrypted network protocols’? 🙂

  • All Baset & Schulzrinne’s paper really did was document the over-the-wire communications that take place between the Skype client and various servers, super-nodes, etc.
    A much more interesting analysis came from Simson Garfinkel who observed (among other points):
    “Skype claims that its system uses the RSA encryption algorithm for key exchange and 256-bit AES as its bulk encryption algorithm. However, Skype does not publish its key exchange algorithm or its over-the-wire protocol and, despite repeated requests, refused to explain the underlying design of its certificates, its authentication system, or its encryption implementation. Therefore it is impossible to validate the company’s claims regarding encryption. It is entirely possible that the data is both encrypted and not secure.
    (emphasis mine)
    Also, many significant pieces of Skype’s traffic are not encrypted. This could lead to exposure of information about who’s being called, directory lookups, etc. The voice may be encrypted (regardless of how effectively) but many other, almost-as-significant pieces of the call set-up are not adequately protected.

  • Phones says:

    Emergent Bits of Security: Analyzing Binaries, Code

    Good piece on Skype and security:…

Comments are closed.