[e-privacy] [smb at cs.columbia.edu: Phil Zimmerman and voice encryption; a Skype problem?]

Anonymous nobody at remailer.paranoici.org
Mon May 22 23:05:04 CEST 2006 

----- Forwarded message from "Steven M. Bellovin" <smb at cs.columbia.edu> -----

Date: Mon, 22 May 2006 10:19:05 -0400
From: "Steven M. Bellovin" <smb at cs.columbia.edu>
To: cryptography at metzdowd.com
Subject: Phil Zimmerman and voice encryption; a Skype problem?
Organization: Columbia University
X-Spam-Score: -1.665

There's an article in today's NY Times (for subscribers, it's at
http://www.nytimes.com/2006/05/22/technology/22privacy.html?_r=1&oref=slogin )
on whether Phil Zimmerman's Zfone -- an encrypted VoIP package -- will
invite government scrutiny.  There doesn't seem to be any imminent threat
in the U.S.; the one concrete example mentioned -- the British plan to
give police the power to compel individuals to disclose keys -- doesn't
threaten Zfone, because it uses Diffie-Hellman for (among other things)
perfect forward secrecy and doesn't even have any long-term keys.  (See
draft-zimmermann-avt-zrtp-01.txt for protocol details.)

The fascinating thing, though, was this sentence near the end of the
article:

	But at a conference last week in Cyprus, German officials said
	they had technology for intercepting and decrypting Skype phone
	calls, according to Anthony M. Rutkowski, vice president for
	regulatory affairs and standards for VeriSign, a company that
	offers security for Internet and phone operations.

The Berson report says that Skype uses AES-256.  NSA rates that as
suitable for Top Secret traffic, so it's presumably not the cipher.
Berson analyzed a number of other possible attack scenarios; the only one
that seems to be possible is an active attack plus forged certificates.
If Berson's analysis was correct -- and we all know how hard it is to
verify cryptographic protocols -- that leaves open the possibility of a
protocol change that implemented some sort of Clipper-like functionality.
A silent change like that would be *very* ominous.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

----- End forwarded message -----

More information about the E-privacy mailing list