Skype software code. "Dangerous" Skype. Random number generation

Description

The Skype URL protocol allows you to start paired calls (that is, one-on-one calls), as well as conference calls, video calls and chats.

Note

By default, the local Skype client displays a confirmation dialog before making a call. The dialog also offers an option to stop showing it for future calls.

Terms of Use

If more than one interlocutor is specified (by telephone number or Skype login), the numbers or Skype account names (logins) are separated by semicolons (for example, interlocutor1;interlocutor2;...;interlocutorN).

URL components

Audio and video calls

Audio calls are divided into explicit and implicit. An implicit audio call specifies only the list of interlocutors in the URL:

skype:interlocutor1;interlocutor2;...;interlocutorN

Explicit audio calls imply specifying in the “skype:” protocol not only the list of participants, but also the “call” argument.

The call argument indicates an explicit audio call. In this case, additional arguments can also be set, such as the video argument and the topic argument:

  • topic ‒ allows you to specify the subject line of a conference call, which is displayed to all conference participants. Because the topic specified in this way is part of the URL, the topic string must meet the URL criteria, that is, some special characters must be escaped. For example, a space is replaced with the characters "%20". If spaces are not replaced, the handler takes the characters before the first space as the topic, and the characters after the space are interpreted as additional arguments that may be ignored or misunderstood.

    skype:interlocutor1;+1234567890;...;interlocutorN?call&topic=Line%20topic

    In order to specifically indicate an audio call without video, you must set the “video” argument with the value “false” (video=false).

  • video ‒ the video call argument. When a call is made between Skype users, video exchange between the interlocutors is enabled automatically (if technically possible). When several participants are specified, a group video call is made. However, the number of participants in a video conversation is limited to ten, with a recommended number of no more than five to ensure the best call quality.

    skype:interlocutor1;+1234567890;...;interlocutorN?call&video=true

    Note: Participants using mobile devices can join a group video call only via voice communication.

Chats

Creates paired dialogues and group chats.

If a conversation is carried out with a participant or participants with whom there are already conversations in the history, then the Skype application opens an existing conversation, and if such a conversation does not exist in the Skype history, then a new conversation is created. If at the same time an existing conversation is opened (having a specific topic) and the topic is also specified using the “topic” argument, then the Skype application changes the topic of the conversation to a new value.

  • topic ‒ the chat topic argument. Special characters in the topic value (for example, spaces) must be escaped, as in the case of audio calls.

    skype:interlocutor1;+1234567890;...;interlocutorN?chat&topic=Line%20topic
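A builder and strict parser for the URL forms described above, as an added example (not code from Skype or from the original page). The function names, the participant character whitelist and the sample values are assumptions made for illustration; the parser models the space-truncation behaviour the text describes.

```python
import re
from urllib.parse import quote, unquote

# Assumed whitelist (illustration only): logins or phone numbers made of
# letters, digits, '.', '_' and '-', with an optional leading '+'.
PARTICIPANT_RE = re.compile(r"\+?[A-Za-z0-9._\-]{1,64}")
ACTIONS = {"call", "chat"}
MAX_VIDEO_PARTICIPANTS = 10  # limit stated in the text


def check_participants(participants):
    """Reject empty lists and names that could smuggle '?', '&', ';' or spaces."""
    if not participants:
        raise ValueError("at least one participant is required")
    for name in participants:
        if not PARTICIPANT_RE.fullmatch(name):
            raise ValueError(f"invalid participant: {name!r}")


def build_skype_uri(participants, action=None, topic=None, video=None):
    """Build a skype: URI; action is None (implicit call), 'call' or 'chat'."""
    check_participants(participants)
    uri = "skype:" + ";".join(participants)
    if action is None:
        if topic is not None or video is not None:
            raise ValueError("topic/video require an explicit call or chat")
        return uri
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    args = [action]
    if video is not None:
        if action != "call":
            raise ValueError("video applies to calls only")
        if video and len(participants) > MAX_VIDEO_PARTICIPANTS:
            raise ValueError("video calls are limited to ten participants")
        args.append("video=" + ("true" if video else "false"))
    if topic is not None:
        # safe="" escapes every reserved character, so a topic containing
        # ' ', '&' or '=' cannot turn into extra arguments.
        args.append("topic=" + quote(topic, safe=""))
    return uri + "?" + "&".join(args)


def parse_skype_uri(uri):
    """Parse a skype: URI; unknown arguments are rejected, not guessed at."""
    if not uri.startswith("skype:"):
        raise ValueError("not a skype: URI")
    # Model of the behaviour described in the text: the URL ends at the
    # first unescaped space and whatever follows is not part of the topic.
    rest, _, trailing = uri[len("skype:"):].partition(" ")
    target, _, query = rest.partition("?")
    participants = target.split(";")
    check_participants(participants)
    result = {"participants": participants, "action": None,
              "topic": None, "video": None, "ignored": trailing}
    for arg in filter(None, query.split("&")):
        name, _, value = arg.partition("=")
        if name in ACTIONS and not value:
            result["action"] = name
        elif name == "topic":
            result["topic"] = unquote(value)
        elif name == "video" and value in ("true", "false"):
            result["video"] = value == "true"
        else:
            raise ValueError(f"unexpected argument: {arg!r}")
    return result


if __name__ == "__main__":
    good = build_skype_uri(["interlocutor1", "+1234567890"], "call",
                           topic="Line topic")
    print(good)
    print(parse_skype_uri(good))
    # Constructed bad input: the space in the topic was left unescaped.
    print(parse_skype_uri("skype:interlocutor1?chat&topic=Line topic"))
```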

Skype is a program that encrypts voice traffic carried in Internet Protocol (IP) multimedia sessions and provides (paid) call services to landline or mobile phones. The software was developed by Skype Technologies S.A.

The program carries voice calls over the Internet rather than over a special-purpose network. Skype users can find friends and acquaintances through the system and then exchange text and voice messages with them.

The program uses 256-bit AES encryption to encrypt data transferred between users. At the same time, Skype developers are constantly complicating the system for decrypting user messages, although when calling landline (mobile) numbers, part of the call via PSTN (public switched telephone networks) is not encrypted.

Skype protocol encryption was considered strong enough to enable anonymous communication, but only until 2011, when the service was sold to Microsoft. The new owner then changed the privacy policy, allowing Skype communications to be intercepted and giving the intelligence services of various countries access to users' personal data and conversations.

Security policy

The program security policy includes:

  • Unique usernames.
  • Callers must enter a username and password (some other code) to verify their identity.
  • Any caller is required to provide some proof of identity at each session. At the same time, each user independently decides whether to add the caller as a friend or not.
  • Messages sent to users are pre-encrypted. The intermediate node (router) does not have access rights to the contents of these messages. Although, in 2013, Microsoft began pinging users' unique URLs, which indicates the possibility of wiretapping Skype.

Registration

Skype stores registration information both on the user's computer and on the program server. This information is necessary for subscriber authentication and user authentication. Note that the software uses public-key RSA encryption.

The RSA system is one of the first public-key cryptosystems and is widely used to secure data transmission. In such a cryptosystem, the encryption key is public, and the decryption key is kept secret. In RSA, this asymmetry is based on the practical difficulty of factoring the product of 2 large primes.

The Skype server has its own secret key, which it distributes to users with each copy of the software. During the registration period, the user independently selects the desired login and password. At the same time, the Skype program in local mode generates public and private (secret) keys. The private key and password hash are stored on the user's computer.

When a connection to the Skype server is established under 256-bit AES encryption, the program automatically creates a session key using a random number generator. Then, once the uniqueness of the username is confirmed, the Skype server generates and signs a certificate that verifies the identity (username). As a result, the server binds the subscriber's name to the already verified key and key identifier.

Nuances of calls

For each call, Skype creates a session with a 256-bit key. This session exists not only while communication between subscribers continues, but also after the end of the conversation, for a fixed time. When a call is connected, the program securely transmits the session key to 2 or more call recipients. This key is used to encrypt messages in both directions.

Session cryptography

All traffic in the session is encrypted using the AES algorithm operating in Integer Counter Mode (ICM). Skype encrypts the current counter with the session key (using 256-bit AES). This operation returns the keystream, which is then XORed with the message contents. The resulting encrypted messages are transmitted to the recipient(s).

Note that Skype sessions contain multiple streams. The ICM counter depends not only on the stream, but also on the position within the stream.
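The counter-mode construction described above, as an added example rather than Skype's implementation. Python's standard library has no AES, so HMAC-SHA256 stands in for the 256-bit AES block encryption; the counter layout (stream id plus block index), the function names and the sample data are assumptions. It shows why the counter has to depend on both the stream and the position within it.

```python
import hashlib
import hmac
import struct

BLOCK = 32  # keystream bytes per counter value (HMAC-SHA256 output size)


def keystream_block(session_key, stream_id, block_index):
    """Stand-in for AES-256 applied to the counter under the session key."""
    counter = struct.pack(">IQ", stream_id, block_index)  # assumed layout
    return hmac.new(session_key, counter, hashlib.sha256).digest()


def icm_xor(session_key, stream_id, offset, data):
    """Encrypt or decrypt `data` that sits at byte `offset` of a stream.

    XOR with the keystream is its own inverse, so one function does both.
    """
    out = bytearray(len(data))
    cached_index, block = None, b""
    for i, byte in enumerate(data):
        index, within = divmod(offset + i, BLOCK)
        if index != cached_index:
            cached_index = index
            block = keystream_block(session_key, stream_id, index)
        out[i] = byte ^ block[within]
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def demo():
    """Run the construction on constructed sample data and report properties."""
    # Constructed 256-bit session key: two 128-bit halves, one per peer.
    session_key = bytes(range(16)) + bytes(range(100, 116))
    voice = b"constructed voice frame 0001"
    chat = b"constructed chat message 001"
    long_msg = bytes(range(80))

    c_voice = icm_xor(session_key, 1, 0, voice)   # stream 1
    c_chat = icm_xor(session_key, 2, 0, chat)     # stream 2, own counter space
    bad_chat = icm_xor(session_key, 1, 0, chat)   # misuse: counter reused

    c_long = icm_xor(session_key, 1, 0, long_msg)
    return {
        # Decryption is the same operation with the same counter.
        "roundtrip": icm_xor(session_key, 1, 0, c_voice) == voice,
        # The keystream depends only on position, so a receiver can start
        # decrypting in the middle of a stream (e.g. after packet loss).
        "random_access": icm_xor(session_key, 1, 40, c_long[40:]) == long_msg[40:],
        # Same key and same counter: the keystream cancels and the XOR of the
        # two ciphertexts equals the XOR of the two plaintexts.
        "reuse_leaks_xor": xor_bytes(c_voice, bad_chat) == xor_bytes(voice, chat),
        # Distinct stream ids give unrelated keystreams, so nothing cancels.
        "distinct_streams_leak_xor":
            xor_bytes(c_voice, c_chat) == xor_bytes(voice, chat),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```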

Random number generation

Skype uses random numbers for several cryptographic purposes, such as:

  • Generating RSA key pairs.
  • Protection against replay attacks.
  • Creation of AES key halves for content encryption.

The security of a peer-to-peer (P2P) Skype session depends on the quality of the random numbers generated. The way random numbers are generated, and consequently the possibility of wiretapping Skype, varies depending on the users’ operating system.

Cryptographic systems

Skype uses industry standard cryptography systems to achieve its security goals. The program uses:

  • The Advanced Encryption Standard (AES), which is a specification for encrypting electronic data established by the National Institute of Standards and Technology (NIST) in 2001.
  • RSA standards.
  • ISO 9796-2 systems.
  • SHA-1 functions (hash functions) developed by the US National Security Agency. The functions are part of the federal information processing standards.
  • The RC4 cipher, which is used in popular protocols such as: Transport Layer Security (TLS) - to protect Internet traffic; WEP - for protecting wireless networks.

Key agreement protocol

Key agreement is carried out using a system-wide, symmetric protocol. To protect against eavesdropping, Skype peers challenge each other with random 64-bit nonces. The challenge is then processed and returned signed with the responding peer's private key.

At the same time, the peers confirm the user’s identity (name) and verify the validity of the certificates. Because the certificates contain public keys, each end must verify the other peer's signature. Each user also contributes a 128-bit random code (encrypted username), which is part of the main 256-bit session key.

Automatic update

Automatic updating can be called one of the main risks for wiretapping Skype. This is especially true for versions prior to 5.6 created for Windows or Mac OS. Please note that the update can only be disabled in versions from 5.9 and then only in some cases.

Skype wiretapping

Chinese, Russian and American law enforcement agencies have the ability to listen to Skype conversations. In addition, they have access to users’ personal information, as well as their location. This feature was deliberately added by Microsoft after acquiring the software in 2011. Skype wiretapping is implemented by switching users from client encryption systems to server encryption. This nuance allows the distribution of unencrypted data streams.

This principle was also used in spyware like VoiceSpy, which currently allows you to track users’ personal information and their messages (including speech).

Major security flaws

While Skype encrypts user sessions, other traffic, including call initiation, can be monitored using spyware. Two more dangers lurk in the user's computer systems themselves and in Internet traffic.

In November 2005, a couple of flaws were discovered and corrected. These flaws had allowed attackers to run malicious code on the system:

  1. The first error only affected Microsoft Windows systems. Attackers were able to exploit a buffer overflow and cause the system to either crash completely or execute arbitrary code. To do so, the attackers crafted malformed URLs in the Skype URI format in order to subsequently infect users of the program.
  2. The second security bug affected all platforms. It was used to overflow dynamic (heap) memory and, as a result, made the user's computer system vulnerable to external attacks.

On November 13, 2012, a Russian user published a description of another flaw in Skype security, allowing any unprofessional attacker to hack the accounts of messenger users, knowing only their email and using 7 simple steps. This vulnerability existed for several more months until the developers were able to fix it.

Note that by default, Skype automatically records all call data (but not their content) in the “History”, which is saved on the user’s computer. At the same time, attackers who managed to gain access to the user’s computer system can read this file.

Skype can consume users' Internet bandwidth. Although this fact is described in the license agreement (EULA), the volumes of use of this type of traffic are not specified anywhere.

There are about 20 thousand so-called supernodes in the program, which carry controlled traffic up to 10 Kb/s. The rest of the user data traffic is distributed at a speed of 15 Kbps (data is based on one conference audio file). Such nodes typically do not process more than one relay connection.

Skype's file transfer feature does not integrate with antivirus products. Although at the same time, the program developers claim that the software product was tested on Shield antivirus.

The software system does not document all communication events. This point suggests that system administrators cannot say exactly what the program is doing at a given time. In addition, Skype can be easily blocked using firewalls.

The program reduces network throughput even when idle (not only for supernodes, but also for NAT traversal). For example, if there were only 3 users in the world using Skype, 2 of them would communicate, and the third would still waste Internet traffic, even if he is not using the program at a given time. At the same time, a large number of users can lead to problems with the performance of the user's computer system in standby mode and, as a result, allows the security system to be compromised.

The system unconditionally transmits any flow of messages, obeying only protocols. Also, the program does not prohibit the introduction of parallel sessions.

Lack of peer review prohibits external verification of the security code.

Skype before version 3.0.0.216 created a file called 1.com in a temporary directory that read all BIOS data. The program developers claimed that this was necessary to identify computers and ensure DRM plug-in protection. They later removed this file, but it is not yet known whether the BIOS reading was removed.

The URI handler, which checks the URLs of specific files, uses topic-sensitive comparison techniques and does not check all possible file formats.

While the messenger encrypts most messages, packets containing advertisements remain unencrypted, confirming a cross-site vulnerability. These advertisements can be easily intercepted and replaced with malicious data.

Privacy on Skype may be limited. Although the program encrypts messages between users, a Skype spokesperson does not deny the possibility of intercepting this information. When asked whether the program can eavesdrop on the communications of its users, Sauer K., head of the system’s security department, answered very evasively: “We ensure the security of communications, and I am not obliged to discuss whether we are eavesdropping on our users or not?” This suggests that Skype has the ability to eavesdrop on users.

Security experts Biondi and Desclaux believe that the messenger may have some kind of back door through which the program sends users' personal information. This is confirmed by the presence of hiding the functioning and traffic of the program and the fact that Internet traffic can be sent even when the program is not activated.

Several media sources reported that at a meeting on "legal interception of IP-based services" that took place on June 25, 2008, senior but unnamed officials of the Austrian Ministry of the Interior reported that they could listen to Skype conversations without much problem. The Austrian Broadcasting Society, citing the minutes of the meeting, reported that "Austrian police are able to listen to Skype conversations." The program developers refused to comment on this information.

Mac OS software clients can access secure Address Book information even if Address Book integration (by default) is disabled in Settings. However, users may see a Skype.app warning when attempting to access protected address book information under certain conditions. For example, when launching a program while it is synchronizing with a mobile device. Please note that Skype has no legal basis for accessing your address book unless integration is enabled. In addition, a degree of integration such as adding all contact numbers in an address book to a Skype list along with their phone numbers can be done without having access to any protected information (name, numbers, additional data). Thus, attempting to access information is outside the scope of the integration, regardless of whether the permission is enabled in the settings or not.

Today, everyone knows that the popular Skype program has gained fame all over the world. Using Skype, we can correspond with relatives, friends, work colleagues, make free or paid calls around the world, practice foreign languages, transfer files, conduct video conferences, make conference calls, and play.

We can talk about the benefits of Skype for a long time. Just a few hours ago, it became known that the Skype source code had been hacked. The hacked code was posted publicly on the file-sharing resource Depositfiles and the world-famous torrent tracker The Pirate Bay, and links to the code were posted on the publisher's blog. According to RIA Novosti, the person who hacked the source code of the VoIP telephony leader Skype is an independent developer, Efim Bushmanov. It is reported that Mr. Bushmanov made a statement from which it is clear that he has the source code of the popular IP telephony service Skype and the data encryption mechanism built into the program, and that he posted this data on the Internet. Efim Bushmanov also calls himself a “freelance researcher.” He explained the purpose of his action as a desire to make Skype open source software.

As a result, according to the “freelancer,” everyone is able to download Skype and to program and customize the client to suit their own goals and needs. It is alleged that an experienced hacker was able to obtain sensitive information about the Skype protocol, including information about the encryption mechanisms used in the program, using so-called “reverse engineering” methods (studying the code of a program in order to find out how it works).

Skype management states that unauthorized use of the service code amounts to a violation of the company's intellectual property rights. Skype spokesperson: "We will take all necessary measures to stop these nefarious attempts to undermine Skype." It is assumed that Efim Bushmanov is a pseudonym and experts believe that he lives in the Russian Federation or is a native of Russia. Let's remember that at the beginning of last month Skype was acquired by Microsoft for $8.5 billion.


Yesterday we released the first alternative client for the popular Internet communication program - Skype. Unlike previous applications, this is not a shell for the web version, but a full implementation of the interaction protocol.

The client code is written in C using .NET Framework 4 and is distributed free of charge under the GPL license. The author spent several years studying the protocol and reverse engineering. At the moment, Skype protocol version 5.5 is implemented and only text messages work.

The program is currently designed to work on Windows, but given its free license, you can expect that a version for Linux will soon appear. In the meantime, the program can be run and tested in Wine, but for this you must have .NET Framework 4 installed.

First, after launch, we see a window for entering login and password:

To send messages, first select a contact by double-clicking, then click the Refresh VCard button to get information about it.

Then you can type and send messages. To download correspondence history, click Resv MSG. In the future, we plan to remove these buttons and make these actions automatic. The program is not very stable yet, but you can see that the main functionality works.

You can download the source and executable files of the program at.

Simson L. Garfinkel

Introduction: Voice over IP and Skype

Due to the increasing rate of use of high-speed Internet access, an increasing number of companies and private users are beginning to use the Internet as a means of making phone calls. This technology is called Voice over Internet Protocol (VoIP).

All telephone systems in the world use a microphone to convert sound waves into electrical waves, and a loudspeaker to convert electrical signals back into sound waves at the other end of the line. But this technology, used to link the microphone and loudspeaker, has improved significantly over the past 125 years. Earlier systems connected the microphone directly to the loudspeaker via copper wire. In the 1970s, AT&T used the first systems that could send multiple phone calls over a single wire, converting each phone call into a stream of digital data. VoIP systems continued this evolution by taking independent digital data, compressing it, breaking the streams into data packets, and sending those packets over the Internet. Naturally, upon receipt this process went in the opposite direction.

With a VoIP system, two people can talk to each other using headphones and microphones connected to their computers. Alternatively, a VoIP adapter can be used to translate audio signals from standard analog phones into Internet packets. VoIP gateways connect Internet systems to public switched telephone networks (PSTN). As a rule, the use of these gateways is paid. Companies like Vonage sell customers a package that includes a VoIP adapter and the ability to use that company's VoIP gateway, giving Vonage customers the illusion of using a regular phone, with the only difference being that they have to connect the Vonage adapter to their cable modem or home network, rather than to a pair of wires going to the telephone company's central office.

There are many different, generally incompatible technologies for sending voice over the Internet. The International Telecommunications Union H.225 standard provides voice and video teleconferencing; The Internet Engineering Task Force (IETF) uses an incompatible system called Session Initiation Protocol (SIP). Cisco has developed a patented system called Skinny Client Control Protocol (SCCP).


Skype is a patented VoIP system that was developed by Skype Technologies S.A., a corporation registered in Luxembourg. This company was founded by Janus Friis and Niklas Zennstrom, the same entrepreneurs who developed the popular file sharing system KaZaA. Like KaZaA, Skype is based on peer-to-peer LAN technology: instead of passing all calls through a central server, as Vonage does, the Skype client searches for and finds other Skype clients, then builds a network from these connections that can be used to find other users and send them messages. But unlike KaZaA, which derives its revenue from advertising, Skype is currently free of add-ons and spyware. Instead, Skype generates revenue by charging users to use the terminal gateways that connect the Skype network to the public telephone network.

Skype compared to other VoIP systems

Skype differs from other VoIP systems in several key ways:

  • Skype is quite popular. During the first week of operation in August 2003, more than 60 thousand people downloaded the Skype client. Today Skype is available for the following operating systems: MS Windows, MacOS, PocketPC and Linux. In October 2004, the creators of Skype announced that their program was already used by more than a million people.
  • Using the Skype software and network is free; there are only nominal prices for calls made using the SkypeOut and SkypeIn features, which allow calls to be made from Skype to the public telephone network.
  • Skype is much easier to use than any other VoIP system. The Skype client is quite easy to install. Other than selecting a username, no other configuration is required. And unlike the SIP system used by Vonage, Skype clients work seamlessly behind firewalls and Network Address Translation (NAT) systems.
  • In addition to voice telephony, Skype supports instant messaging, search and file transfer.
  • Skype uses encryption. Unlike traditional telephone communications and other VoIP systems, Skype states that the transmission of all information is encrypted using 128-bit or higher cryptographic codes, which, according to them, makes it almost impossible to passively intercept Skype conversations and to decipher and hear their content.

Skype versus ISDN

ISDN is another type of digital telephone system that is popular in Europe and Asia. ISDN is similar to VoIP in that audio is digitized and sent over the network, and that ISDN phone lines require special equipment to be used.

  1. While Skype uses the Internet, ISDN uses regular telephone lines.
  2. While Skype is encrypted, ISDN phone calls are generally not encrypted unless specially encrypted ISDN phones or faxes are used. (Such equipment exists, but is available in limited quantities.)
  3. While Skype is a free program, it is quite rare to find free ISDN phone calls.
  4. Skype does not support video conferencing, while this feature is present in many ISDN systems and in Apple's iChat program.

Overall, Skype seems to be extremely useful for individuals and organizations that need high-quality voice communications and have access to broadband Internet.

Skype program in comparison with other peer-to-peer systems

Although Skype uses peer-to-peer communication to locate other Skype users and forward voice messages, there are many ways in which Skype differs from other "pure" peer-to-peer systems:

  1. Skype relies on a central identity server to identify users and distribute software.
  2. Some Skype nodes have the status of special nodes, so-called "supernodes".
  3. When Skype runs on a computer that has a public IP address and is not behind a firewall, it itself becomes a “supernode.” These computers are used as rendezvous points so that computers behind firewalls can communicate with other Skype users. Although Skype refuses to explain the details of its protocol, it is likely that computers behind firewalls scan the Internet for supernodes, then form and maintain long-term connections with those other computers. Supernodes then become authorized points for communication with points that are behind firewalls and with which communication is complicated.

When using the SkypeIn or SkypeOut functions, all information necessarily passes through Skype servers, which are located in different countries and dialing areas.

Skype program in comparison with KaZaA

KaZaA is a popular file sharing program. Although the sharing of some files through this program occurs with the consent of the copyright owners, it nevertheless appears that the main use of KaZaA is the illegal exchange of unlicensed copies of music and film files.

Two versions of the KaZaA program are distributed. The free version is supported by advertising, while the paid version, which costs about $25, is ad-free. Advertising in the free version of KaZaA is placed there by software developed by GAIN. This kind of software is often called "spyware" because it tracks the websites that users visit and places advertisements there accordingly. KaZaA disputes the claim that GAIN is spyware: they claim that the program cannot capture keystrokes, analyze files on the hard drive, or communicate user information to third parties. Moreover, this software can be easily removed using the standard Windows Add/Remove function.

It is unlikely that the GAIN program can in any way influence the confidentiality or reliability of telephone calls made by Skype users to users of the KaZaA 3.0 program; there is no effective way to analyze the content of conversations for targeted advertising without having humans listen to the conversations, and the costs of such monitoring would be prohibitive compared to the potential advertising revenue.

However, Civil Society organizations should try to avoid using a program like KaZaA. Since KaZaA is used primarily for file sharing, against the wishes of copyright owners, it is highly likely that KaZaA users will store illegal copies of music and movies on their computers. Organizations are not advised to store such files on their computers because possession of such a counterfeit collection may result in legal liability.

Using Skype when connecting using the Dial-Up method

The use of Skype was tested under the conditions of Dial-Up dialing to an Internet provider when connected via an analog telephone line at a speed of 26 Kbps. The sound quality at this speed degrades significantly.

In order to use dial-up telephone lines, it is advisable to unload all programs that also use the Internet. For example, all Internet browsers and email programs must be turned off. Skype will also work better if callers avoid talking at the same time, as this minimizes bandwidth requirements.

Used in this manner on low-speed dial-up lines, Skype produces sound quality that is noticeably inferior to analog telephone lines.

However, the advantage of Skype is its low cost and the security that results from the use of encryption. In situations where international calls are prohibitively expensive, or where government or telecommunications interception of calls is a cause for concern, the use of Skype should be encouraged.

Skype reliability

Is Skype reliable? Is it safe to use? Is a call made on Skype much more secure than an analogue or ISDN phone call? How reliable is Skype compared to other VoIP systems?

Answering these questions is not so easy. Reliability is a very abstract thing that is difficult to analyze in isolation: to evaluate the reliability of Skype, you need to consider certain types of threats and then decide whether the way the program works is able to withstand these threats.

The following distinctive features of system reliability are of key importance for an organization working in the field of Civil Society and using the Skype program:

Confidentiality

Does Skype allow others to eavesdrop on conversations?

Identification

If you called another user for a conversation on Skype, are you sure that you reached the exact user whose name you used when dialing?

Availability

Does Skype always work if both users have access to the Internet, or are there cases when you do not see the user even if you both have downloaded this program? Can the current conversation be interrupted?

Fault tolerance

If Skype's network or infrastructure is disrupted or damaged in any way, can Skype users still communicate while the network is damaged?

Sustainability

If Skype's network or infrastructure is disrupted or damaged such that Skype can no longer function, can Skype users quickly reconnect with each other?

Integrity (of conversation)

Are some conversations lost when sending them via Skype? Do the transferred files arrive undamaged?

Compatibility

How can using Skype affect the use of other applications on a user's computer or network? Other programs that use peer-to-peer access come with spyware modules; what about Skype?


To answer these questions, I corresponded with Kat James, who is Skype's US PR and media representative; Toivo Annus, a Skype developer; and Kelly Larabee, another Skype press attaché. I also spoke briefly with Kelly Larabee on the phone about this issue.

In addition, I conducted a preliminary analysis of Skype call packets transmitted over the network, recording all information packets, before and after Skype calls, going to and from the computer on which the Skype software is used.

Confidentiality

The security of information that is sent encrypted or compressed depends on many factors, including the specific encryption and compression algorithms used, how the encryption keys are chosen and how those keys are exchanged (known as key management), the implementation of those algorithms, the protocol that uses them, and the implementation of these algorithms and protocols in the software.

Analysis of the packets sent between Skype users shows that a combination of protocols is used to register on the network, search for other users and make phone calls. It appears that the program uses a version of the HTTP protocol to communicate with the Skype server ui.skype.com (which is apparently located in Amsterdam) in order to authenticate usernames and passwords and register directly with the Skype server. A modified version of the HTTP protocol is used to transfer information to other Skype clients. Lastly, an encrypted protocol is used to transfer voice and text messages, as well as files.

Using Skype on a Macintosh computer, I made a call from Boston, Massachusetts, USA to Budapest, Hungary, during which I exchanged instant messages and also sent a file. I recorded all of the information packets. After analyzing them, I found that my Skype client in Boston first contacted a computer in the UK, apparently to check that I was using the latest version of the Skype client, and then searched the Skype network to find the person I was calling.

(The technology Skype uses for search and directory management is similar to that used by a system called PeerEnabler from Joltid, "whose original leaders and developers come from KaZaA and the FastTrack peer-to-peer network." Skype's press officers insist that Skype does not use either PeerEnabler or the FastTrack network, but another program with similar characteristics.)

After the search was completed, a series of information packets were exchanged with a computer in Hungary, which continued throughout the conversation. All these packets were beyond my ability to decrypt, perhaps because they were encoded or compressed with an undocumented compression system.

Based on the analysis of the captured information packets, I can conclude that while the current exchange of information between Skype clients can be encrypted, searches on behalf of Skype users, including searches necessary to initiate Skype calls, are observable by the Skype network.


This means that even unprivileged network participants can analyze traffic and determine that one user is calling another. It is unknown whether the Skype network allows some hubs to view all search queries and call logs, or whether each hub can instead see only a portion of the total traffic.
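The limits of the packet analysis described above, as an added example (not code from the original article): over a constructed capture, a passive observer still recovers who talked to whom and for how long, while byte entropy alone cannot tell encrypted payloads from merely compressed ones. The addresses, payloads and the 7.0 bits-per-byte cut-off are assumptions made for the illustration.

```python
import math
import random
import zlib
from collections import Counter, defaultdict

HIGH_ENTROPY = 7.0  # bits per byte; assumed cut-off for this illustration


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def summarize_flows(packets):
    """Fold (time, src, dst, payload) records into one summary per host pair."""
    flows = defaultdict(lambda: {"times": [], "data": bytearray()})
    for ts, src, dst, payload in packets:
        flow = flows[tuple(sorted((src, dst)))]
        flow["times"].append(ts)
        flow["data"] += payload
    summary = {}
    for pair, flow in flows.items():
        entropy = shannon_entropy(bytes(flow["data"]))
        # High entropy cannot separate ciphertext from compressed data.
        content = "encrypted-or-compressed" if entropy >= HIGH_ENTROPY else "readable"
        summary[pair] = {
            "duration_s": max(flow["times"]) - min(flow["times"]),
            "bytes": len(flow["data"]),
            "entropy": round(entropy, 2),
            "content": content,
        }
    return summary


def constructed_capture():
    """Constructed sample traffic; addresses come from documentation ranges."""
    rng = random.Random(2005)
    me, login, peer_a, peer_b = "192.0.2.10", "198.51.100.1", "203.0.113.5", "203.0.113.9"
    words = ["hello", "budapest", "boston", "call", "file", "voice", "text", "skype"]
    speech = " ".join(rng.choice(words) for _ in range(20000)).encode()
    compressed = zlib.compress(speech)  # compressed, NOT encrypted
    cipher_like = bytes(rng.getrandbits(8) for _ in range(len(compressed)))
    request = b"GET /constructed-version-check HTTP/1.1\r\nHost: login.example\r\n\r\n"
    packets = [(0.0, me, login, request), (0.4, login, me, b"HTTP/1.1 200 OK\r\n\r\n")]
    # Split each bulk payload into 512-byte packets, one every 0.5 s.
    for start, peer, blob in ((1.0, peer_a, compressed), (1.0, peer_b, cipher_like)):
        for i in range(0, len(blob), 512):
            packets.append((start + i / 1024, me, peer, blob[i:i + 512]))
    return packets, (me, login, peer_a, peer_b)


if __name__ == "__main__":
    capture, _ = constructed_capture()
    for pair, info in summarize_flows(capture).items():
        print(pair, info)
```

Both peer flows land in the same "encrypted-or-compressed" bucket even though only one of them stands in for ciphertext, which is why a capture alone cannot confirm a vendor's encryption claims.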

What if Skype actually uses encryption?

Skype says its systems use the RSA encryption algorithm for key exchange and 256-bit AES for bulk encryption. However, Skype does not publish its key exchange algorithms or its network protocol, and, despite repeated requests, refuses to disclose the principle underlying the identification system of its certificates or the implementation of encryption. Therefore, it is impossible to confirm the company's own statements regarding the encryption process. It is quite possible that the data, although encrypted, is not secure enough.

Even if Skype does provide encryption, it is possible that Skype transmits encryption keys over voice channels (which may be encrypted with a different set of keys) or archives the keys on the user's hard drive in some other way. Access to these keys would allow third parties to decrypt recorded Skype conversations. Such a key-sharing feature could be built into Skype, either for testing or at the request of police or intelligence agencies. Even if Skype does not currently have such monitoring features, they may be added in the future, and the modified client could then be distributed throughout the Skype network, either to all users or to those who meet certain selected criteria.

The above situation must be taken into account. A conversation on Skype is significantly more confidential than a conversation on a traditional analogue or ISDN phone. Telephone conversations can be listened to by anyone with physical access to the telephone line at any point between the speaking parties.


The strength of Skype encryption in general

Skype is also more secure than today's VoIP systems, since encryption is not part of most VoIP offerings. However, it is possible to secure a VoIP conversation by routing VoIP traffic through a virtual private network (VPN).

A system using VoIP over a VPN is arguably more secure than Skype, provided the VPN is configured correctly.

It is important to understand that the security of Skype can be undermined by spyware modules or other types of tracking programs running on the user's computer. For example, programs such as Netbus and Back Orifice allow unauthorized persons to turn on a computer's microphone and send sound recordings over the Internet to someone else's computer. Such a program can eavesdrop not only on Skype conversations, but also on any other conversations that occur in the office where the computer running Skype is located.

There are other points regarding Skype security that users should be aware of:

  • Although it appears that the Skype client does not record or store Skype conversations, it can log text message history in an archive file for each user. Skype logs completed conversations by default; in other words, all text messages are recorded until the user takes action to turn logging off. These files can be extracted using spyware modules, other remote applications, or unauthorized physical access to the computer system.
  • Since all Skype users are loaded into the same so-called "cloud", any Skype user can find out if any other user is currently logged in to the program.
  • It is unclear whether hubs can monitor voice traffic that passes through them. Skype representatives claim that such monitoring is impossible due to the use of encryption. It is reasonable to assume that such monitoring is truly impossible. It is also possible that Skype employees think that such monitoring is impossible, but there is some flaw in their protocol or system design that makes it possible. Many similar flaws were found in other cryptographic protocols after they were deployed.
  • SkypeIn and SkypeOut can use encryption up to the Skype gateway, but phone conversations are then decrypted and sent over the standard public telephone network. That is, at this point, calls can be subject to illegal listening and monitoring.

Ultimately, you need to remember that the security of the Skype system also depends entirely on the conscientiousness of Skype's programmers and on how the Skype servers are run. It is possible that there are loopholes in the system that allow Skype or other companies to eavesdrop on or record Skype conversations. Theoretically, Skype's developers could even build a backdoor into the system that could use a special program to turn on the microphone on the computer to either record all the sounds in the room on the hard drive or send that data over the Internet to another computer. Similar loopholes and traps can also be introduced into any Skype program, or these features can be added later to individual users' Skype programs.

Identification

Each Skype user has a username and password. Each username is registered to a specific email address. In order to log in, the user must enter his username and password. If the password is lost, Skype will change the password and send a new one to the user's registered email address. This approach is called Email-Based Identification and Authorization; the Skype client also has the ability to “remember” usernames and passwords and perform automatic logins.

An additional complexity to the Skype system is its network. It appears that the Skype network is used to authenticate usernames and passwords, but it is not entirely clear how exactly this is done. For example, Skype hosts can send an encrypted combination of usernames and passwords back to the Skype servers for authorization. They can also send back an unencrypted combination of usernames and passwords. The Skype network may not be involved at all, and all information transfer between Skype clients may serve other purposes. However, if the Skype network is still involved in this, then several attack options are possible:

  • A Skype client can find out the name and password of registered Skype users and then use this information for evil purposes.
  • If a Skype user gains access to the Skype network through a malicious ISP, it is possible that that ISP could forward information originating from that user to the attacker's Skype host. Thus, this Internet provider has the opportunity to find out any of the Skype user passwords.
  • Also, the attacker's node can imitate real identification, which will allow the client to log into the system as another Skype user, even if the password of this user is not known.

Since Skype is a voice communication system, its users can identify the people they are communicating with by their voice. That is, the voice has biometric qualities. However, this does not work when communication occurs only through the exchange of written messages and files.

In a normal situation, Skype's authentication system appears to provide the same level of identification as other username and password based systems such as AOL or HotMail. That is, most people can control their mailboxes, but sometimes attackers can find out someone else's password through guesswork, social engineering, the use of keyloggers, or through an intercepted message used to recover the password. Computer administrators can also give away passwords, set new ones, or otherwise allow attackers to impersonate a registered user. At the same time, it can be assumed that the person you are communicating with on Skype is actually the one whose name you see, but you do not have an absolute guarantee of this.

Availability

One of the great engineering achievements of the 20th century was widespread access to the public telephone network. In many countries, users experience minor downtime of as little as 5 minutes per user per year or less, which is equivalent to 99.99905% availability.

Although the original design of the Internet assumed that the network could withstand the loss of some critical links (see the chapter on "fault tolerance" below), this has only recently become a goal of Internet equipment designers and manufacturers.

The quality of Internet service in general is still inferior to telephone service. Thus, it is possible that telephone calls over the Internet are less available than calls over public telephone networks. (Some commentators have noted that the availability of telephone networks is decreasing due to deregulation, and that the availability of a single system is less important given the widespread availability of multiple overlapping mobile networks.)

Additional factors may undermine the potential availability of Skype. Since the Skype client relies on username and password authentication, it is possible that the entire Skype network will cease to function if the Skype authentication servers fail or are otherwise unavailable. Existing VoIP systems do not have this problem, although those systems that rely on a single gateway service will experience a general breakdown if that gateway fails. (For example, all Vonage users will be unable to use telephone service if the Vonage gateway fails.)

Fault tolerance

The design of the Internet allows Internet service providers to choose how fault-tolerant they want their systems to be. If an organization connects its mail server to the Internet using a single DSL line, and that line goes down, then mail will not work. On the other hand, if an organization has two DSL lines, email will keep functioning if one of those lines breaks down. Fault-tolerant systems are usually more expensive than systems with a single point of failure. In addition, fault-tolerant systems only rarely provide better day-to-day performance than non-fault-tolerant systems. As a result, most Internet users and Internet service providers do not use systems that can withstand the accidental failure of one or more of their components.

It is not known whether Skype identity servers can withstand network outages or attacks.

Sustainability

Packet-switched networks are incredibly resilient. In most cases, Internet connections can be restored faster than traditional telephone networks by deploying wireless network technologies. An additional benefit of Skype and other VoIP systems is that these systems were designed with mobile users in mind. They are not affected when a user's IP address changes. As a result, Skype and other VoIP systems in general are more resilient to network outages. If the network in a building goes down, you can simply take the computers or VoIP phones, move them to another location and connect them again. Once your computer is registered with the Skype network, you will be able to make and receive calls regardless of your new location.

On the other hand, Skype clients would almost certainly not be able to function if Skype's reverse identity network became unavailable. This can happen as a result of a network breach, certain types of hacker attacks, hostile intrusion, or in the event of the closure of the parent company. In this case, the Skype network may become unavailable to some or even all Skype users.

Conversation Integrity

The conversation integrity provided by Skype has not been fully explored.

However, in practice, Skype transmits voice well, and text messages and files are also transmitted without distortion. But when using Skype on 802.11 wireless networks, voice quality suffers significantly.

Compatibility

It is clear that network administrators are concerned about the security of software downloaded by users, the use of which may have unpredictable consequences.

Many universities, for example, complain that students using file-sharing systems like KaZaA consume large amounts of traffic and potentially expose their schools to legal action from owners whose copyrights may be infringed. KaZaA users can also share the contents of their computers without even being aware of it.

Since communication using Skype is limited to voice only, the overall network load created by the “supernode” must be doubled due to the node acting as an authoritative node and duplicating communications.

It is not known how this can be avoided.

Overall, Skype appears to be more secure than traditional analogue or ISDN telephony, but no more secure than VoIP systems using virtual private networks (VPNs). There is a possibility that the Skype system could be hacked by an experienced specialist or a targeted attacker.

When using Skype, the following recommendations may be helpful:

  1. Make sure that every computer on which you use Skype is free of spyware, adware add-ons, remote control programs, worms and computer viruses.
    • All computers running Windows software should have the latest anti-virus and anti-spyware software.
    • You can download a free antivirus program
    • You can download a free anti-spyware program
  2. Although there is a small risk when using Skype to communicate with KaZaA 3.0 users, KaZaA 3.0 should not be used as a replacement for Skype given the potential liability that arises when proprietary files are shared without the permission of their owners.
  3. The username and password combination for Skype should not be used for any other programs.
  4. The username used for Skype should not be easy to guess.
  5. It should not be associated with the user name, organization name, or generally known facts about the user.
  6. Usernames and passwords should be changed on a regular basis, especially if Skype is used to transmit sensitive information. When usernames are regularly changed, it becomes more difficult for an attacker to track the actions of a specific user. And regularly changing passwords reduces the time period during which a given password can be used.
  7. Although Skype claims that the Skype network cannot be used to spread computer viruses, the truth of this claim has not yet been proven. In particular, a buffer overflow in the voice decoder allows another Skype user to execute commands on the system on which the user was working.
    In addition, files transferred via Skype may contain viruses and/or spyware.
  8. Remember that even though Skype is most likely encrypted, the conversation will be decrypted on the other end. There is no way to make sure that the person you are talking to is not recording your conversation. The use of encrypted conversations is not a substitute for being careful about the content of what you say on Skype.