Skype Journal: Does Skype offer "best-in-class" Security?
March 27, 2005 06:05 PM
Is Skype security really a "concern"? Or is it already best in class? I was pointed by Neville Hobson to the newest release of "VoIP and Skype Security" (by Simson L. Garfinkel) released by The Tactical Technology Collective, an Amsterdam-based non-governmental organization.
The speculation may be a moot point. While the article details potential risks, a balanced reader would draw the conclusion that Skype, relative to other VoIP products, ISDN and the phone system, is already very secure. At the end of the article the author suggests eight strategies. If you follow 1 through 6 and appropriate CIA codes and never operate for more than 3 minutes or behind a firewall then you will probably be as secure as anyone on earth that uses a phone. Put 100 million users on Skype and it will be hard to find you. Add your own audio encryption on the PC ends and you are probably safe. New names for every call etc.
Overly dramatised? Perhaps! The point is this article raises important security questions. However, for the most part you should direct them at both Skype and everyone else in the VoIP, ISDN and telecom market. The new article is much improved, with clear input from Skype staff. The question I would pose is:
What products outside of VPN offer better security? If so, what is the cost of adding that level of security and for whose benefit is it? What risk on security are we really running? Disenfranchised employees may well be a larger security risk. Two key types of security risks are identified: 1) boundary: access through the firewall, and 2) system failure: do you have a backup plan?
There are some points of fact that require further revision.
1. On Page 3 Simson states that "voice quality was significantly degraded" when connected via a dialup modem at 26 kbps. The minimum specification stated by Skype is 32 kbps so why is this point in the document?
2. On page 6, Simson says, "It is not known if a supernode can monitor the voice traffic moving through it." It has not yet been shown that in fact voice traffic is ever carried by or through a supernode. This thread on the Skype Forum with comments from Skype Staffer jaan seems to indicate it does not. In fact Skype has said that the maximum bandwidth used on a Supernode is 5kbs. Since a call requires a minimum of 32kps you can be sure that the supernode never has access to your encrypted voice stream.
3. On Page 8, another error of fact. "...when Skype is used over an 802.11 wireless network. In this case, voice quality suffers considerably." I suggest some 20 percent of Skype Users in fact use Skype on such a network. I know of no degradation.
For more information on Skype security I recommend this thread on the Skype Forum. Of particular note is Jaan's comment that sums up all of Simson's concerns in one line instead of 9 pages, "security: well, it should be obvious that one should not use Skype security layer to run a bank."
We'd suggest that there are some "security" tweaks you could pursue today to protect your organization from some of the risks listed in Simson's article and get going with Skype. We understand the enterprise has specific security needs. We believe many of these can be handled with an appropriate SkypeAPI enabled plug-in. That would be a great first step in "building a test case" and developing an effective "enterprise" Skype strategy.
TrackBack (1)
» Skype NAT Traversal Mystery No More from Aswath Weblog
Very many people have claimed that one of the attractive aspects of Skype is that “it just works” behind almost all kinds of NATs and Firewalls. It was revealed more than a year ago that the scheme Skype uses is...
Tracked on April 25, 2005 10:51 PM
Comments (11)
Has there been any peer review of Skype's encryption?
Do we in fact know anything about the strength of this encryption?
And if it's good, can we expect various governments to demand a back door?
Posted by: Julian Bond at March 27, 2005 11:20 PM
Do I understand that you claim that voice stream does not pass through a third Skype client (Supernode or not)? If so, tell me how does Skype traverse symmetric NATs or even port restricted NATs? I understand that some countries have symmetric NATs in the ISP. Skype users of these ISPs require a media proxy node (probably Skype does not call them supernodes).
Posted by: Aswath at March 28, 2005 7:31 PM
Hey Aswath!
Actually I do not claim that, no one outside Skype knows exactly how the Skype application works. Skype Staff have said several times that the maximum bandwidth the supernode deals with is 5 kbs. A voice channel requires 32 kbs.
The same point goes for how the Skype application traverses any NAT. No one really knows. However Skype staff have referenced this paper by Ford: http://www.brynosaurus.com/pub/net/draft-ford-midcom-p2p-03.txt several times on the Forum. The Skype web site: http://www.skype.com/help/faq/filetransfer.html also suggests using a site I believe was developed by Ford: http://midcom-p2p.sourceforge.net/ to test that your router is UDP friendly.
None of this tells us how the Skype application works, but it helps me understand the technology a little better.
After a couple of years monitoring Skype Connections I have failed to find a voice channel through a supernode. So, if they exist, they are hard to find. :) :)
I do not fully understand your question about media proxy nodes. Maybe you could help me. I have certainly noticed that Poland for one has many ISPs requiring users to use a proxy server.
Maybe someone else will contribute an answer to your question.
Thanks for your comment. I hope I have been helpful.
Regards, Bill
Posted by: Bill Campbell at March 28, 2005 10:35 PM
This paper from Columbia (http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf) seems to suggest (page 9) that in certain cases the media need to be routed through a third Skype client, which I call a supernode. My guess is that either your client is on public Internet or behind a full cone NAT; that would explain your observation. I am told that some ISPs place a symmetric NAT in their network. Skype needs to use "media proxies" or supernodes to serve Skype users who are served by these ISPs. In my previous comment I was suggesting that there are instances (that are outside the control of the user and Skype) when a media proxy needs to be used.
Posted by: Aswath at March 29, 2005 10:41 AM
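The NAT distinction this exchange turns on, as an added example that is not part of any comment or of the original post: a toy Python model of UDP hole punching through full cone, port restricted and symmetric NATs in the RFC 3489 sense. Class and function names are hypothetical and the addresses are constructed documentation-range values; the model makes no claim about Skype's implementation and shows only when two NATed peers can reach each other directly and when their traffic has to pass through a third node.

```python
import itertools

RENDEZVOUS = ("198.51.100.1", 3478)  # constructed address of the third node

class Nat:
    """Toy NAT in front of one host: models port mapping and inbound filtering."""
    def __init__(self, public_ip, kind):
        self.ip, self.kind = public_ip, kind
        self.next_port = itertools.count(40000)
        self.mapping = {}    # mapping key -> public port
        self.contacted = {}  # public port -> remote endpoints the host has sent to

    def send(self, dst):
        """Send one outbound packet; return the source endpoint the world sees."""
        # Symmetric: a new public port per destination. Cone: one port for all.
        key = dst if self.kind == "symmetric" else None
        if key not in self.mapping:
            self.mapping[key] = next(self.next_port)
        port = self.mapping[key]
        self.contacted.setdefault(port, set()).add(dst)
        return (self.ip, port)

    def accepts(self, src, port):
        """Would an inbound packet from src to our public port be let in?"""
        if port not in self.contacted:
            return False
        if self.kind == "full_cone":
            return True  # any remote host may use an existing mapping
        return src in self.contacted[port]  # only endpoints we sent to first

def media_path(kind_a, kind_b, rounds=3):
    """Return 'direct' if hole punching opens a path, else 'relay'."""
    a, b = Nat("203.0.113.10", kind_a), Nat("203.0.113.20", kind_b)
    # Both peers register; the third node learns each public endpoint.
    seen_a, seen_b = a.send(RENDEZVOUS), b.send(RENDEZVOUS)
    for _ in range(rounds):
        if b.accepts(a.send(seen_b), seen_b[1]):
            return "direct"
        if a.accepts(b.send(seen_a), seen_a[1]):
            return "direct"
    return "relay"

if __name__ == "__main__":
    kinds = ["full_cone", "port_restricted", "symmetric"]
    for ka, kb in itertools.combinations_with_replacement(kinds, 2):
        print(f"{ka:16} <-> {kb:16} {media_path(ka, kb)}")
```

In the pairs that come out as `relay`, the endpoint each peer advertised through the third node is not the one its NAT uses toward the other peer, so the encrypted media has to transit another host.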
Hey Aswath!
Welcome back. :) :)
I am glad you brought this "paper" up. I commented on it in the Forum back in January in the Skype Forum: http://forum.skype.com/viewtopic.php?p=69679#69679 and in the same thread Skype Staff jaan supported my thoughts.
I should be flattered, this paper has cited for Reference (# 7), an article I wrote for Skype Forum Members, but flattered I am not. At least this paper uses the word “conjecture” six times, although the synonym, “guess” would have more effectively communicated the situation. The paper makes a good effort, but the experiment is flawed. The authors collect their data from two computers with CPUs of vintage P2 200 MHz, whereas the minimum specification for Skype to perform to specification is a 400 MHz. Not good science when your goal is to find out how something works, not how it doesn’t work. Perhaps that is one reason the paper remains in the “unpublished” category.
Skype does not need proxies. Many users (millions I suspect) operate behind proxy servers. Sometimes to conserve bandwidth and sometimes for security. Skype has provisions to support operating in a proxy environment.
Again, I hope I have been helpful Aswath.
Regards,
Bill
Posted by: Bill Campbell at March 29, 2005 5:51 PM
Bill, thanks for patiently explaining your observations and understanding regarding Skype. I agree that we have our differences and only time will reveal the true workings of Skype.
For example, the Nokia paper that you reference in the Skype forum also says that depending on the nature of NAT/Firewall, the media need to be relayed through a third point. As you suggest that if Skype is able to do it otherwise, IT is the revolutionary aspect of Skype. Or there is another explanation for your empirical observations. I am sure that you will agree with me that if we don't understand them and the conditions change, then the system may not function as expected. For example, if the ISPs introduce symmetric NATs, then the population of supernodes will be thinned and the viability of Skype will be in question. Also, as I claim and the Nokia paper agrees, that the users belonging to these ISPs will require media relay points again threatening Skype architecture.
I recall one blogger praising Skype during initial days that Skype is able to go through all NATs and Firewalls. Recently, he told us that he doesn't use Skype whenever he visits his customers because of the difficulty in traversing corporate firewalls.
In any event I appreciate your taking time and responding to my comments.
Posted by: Aswath at March 30, 2005 4:56 AM
Hello again Aswath!
You keep bringing up "media" being relayed. Media to me refers to the voice traffic. NAT traversal means traversing the NAT, not going around it. Supernodes manage the NAT traversal and allow the set up of a peer to peer connection.
Now, SIP on the other hand, does propose a "media proxy" as a solution to a problem SIP has in traversing NATs. Many papers that discuss the traversal problem discuss both SIP and Skype in the same pages. Maybe this is causing confusion. I do not pretend to know how Skype works; but work it does.
However, you are correct when you suggest that when every computer on the Internet is behind a NAT Router (like me) we will be left talking to ourselves. :) :)
Are there not some simple, practical workarounds to this potential issue?
Regards,
Bill
Posted by: Bill Campbell at March 31, 2005 11:34 AM
Hey Julian!
As far as we know there have been no peer reviews of Skype's encryption.
If the NSA could break it I doubt they would reveal this information; on the other hand if they couldn't break it I doubt they would tell us that either. :) :)
Regards,
Bill
Posted by: bill campbell at April 2, 2005 6:32 PM
Hey Aswath!
You disappeared.
I found you an interesting link from Simson: http://www.interesting-people.org/archives/interesting-people/200501/msg00235.html
We do live in a real world. And we do need to make choices. Skype is a good choice.
Enjoy.
Regards, Bill
Posted by: Bill Campbell at April 3, 2005 9:51 AM
I'd like to address the three points that were raised in objection to my white paper:
1. On Page 3 Simson states that "voice quality was significantly degraded" when connected via a dialup modem at 26 kbps. The minimum specification stated by Skype is 32 kbps so why is this point in the document?
Answer: Because the organization that commissioned the report specifically wanted to know if Skype could be used on dial-up modem connections. At the time the report was written, several Civil Society organizations in countries with repressive governments were interested in using Skype over their dial-up modems, but they had been told by crypto zealots that Skype was not secure. So the primary goal in this paper was to evaluate the security of Skype vs. conventional analog POTS lines, but a secondary goal was to evaluate the usability of Skype over dial-up.
2. On page 6, Simson says, "It is not known if a supernode can monitor the voice traffic moving through it." It has not yet been shown that in fact voice traffic is ever carried by or through a supernode. This thread on the Skype Forum with comments from Skype Staffer jaan seems to indicate it does not. In fact Skype has said that the maximum bandwidth used on a Supernode is 5kbs. Since a call requires a minimum of 32kps you can be sure that the supernode never has access to your encrypted voice stream.
Answer: I submit to you that a posting by a skype staffer doesn't constitute an official policy statement by the company. In any event, how do you know that the maximum Supernode bandwidth is 5kbps? I've heard stories of supernodes pulling down megabits per second.
3. On Page 8, another error of fact. "...when Skype is used over an 802.11 wireless network. In this case, voice quality suffers considerably." I suggest some 20 percent of Skype Users in fact use Skype on such a network. I know of no degradation.
Answer: It's great that you have experienced no degradation. I experienced degradation. When I asked the folks at Skype about the degradation, they said that it frequently happens on 802.11 networks and that they were trying to work around it.
Posted by: Simson Garfinkel at October 11, 2005 4:16 PM
Please, Bill, if you don't understand, don't just parrot other people's conclusions. They might know as little as you. Skype says the limit on supernodes is 5 kilobytes per second (if we can believe that). Calls take 32 kilobits per second. It amazes me how many idiots out there have no idea what the units are. You yourself quote "5 kbs" and "32 kps". I'll help you out here. There are 8 bits in a byte. Thus, 5 kilobytes per second (properly abbreviated kBps or kB/s) is therefore equivalent to 40 kilobits per second (properly abbreviated kbps or kb/s). 5 kBps is therefore larger than 32 kbps. So, a supernode *can* carry other folks' voice traffic, even if we choose to believe Skype's own bit rate limits. And for all those folks that claim they've never seen it happen, so it therefore doesn't? Tell me, if all Skype traffic is so well encrypted that security conscious network admins can't figure it out or block it, then how do these people know their supernodes aren't carrying other folks' voice traffic? Please, if you don't know something to be true, then don't claim otherwise or quote other ignorant people's claims.
Posted by: Holden Tritzhab at January 22, 2006 3:48 PM