Is strong crypto worse than weaker crypto? Lessons from Skype

A mantra in the security community, at least among some, has been that crypto that isn't really strong is worse than having no crypto at all. The feeling is that a false sense of security can be worse than having no security as long as you know you have none. The bad examples include of course truly weak systems (like 40 bit SSL and even DES), systems that appear strong but have not been independently verified, and perhaps the greatest villain, "security through obscurity" where the details of the security are kept secret -- and thus unverified by 3rd parties -- in a hope that might make them safer from attack.

On the surface, all of these arguments are valid. From a cryptographer's standpoint, since we know how to design good cryptography, why would we use anything less?

However, the problem is more complex than that, for it is not simply a problem of cryptography, but of business models, user interface and deployment. I fear that the attitude of "do it perfectly or not at all" has left the public with "not at all" far more than it should have.

An interesting illustration of the conflict is Skype. Skype encrypts all its calls as a matter of course. The user is unaware it's even happening, and does nothing to turn it on. It just works. However, Skype is proprietary. They have not allowed independent parties to study the quality of their encryption. They advertise they use AES-256, which is a well trusted cypher, but they haven't let people see if they've made mistakes in how they set it up.

This has caused criticism from the security community. And again, there is nothing wrong with the criticism in an academic sense. It certainly would be better if Skype laid bare their protocol and let people verify it. You could trust it more.

But what's interesting is that while being criticised in this fashion, Skype has also done more to put crypto into the hands of the public, for use in person to person communications, than anybody. More than Phil Zimmermann's PGP. Certainly more than any other encrypting phone. With Skype, in fact, we have reached an important milestone: The use of crypto in Skype does not immediately tag you as a privacy-concerned cypherpunk. Everybody uses crypto with Skype, so it's not unusual to do so. With all other tools, you have had to go out of your way to get it, and make sure the other person does too.

I believe the push for perfect crypto has resulted in some poor choices by software designers. The vast majority have just left crypto out of their tools. One primary reason is that it's hard to get right. Another is that it often requires a complex UI that users have historically rejected, with certificates and PKIs. There are other reasons, including the export restrictions we at EFF fought like hell to get struck down, but these are important, and these decisions have left 99% of internet traffic unencrypted, or "in the clear."

Skype does what I call ZUI -- Zero User Interface. And the result is millions encrypting. ZUI requires some cryptography compromises. You are a bit more subject to the "man in the middle attack" if somebody can make all your internet traffic go through them. But it turns out anybody who can do that usually has a lot of other ways to get at you, so this is not as much of a compromise as some people think.

Many cryptographers, paid to design security for banks or spy agencies, assume a much too large "threat model" in designing their systems. Because they can design a system that can protect a bank or spy, they ask "why wouldn't you?" And by asking that, I think they have caused more and more systems to have no crypto because the programmers don't have the resources, or won't muck up the UI as might be needed to make the crypto as strong as it can be.

Skype's proprietary nature is also interesting. After giant protocol wars, with SIP the winner, Skype decided to ignore them, and design their own protocol which they keep closed. (They talk SIP to send calls to the regular phone network, but users don't see this.) Doing so gave Skype tremendous latitude of design. They controlled both ends, and did not have to test with other people's software. This allowed them to move more quickly, and create a "just works" application. It's much harder, with open tools, to create a "just works" application because you must make it work with all sorts of software you don't control.

The public loved it. In spite of all the good things about open standards, Skype leapt over them in a few months, by deliberately not letting other people see their protocol and try to talk to it. And so they keep their protocol, and their crypto, locked up. A determined reverse engineer can and someday will decode it, but for now things worked very well for them, and their users seem to agree.

Skype's crypto might have a flaw, but none has been publicised yet. I wouldn't trust it as well as a more scrutinized system, but in fact it's not an all or nothing game as some cryptographers would have you believe. I think you can put a decent amount of confidence in Skype if your "threat model" is the script kiddie sniffing the wireless network at your Starbucks. For that threat, it is a lot better than talking on an unencrypted system, which is what you will get from almost everybody else unless you go to a lot of trouble.

Skype, of course, did this encryption not simply because they believed in it. Skype's architecture routinely routes voice traffic through other Skype users with real IP addresses in order to get past NATs. Had they not encrypted, nasty users running these supernodes would be routinely listening in on the calls going through them, and even putting them up on the web. Skype had no choice but to encrypt. Other VoIP tools tend to only send voice through selected service provider nodes, or do it purely peer to peer, and the opportunity for random wiretap is less (but not zero).

More on the lessons here in an upcoming essay about how Skype could kill SIP.

Comments

If Skype "kills" SIP, it won't be because of anything Skype did particularly well (IMHO). It will be because only Skype seems to get free advertising from any and every commentator.

It seems that the dozens of standards-based VoIP operators almost never get mentioned by name (although they often get acknowledged as a group), despite their millions of collective users and their increased flexibility in how the applications get used. Naming only one or two seems unfair, so only the proprietary S-word gets cited at all. Or, occasionally, some commentator will try to complain about this or that perceived failure of one of the standards-based operators.

You've confused cause and effect. People write about Skype because it is popular and interesting, not the other way around. It got a bit of a publicity pop from its authors' prior success but largely it got there by doing a lot of things right. Simple install, always-works NAT traversal, simple UI, high quality sound codecs.

I challenged the authors of Skype "Why don't you let it call SIP phones?" They answered, "Why, who can you call with SIP?"

Sadly, I determined they were right. There are lots of SIP devices out there, but nobody puts a SIP URL on a business card. The devices all work in their private number spaces or via PSTN connection.

They did put in SIP to do PSTN termination, but they don't let you use it to call SIP phones, and sadly, they don't need to. I had many discussions with many of the leading lights of SIP to ask how many people you could call with a SIP URL, and it's generally accepted it's now a lot fewer people than are on Skype.

It's true: you don't call people with a SIP URL. It would be like dialing on the PSTN with a TID ("Terminal ID", or the actual line address within the switching network). Do you publish a "Skype URL?" No.

Instead, you dial the interoperator code for your provider and "dial through" to the target subscriber. Much like international dialling. And before people criticize it for its "complexity", it's the same as SkypeOut. Except that you can't do it on a closed system such as Skype.

For example, on Pulver's FreeWorldDialup:
http://www.freeworlddialup.com/content/view/full/333/

Sure, the Skype UI did some things well. And the Pulver.communicator does some things well. And other clients do some things well. But if Skype were open and standards based, then the best UI could win. If any other UIs got the sort of proselytization that Skype has had, we'd all be much better off.

But the point is that even though the dream of the SIP URL, which was intended to become like an E-mail address for VoIP, did not get realized, the number of people you could call on SIP phones was still too low for Skype to bother allowing it. At the time I did my study a year ago, there were perhaps 5,000 logged on to FWD at any given time, a few thousands more in the other SIP networks. Vonage allowed SIP interconnect for a while but shut it down. (No, calling somebody with a PSTN termination is not calling somebody with SIP, and in any event, Skype did that pretty quickly.)

If you could find their URLs, there are a modest number of companies and institutions that let you call their phone system with SIP, but the number then, and still today, was a few hundred thousands. Skype now reports typically over 3 million actually logged on and ringable, and far more installed.

I mean to have another thread about this, but ask yourself, how many SIP phones can you ring right now with the normal UI of your device? SIP is being used primarily for PoIP right now (PSTN over IP)

Hmmmm, Skype has not killed VoIP. I accept all that you have all said above; however, the plain fact is that I want people from outside to be able to call me on my landline number AND my SIP if they want to. Astratel did allow this, but I had issues with their service so left, and my current provider does not have VoIP.

Regards.

Graham.
