Skype Protocol

Skype uses a proprietary Internet telephony (VoIP) network. The protocol has not been made publicly available by Skype, and official applications using the protocol are closed-source. The main difference between Skype and other VoIP clients is that Skype operates on a peer-to-peer model rather than the more traditional server-client model. The Skype user directory is entirely decentralized and distributed among the nodes in the network, which means the network can scale very easily to large sizes (currently about 240 million users) [1 million Joost users prepare for year-end launch, http://www.apcmag.com/6774/1_million_joost_users_prepare_for_year_end_launch] without a complex and costly centralized infrastructure.

The Skype network is not interoperable with other VoIP networks. Numerous attempts have been made to study and/or reverse engineer the protocol in order to reveal it, investigate its security or allow unofficial clients.

Protocol

A Skype network is a peer-to-peer network with three main entities: supernodes, ordinary nodes and the login server. It is an overlay network: each client builds and refreshes a list of reachable nodes known as the "host cache". The host cache contains the IP addresses and port numbers of supernodes. Communication is encrypted using RC4; the method used does not provide any privacy but instead merely obfuscates the traffic.

Supernodes relay communications to other clients behind a firewall. Any Skype client can become a supernode if it has good bandwidth, no firewall and adequate processing power. Supernodes are grouped into "slots" (9-10 supernodes). Slots are grouped into "blocks" (8 slots).

Skype also routes calls through other Skype peers on the network to ease the crossing of Symmetric NATs and firewalls. This, however, puts an extra burden on those who connect to the Internet without NAT, as their computers and network bandwidth may be used to route the calls of other users.

The Skype client's application programming interface (API) opens the network to software developers. The Skype API allows other programs to use the Skype network to get "white pages" information and manage calls.

The Skype code is closed source, and the protocol is not standardized. Parts of the client use Internet Direct (Indy), an open source socket communication library.

Protocol Detection

Many networking and security companies claim to detect and control Skype's protocol for enterprise and carrier applications. While the specific detection methods used by these companies are often proprietary, Pearson's chi-square test and stochastic characterization with naive Bayesian classifiers are two approaches that were publicly published in 2007. [Dario Bonfiglio et al., "Revealing Skype Traffic: When Randomness Plays with You," ACM SIGCOMM Computer Communication Review, Volume 37:4 (SIGCOMM 2007), p. 37-48, https://www.dpacket.org/articles/revealing-skype-traffic-when-randomness-plays-you]

Preliminaries

Abbreviations that are used:
* SN: Skype network
* SC: Skype client
* HC: host cache

Skype client

The main functions of a Skype client are:
* login
* user search
* start and end calls
* media transfer
* presence messages

Login

A Skype client authenticates the user with the login server, advertises its presence to other peers, determines the type of NAT and firewall it is behind and discovers nodes that have public IP addresses.

To connect to the Skype network, the host cache must contain a valid entry. A TCP connection must be established (i.e. to a supernode) otherwise the login will fail.

 1. start
 2. send UDP packet(s) to HC
 3. if no response within 5 seconds then
 4.   attempt TCP connection with HC
 5.   if not connected then
 6.     attempt TCP connection with HC on port 80 (HTTP)
 7.     if not connected then
 8.       attempt TCP connection with HC on port 443 (HTTPS)
 9.       if not connected then
10.         attempts++
11.         if attempts=5 then
12.           fail
13.         else
14.           wait 6 seconds
15.           goto step 2
16. Success

After a Skype client is connected it must authenticate the username and password with the Skype login server. There are many different Skype login servers using different ports. An obfuscated list of servers is hardcoded in the Skype executable.

On each login session, Skype generates a session key from 192 random bits. The session key is encrypted with the hard-coded login server's 1536-bit RSA key to form an encrypted session key. Skype also generates a 1024-bit private/public RSA key pair. An MD5 hash of a concatenation of the user name, constant string (" Skyper ") and password is used as a shared secret with the login server. The plain session key is hashed into a 256-bit AES key that is used to encrypt the session's public RSA key and the shared secret. The encrypted session key and the AES encrypted value are sent to the login server.

On the login server side, the plain session key is obtained by decrypting the encrypted session key using the login server's private RSA key. The plain session key is then used to decrypt the session's public RSA key and the shared secret. If the shared secrets match, the login server will sign the user's public RSA key with its private key. The signed data is dispatched to the supernodes.

Upon searching for a buddy, a super node will return the buddy's public key signed by Skype. The SC will authenticate the buddy and agree on a session key by using the mentioned RSA key.

UDP

UDP packets:

IP | UDP | Skype SoF | Skype Crypted Data01

The Start of Frame (SoF) consists of:
# frame ID number (2 bytes)
# payload type (1 byte)
#* obfuscated payload
#* Ack/NAck packet
#* payload forwarding packet
#* payload resending packet
#* other
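The chi-square approach mentioned under Protocol Detection can be illustrated on this frame layout. The following is an added example, not code from the cited paper or from Skype: it scores each 4-bit group position across the packets of one flow, so that obfuscated fields look uniform and fixed fields stand out. The sample flow, the payload type value 0x02, the random frame IDs and the threshold are constructed assumptions.

```python
import random
from collections import Counter

NIBBLES = 16  # possible values of one 4-bit group

def chi_square_per_nibble(packets, n_bytes):
    """Pearson chi-square of each 4-bit group position, taken across all
    packets of one flow, against the uniform distribution."""
    expected = len(packets) / NIBBLES
    scores = []
    for pos in range(2 * n_bytes):
        counts = Counter()
        for p in packets:
            byte = p[pos // 2]
            counts[byte >> 4 if pos % 2 == 0 else byte & 0x0F] += 1
        scores.append(sum((counts.get(v, 0) - expected) ** 2 / expected
                          for v in range(NIBBLES)))
    return scores

def classify(scores, threshold):
    """Label each position: a low score looks uniformly random (obfuscated),
    a high score indicates a fixed or structured field."""
    return ["random" if s < threshold else "structured" for s in scores]

def make_flow(n_packets, type_byte, seed):
    """Constructed stand-in flow: 2-byte frame ID, 1-byte payload type,
    5 payload bytes. Random bytes model the ID and the obfuscated payload."""
    rng = random.Random(seed)
    return [bytes([rng.randrange(256), rng.randrange(256), type_byte])
            + bytes(rng.randrange(256) for _ in range(5))
            for _ in range(n_packets)]

# Hypothetical threshold: with 15 degrees of freedom uniform data stays far
# below 100, while a constant nibble over N packets scores exactly 15 * N.
THRESHOLD = 100.0
flow = make_flow(n_packets=800, type_byte=0x02, seed=7)
scores = chi_square_per_nibble(flow, n_bytes=8)
labels = classify(scores, THRESHOLD)
print(labels)
```

A flow whose only structured positions are the two nibbles of the third byte matches the SoF layout listed above; a real classifier would combine this with other features, as the cited paper does.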

Obfuscation Layer

The RC4 encryption algorithm is used to obfuscate the payload of datagrams.
# The CRC32 of public source and destination IP, Skype's packet ID are taken
# Skype obfuscation layer's initialization vector (IV).

The XOR of these two 32-bit values is transformed to an 80-byte RC4 key using an unknown key engine.

A notable misuse of RC4 in Skype can be found on TCP streams (UDP is unaffected). The first 14 bytes (10 of which are known) are XORed with the RC4 stream. Then, the cipher is reinitialized to encrypt the rest of the TCP stream.
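Why reinitializing the cipher is a misuse, shown as an added example (not Skype's code): when the cipher is restarted with the same key, the header and the rest of the stream share one keystream, so bytes known in one expose the same positions in the other. The key, header and body below are constructed values, and reuse of the same key after reinitialization is an assumption drawn from the description above.

```python
def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n bytes of the RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):  # output generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def obfuscate_reinit(key, header, body):
    """Pattern from the text: cipher restarted after the header, so header
    and body are both XORed with the keystream from offset 0."""
    return (xor(header, rc4_keystream(key, len(header))),
            xor(body, rc4_keystream(key, len(body))))

def obfuscate_continuous(key, header, body):
    """Corrected form: one cipher state; the body continues the keystream."""
    ks = rc4_keystream(key, len(header) + len(body))
    return xor(header, ks[:len(header)]), xor(body, ks[len(header):])

def body_bytes_exposed(header_ct, known_prefix, body_ct):
    """Body bytes derivable from a known header prefix when the keystream
    repeats: (header_ct ^ known) is keystream that also covers the body."""
    return xor(body_ct, xor(header_ct, known_prefix))

# Constructed sample values, not real Skype keys or traffic.
KEY = bytes(range(1, 81))                       # stand-in 80-byte RC4 key
HEADER = b"KNOWN-10b." + b"\x11\x22\x33\x44"    # 14 bytes, first 10 known
BODY = b"call setup for alice@example.test"

h_bad, b_bad = obfuscate_reinit(KEY, HEADER, BODY)
h_ok, b_ok = obfuscate_continuous(KEY, HEADER, BODY)
leak_reinit = body_bytes_exposed(h_bad, HEADER[:10], b_bad)
leak_continuous = body_bytes_exposed(h_ok, HEADER[:10], b_ok)
print("reinitialized:", leak_reinit)
print("continuous:   ", leak_continuous)
```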

TCP

TCP packets:

TCP | Skype Init TCP packet

The Skype Init TCP packet contains
* the seed (4 bytes)
* init_str string 00 01 00 00 01 00 00 00 01/03

Low-level Datagrams

Almost all traffic is ciphered. Each command has its parameters appended in an object list. The object list can be compressed.

                   / Object List     ... -
Enc -> Cmd -> Encod
     ^               Compressed List ... -
Frag |
     ------------------<---------------
Ack   NAck   Forward -> Forwarded..Message

Object Lists

An object can be a number, string, an IP:port, or even another object list. Each object has an ID. This ID identifies which command parameter the object is.

Object: Number | IP:Port | List of numbers | String | RSA key

Object List: List Size (n) | Object 1 | . . | Object n

Packet compression

Packets can be compressed. The algorithm is a variation of arithmetic compression that uses reals instead of bits.

Legal Issues

* Reverse engineering of the Skype protocol by inspecting/disassembling binaries is prohibited by the terms and conditions of Skype's license agreement. However, there are legal precedents when the reverse engineering is aimed at interoperability of file formats and protocols. [Sega vs Accolade, 1992] [Sony vs Connectix, 2000] [Pamela Samuelson and Suzanne Scotchmer, "The Law and Economics of Reverse Engineering", 111 Yale Law Journal 1575-1663 (May 2002), http://www.yalelawjournal.org/pdf/111-7/SamuelsonFINAL.pdf] In the United States, the Digital Millennium Copyright Act grants a safe harbor to reverse engineer software for the purposes of interoperability with other software. [17 U.S.C. Sec. 1201(f)] [WIPO Copyright and Performances and Phonograms Treaties Implementation Act] In addition, many countries specifically permit a program to be copied for the purposes of reverse engineering. [In the French "intellectual property" law set, there is an exception that allows any software user to reverse engineer it. See the official code (in French): http://legifrance.gouv.fr/affichCodeArticle.do?cidTexte=LEGITEXT000006069414&idArticle=LEGIARTI000006278920&dateTexte=20080329&categorieLien=cid This law came from a European rule (European Union directive #91-250 dated May 14 1991, in the JOCE dated May 17 1991, article 6, L.122, page 42 (not found on the Internet)).]

External links

* Repository of articles on Skype analysis: http://www1.cs.columbia.edu/~salman/skype/


Wikimedia Foundation. 2010.
