
Skype Encryption Stumps German Police

TallGuyRacer writes "German police are unable to decipher the encryption used in the internet telephone software Skype to monitor calls by suspected criminals and terrorists, Germany's top police officer, Joerg Ziercke, said. "The encryption with Skype telephone software ... creates grave difficulties for us... We can't decipher it. That's why we're talking about source telecommunication surveillance — that is, getting to the source before encryption or after it's been decrypted.""
  • by Noryungi ( 70322 ) on Friday November 23, 2007 @06:45AM (#21452567) Homepage Journal
    According to this PDF document [skype.com], Skype encryption is based on open standards (such as AES, SHA-1, etc).

    According to this article [wired.com], our good friends at the NSA "may" have put backdoors in some of the technologies that could be used by Skype.

    And, then, according to this other article [theage.com.au], it does not matter what technologies you use, if your CPU is wide open to analysis and crypto attacks.

    And, of course, there is the question of using a 'secure' communication system on a completely insecure operating system, such as Windows. Why do you think they talk of intercepting the communication before it becomes encrypted? Probably because the vast majority of suspects use Windows. Using Linux, or MacOS, would not be much of an improvement either.

    Conclusion? Well, the Bundespolizei (that's German police to you) may not have the means to decipher your Skype communications right now. But it's getting there, thank you very much. And there are agencies out there who certainly can, and will.

    And what happened to free German crypto? I thought Germany had the only sane policy about crypto in the industrial world?
  • by GroeFaZ ( 850443 ) on Friday November 23, 2007 @06:47AM (#21452575)
    Exactly. The Anti-terror craze has long reached German lawmakers, and they are in a rage creating law after law (though not as bad as in the US and UK) and seeing what survives the Bundesverfassungsgericht, the court that decides if laws are against the German Grundgesetz (Basic Law, comparable to the US Constitution).

    In the case of the "Federal Trojan", it was decided in 02/07 that such measures are illegal to conduct, and decisions made by the Bundesverfassungsgericht are equivalent to laws. So what they're doing now, they're keeping the discussion (and the fear-mongering) alive and continue to develop the trojan despite it being illegal, in an effort to undermine that decision. Most notorious for this behaviour is, of all people, our Minister of Interior, Wolfgang Schäuble. He repeatedly clamored and still clamors for this and other measures which are explicitly forbidden by the Grundgesetz and the Bundesverfassungsgericht, for example shooting down abducted planes. He's one of the single largest threats to what he has to protect by job description, namely the Grundgesetz.
  • Lost in Translation (Score:3, Informative)

    by DancesWithBlowTorch ( 809750 ) on Friday November 23, 2007 @08:19AM (#21452953)
    That's a translation problem. The agency in question here is the "Verfassungsschutz" (meaning, ironically, "Federal Agency for the Protection of the Constitution"), which is the German Version of the NSA (not that this name is any better). The submitter just couldn't be bothered to go through all that hassle and called it "the police".

    Now, while the VS certainly doesn't have the means of the NSA, it is indeed a rather sophisticated service, and I am entirely convinced it is not beyond their means to employ really good security experts.
  • by Vlad_the_Inhaler ( 32958 ) on Friday November 23, 2007 @08:29AM (#21452979)
    The term GröFaZ was *not* something you wanted to be caught using when the Nazis were in power. It is a (disrespectful) abbreviation of 'Größte Führer aller Zeiten' (Greatest leader of all times) which was what the Nazi party propaganda machinery used to call their big boss.
  • by Sique ( 173459 ) on Friday November 23, 2007 @08:52AM (#21453057) Homepage
    I like the old calculation we had in statistics:

    - There is a severe sickness, which only one of 100,000 people gets.
    - There is a test for this sickness, which is 99,9% accurate, that means, that the result of only 1 in 1000 persons is wrong. (In reality you have two numbers, one giving how high the rate is to give a false positive, and another one for the false negatives, but for the sake of the calculation we consider them equal).

    How high is the chance, after you got tested positive, that you in fact have the severe sickness?

    In 99 out of 100 this was a false positive.

    The same goes for the search of terrorists.

    Terrorists are very seldom, let's say that only 1 in 100,000 persons in Germany is a terrorist (this still gives 800 terrorists living in Germany, far too much compared with the number of terroristic acts committed!). Let's say that the police has means to be 99,9% accurate to tell beforehand if a suspect is a terrorist or not, before asking for secret computer searches.

    It still means that in 99 out of 100 cases a completely innocent person's computer will be searched.
  • by Vlad_the_Inhaler ( 32958 ) on Friday November 23, 2007 @08:55AM (#21453077)
    Back in the days of Ronnie R, the governments of Mozambique and Angola were:
    a) - Communist (they may still be)
    b) - Neighbours of South Africa and supporting the ANC against the Apartheid S African government.
    c) - Opposed by S African-sponsored rebel organisations (S Africa was trying to destabilise the opposition).

    Both rebel organisations fit pretty much any definition of 'Terrorist' you can come up with. The US under Reagan helped finance both sets of terrorists in the name of opposing Communism.

    The Contras in Nicaragua were almost as bad and they were pretty much a creation of the US.

    The Taliban were also US sponsored (via Pakistan) for a while, at this point the line between terrorist and freedom fighter becomes blurred. That particular turkey has come home to roost.

    Now going back to the actual article here:
    Experts say Skype and other Voice over internet Protocol (VoIP) calling software are difficult to intercept because they work by breaking up voice data into small packets and switching them along thousands of router paths instead of a constant circuit between two parties, as with a traditional call.
    If I was in Joerg Ziercke's position, I would probably announce that Skype's encryption was too strong once it had been cracked - to get the people you want to watch using Skype. Are the packets really sent along 'thousands of router paths'? Obviously the potential is there but I normally expect most of the packets to take the same route.
    A few years ago it was announced that digital mobile phones could not be overheard, I wonder if that still applies.
  • by Alphager ( 957739 ) on Friday November 23, 2007 @09:17AM (#21453181) Homepage Journal

    That's a translation problem. The agency in question here is the "Verfassungsschutz" (meaning, ironically, "Federal Agency for the Protection of the Constitution"), which is the German Version of the NSA (not that this name is any better). The submitter just couldn't be bothered to go through all that hassle and called it "the police".

    Now, while the VS certainly doesn't have the means of the NSA, it is indeed a rather sophisticated service, and I am entirely convinced it is not beyond their means to employ really good security experts.
    Nope, Ziercke is President of the BKA, the Bundeskriminalamt. That's the federal equivalent of the LKA aka Landeskriminalamt aka Police.
  • by Sique ( 173459 ) on Friday November 23, 2007 @10:46AM (#21453747) Homepage
    It's simple math.

    If you randomly test 100000 people, only one of them will have the sickness. 99999 are healthy. Of those 99 will be tested positive because one out of 1000 will falsely be tested positive.
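
The base-rate calculation from Sique's two comments above, as an added example that is not part of any commenter's post. It keeps the false-positive and false-negative rates separate, as the first comment says a real test would, and goes one step beyond the comments by solving for the false-positive rate a screen would need before half of the flagged people are real hits. The function names are hypothetical, and the population of 80 million is an assumption implied by the comment's figure of 800 at 1 in 100,000.

```python
from fractions import Fraction

# Figures taken from the comments: 1 in 100,000 affected, 1 in 1,000 results wrong.
PREVALENCE = Fraction(1, 100_000)
ERROR_RATE = Fraction(1, 1_000)
POPULATION = 80_000_000  # assumption: implied by "800" at 1 in 100,000


def screen(population, prevalence, fp_rate, fn_rate):
    """Expected outcome counts when every member of `population` is tested."""
    affected = population * prevalence
    unaffected = population - affected
    return {
        "true_pos": affected * (1 - fn_rate),
        "false_neg": affected * fn_rate,
        "false_pos": unaffected * fp_rate,
        "true_neg": unaffected * (1 - fp_rate),
    }


def precision(prevalence, fp_rate, fn_rate):
    """P(affected | flagged) by Bayes' rule."""
    true_pos = prevalence * (1 - fn_rate)
    false_pos = (1 - prevalence) * fp_rate
    return true_pos / (true_pos + false_pos)


def max_fp_rate(prevalence, fn_rate, target_precision):
    """Largest false-positive rate that still reaches `target_precision`.

    Obtained by solving precision(...) == target_precision for fp_rate.
    """
    true_pos = prevalence * (1 - fn_rate)
    return true_pos * (1 - target_precision) / (target_precision * (1 - prevalence))


if __name__ == "__main__":
    counts = screen(POPULATION, PREVALENCE, ERROR_RATE, ERROR_RATE)
    p = precision(PREVALENCE, ERROR_RATE, ERROR_RATE)
    needed = max_fp_rate(PREVALENCE, ERROR_RATE, Fraction(1, 2))
    print(f"flagged but unaffected: {float(counts['false_pos']):,.1f}")
    print(f"flagged and affected:   {float(counts['true_pos']):,.1f}")
    print(f"P(affected | flagged):  {float(p):.4%}")
    print(f"false-positive rate needed for 50% precision: {float(needed):.3e}")
```

With the comment's numbers, roughly 1% of flagged people are real hits; reaching 50% requires a false-positive rate of about 1 in 100,000, the same order as the prevalence itself.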
  • Re:Great (Score:3, Informative)

    by abigor ( 540274 ) on Friday November 23, 2007 @12:18PM (#21454397)

    I wouldn't trust skype encryption to be secure, after all everyone has the capability of decrypting it with the skype client.

      I can't see how it would be that difficult to monitor traffic through an ISP's gateway.
    This is incorrect - Skype uses RSA and symmetric session keys, not a permanently fixed symmetric key. Only the person(s) you want to hear your call will be able to hear it.

    There is no way to monitor Skype traffic at the ISP.

    You can read an independent security review here: http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf [skype.com]

  • by vic-traill ( 1038742 ) on Friday November 23, 2007 @04:49PM (#21456703)

    So last year we heard that mysterious 'German Officials' were "claiming they had technology for intercepting and decrypting Skype phone calls" from no less of a source than the New York Times (via Skype forums): http://forum.skype.com/index.php?showtopic=54163 [skype.com]

    So, who pwns who?
