Tuesday, September 21, 2010

Encrypted Phone Calls & Skype Security

        After hearing so many fuss and concern about the blackberry encryption and government agencies concern. This entire episode reminded me one of the risk assessments of 2008 on usage of Skye in corporate network. Although at that time I was biased and already told by superiors that and RA should give enough reasons to stop the Skye Access from corporate network because of some of the corporate concern on the Skype usage but at last the observation and finding was quite amazing. Like to share that finding with all.

As the section in ISO 27001 and PCI DSS covers cryptographic controls states that, when developing a cryptographic policy, consideration should be given to the use of encryption for the protection of sensitive information transported by mobile or removable media, devices or across communication lines. I know many organisations routinely use encryption to secure thumb drives, laptops, emails and instant messaging, but when it comes to discussing sensitive information over the phone, far fewer employ some form of encryption.
Depending on the nature of business, it may be appropriate for some employees to consider using devices developed for the National Security Agency's Secure Mobile Environment Portable Electronic Device (SME PED) program, such as the Sectéra Edge from General Dynamics C4 Systems. Such devices are certified to protect wireless voice communications classified as "Top Secret," as well as access email and websites classified as "Secret."

Encryption devices for landlines are expensive and usually require all parties to have the same kit installed in order to work. And, after all, is anybody really going to tap into your phone line?

        Depending on business, the answer may be yes. Recent stories of industrial espionage and investigative journalism show that eavesdroppers do attempt to listen in on calls regarding certain industries and types of information. So is there an easy and low-cost way to enable encrypted phone calls between colleagues or clients? While there are currently no products for encrypting landline calls that meet that description, Skype provides a free and secure way to make voice over Internet Protocol (VoIP) calls and is well worth bearing in mind as a form of communication for those organisations that want to follow their encryption policy to the letter.

When considering the pros and cons of Skype, take into account that encryption is inherent in the Skype protocol, so it can't be turned off; it is also completely transparent to the user, so there's no chance that he or she can inadvertently disable it. Other Skype features such as instant messaging, file transfer and video conferencing -- which also includes inherent encryption -- may or may not be of interest, but a big plus of using Skype is that calls to other Skype users are free, with cheap rates for calls to landlines and mobile phones. On this what government agencies are going to argue?

Skype security reportedly uses non-proprietary, widely trusted encryption techniques such as RSA for key negotiation and 256-bit AES to encrypt conversations; the technology also uses a proprietary protocol and is closed source. Skype's chief security officer Kurt Sauer has said that there are no backdoors in their software to bypass the encryption on a call, but he has also said that the company complies with all government requests, implying that it might allow governmental eavesdropping when forced to by law, and Skype has never flatly denied that an attacker might be able to intercept traffic. So we've no way of knowing if there is, or if there will be, a backdoor.

But given that users are unlikely to discuss information of interest to the national security services, Skype does provide strong security for most calls. Any eavesdropper would most likely find it impossible to decipher a conversation and, unlike traditional calls, there's no constant circuit between the parties as the voice data is sent via packets switched along thousands of router paths. However, the fact that encryption cannot be turned off and is completely transparent to the user is what makes Skype so appealing from an information security perspective. Encryption, particularly PKI, is notoriously difficult to roll out on a large scale, yet Skype provides easy-to-use encrypted communication for everyone.

For those organisations with a mobile workforce, Skype is also available for various smart phones, providing the same built-in encryption functionality. There is even an iPhone version. However, some network operators do not allow Skype calls to be made over their 3G network s for fear of lost revenue, restricting it to paid-for Wi-Fi use only. Now is it governments agencies are going to ban the Skype and other such products usage?  

1 comment:

Mayank Trivedi said...

Pretty Interesting and Well Covered Topic. However, my concern still lies around decipher key availability to Security Agencies. I had already raised my concern on Blackberry issue on the name of national security....Though, I am not against Govt having the requisite access, but what about the Data Protection??? and Assurance to the Corporate on use of accumulated Data for the purpose it is collected???? Please Refer to the recent incidents of Radia Tapes where one of the Tapes had her and Ratan Tata's Conversation....and the Successful Hack of CBI's Website...

I would reiterate my concerns in this case also. I am not sure, how many have known the fact that Google, Skype and other services providers are next in line of fire from the Govt for access to the deciphered information....be it mail / message or any other....The Risk still would be rated as high "Particularly when the Country DOES NOT have a Data Protection and Data Privacy Regime"