Today I found an entry on slashdot.net with the headline “Chapel Hill Computational Linguists Crack Skype Calls.” An introduction to the story claims that computational linguistics has been “used to crack Skype encryption.” Is this true? Well, your mileage may vary, but after reading all I could about the situation, I’d have to say “yes, it is true.”
At the same time, it’s also true that the encryption used in Skype communications — AES-256, also used to power AlertBoot’s laptop encryption software — remains intact and unbroken.
At this point, you might be scratching your head and saying, “huh?” Some of you might even be reminded of Schrödinger’s cat, he of dual life-states until the box is opened. The situation is quite easy to explain. It’s a matter of terminology.
Skype Cracked, AES-256 Unaffected
Skype makes use of AES-256 to encrypt its calls. Skype encryption has been cracked; and yet, I claim that AES-256 remains unbroken. What gives?
Well, it’s the way that Skype’s encryption was broken. What the computational linguists have done is best summed up thusly:
The simple description is: By looking at the size of the encrypted data packets you can guess what phonemes were spoken. Yes, that’s all there is to it. They are just looking at how much data is sent and guessing what might be said that reasonably fits in that size. [Anonymous Coward]
That’s really the gist of it. Phonemes are the building blocks of speech, if you weren’t aware (I wasn’t).
To put it another way, although Skype’s transmissions are secured with encryption (in this case, AES-256), it’s a moot point because the size of each encrypted data packet gives enough clues to figure out what’s in that encrypted packet.
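The leak described above, as an added sketch that is not from the original post or the researchers' work: a length-preserving cipher hides the bytes of each voice frame but not its size, and padding every frame to one fixed size before encryption removes that signal. The frame sizes, the three sound classes, the 64-byte pad size and the SHA-256 counter-mode stand-in for AES are all assumptions made for illustration.

```python
import hashlib
import os

# Constructed frame sizes in bytes for a variable-bitrate codec (assumed values).
FRAME_SIZE = {"vowel": 38, "fricative": 26, "silence": 10}
PAD_TO = 64  # hypothetical constant frame size for the padded variant


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode); not AES, illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, seq: int, frame: bytes) -> bytes:
    """XOR the frame with a per-packet keystream; ciphertext length == frame length."""
    nonce = seq.to_bytes(8, "big")
    return bytes(a ^ b for a, b in zip(frame, keystream(key, nonce, len(frame))))


def send(sounds, key, pad=False):
    """Return the ciphertext packets for a sequence of sound classes."""
    packets = []
    for seq, sound in enumerate(sounds):
        frame = os.urandom(FRAME_SIZE[sound])  # placeholder for codec output
        if pad:
            # 1-byte length prefix, then zero padding up to the constant size
            frame = bytes([len(frame)]) + frame + b"\x00" * (PAD_TO - 1 - len(frame))
        packets.append(encrypt(key, seq, frame))
    return packets


def observe(packets):
    """What a passive observer without the key can infer from lengths alone."""
    by_size = {size: sound for sound, size in FRAME_SIZE.items()}
    return [by_size.get(len(p), "?") for p in packets]


if __name__ == "__main__":
    key = os.urandom(32)
    spoken = ["silence", "fricative", "vowel", "vowel", "silence"]
    print(observe(send(spoken, key)))            # lengths reveal each class
    print(observe(send(spoken, key, pad=True)))  # every packet is 64 bytes
```

The cost of the padded variant is bandwidth: every packet is as large as the largest frame.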
So Encryption is Not Broken?
Erm…not quite. It’s complicated, as this heated argument shows (possible NSFW language). It’s a matter of how you want to define “encryption is broken.”
In Skype’s case, it’s not incorrect to say that the encryption is broken (and broken because, in hindsight, it was badly implemented), since the protected message’s contents can be figured out from the scrambled message itself. I mean, if you can consistently figure out the actual message from the encrypted message itself, that’s the definition of busted encryption.
At the same time, the integrity of AES-256 is unaffected: there might be another VoIP provider other than Skype where this issue does not pop up while using the same cipher. So, the weakness lies with Skype (although, in its defense, most if not all VoIP services suffer from the same problem, apparently). Hence, the “dual state” where Skype encryption is broken and yet not broken (perhaps the explanation would be easier to comprehend if AES-256 had been broken; the world would be a sad place for it, though).
Of course, it’s also false to say that Skype’s encryption is broken when you think about it: the researchers found that their method is quite effective…when it works. Consistency seems to be the key obstacle, but we all know how technology progresses, right?
For the time being, I wouldn’t worry about the privacy of my Skype conversations, although Skype has been given a very pressing reason to go back and check their software design.