Reverse engineer extracts Skype crypto secret recipe

A group of code breakers led by Sean O'Neil reckon they have successfully reverse engineered Skype's implementation of the RC4 cipher, one of several encryption technologies used by the consumer-oriented VoIP service. The proprietary encryption technology is used by the VoIP service to protect communications exchanged between its its clients and severs. It also restricts what clients can access the service, a restriction Skype had plans to ease with the upcoming publication of an API.

O'Neil justified the publication of an open source emulation of the algorithm by arguing that Skype's technology is already under exploitation by instant message spammers, so his work only levels the playing field for security researchers. He criticised Skype for practising "security by obscurity" in keeping its algorithm secret for so long. O'Neil reportedly plans to explain his research in greater depth at a presentation before the Chaos Communication Congress (27C3) in Berlin in December.

Skype told Techcrunch that O'Neil's partial leak some months ago was what facilitated spam attacks against users of the VoIP service in the first place.

O'Neil's original blog posting has been pulled but copies can still be found in Google's cache (here). O'Neil has published the obfuscated Skype RC4 key expansion algorithm, only one of a battery of encryption technologies used by Skype. "There are seven types of communication encryption in Skype: its servers use AES-256, the supernodes and clients use three types of RC4 encryption - the old TCP RC4, the old UDP RC4 and the new DH-384 based TCP RC4, while the clients also use AES-256 on top of RC4. It all is quite complicated, but we've mastered it all," O'Neil explains. ®