Germany: Skype encryption, industry & police-WikiLeaks
January 25, 2008
[FACT comments: Skype encryption obviously is not breakable except by police breaking into your personal computer. To do so, if it's really possible to do, costs 20,500 Euros per computer. We doubt it's feasible to do, and we know it's just too expensive for any government to accomplish unless the target is bin Laden himself! That makes Skype secure and reliable, at least for the present.]
Skype and the Bavarian trojan in the middle
WikiLeaks: January 24, 2008
The PDF file obtained by Wikileaks, and also released by the German political party Piraten, contains two scanned documents relating to activities of the Bavarian police, the German Ministry of Justice and the prosecutor's office in intercepting encrypted data sent over the Internet via SSL or Skype. The first presents a communication on splitting costs between the Bavarian police and the prosecutors' offices; the second presents the related offer for the software by a German company called Digitask.
The technology, explained at a high level in Digitask's offer, works by installing malware locally on the client's computer.
An offer of interception technology
The offer, dated September 4th 2007, replies to an inquiry by Bavarian officials on the possibility of Skype interception, introduces a basic description of the cryptographic workings of Skype, and concludes that new systems are needed to spy on Skype calls.
It goes on to introduce the so-called Skype Capture Unit. In a nutshell: malware deliberately installed on a target machine, intercepting Skype voice and chat. Another feature introduced is a recording proxy, which is not part of the offer, yet would allow anonymous proxying of recorded information to a target recording station. Access to the recording station is possible via a multimedia streaming client, supposedly offering real-time interception.
Another part of the offer is an interception method for SSL-based communication, working on the same principle: a man-in-the-middle attack on the key material on the client machine. According to the offer, this method works with the Internet Explorer and Firefox web browsers. Digitask also recommends using overseas proxy servers to cover the tracks of all activities going on.
The eventuality of delivery
Interestingly, the document holds some information on future dependencies, time schedules and similar things, and it quickly becomes clear that the solution presented here will eventually deliver something. While it might be admitted that the recording server offered now might only be able to handle a lower number of Skype clients if Skype introduces new features like video chat, the first striking factor is a delivery time of 4-6 weeks for a single installation. Maybe by then, or at some other time, the software will also be Windows Vista compatible. Interestingly, in 2008 the software is offered for Windows 2000 and Windows XP only.
The delivery time also does not include installation on the target machine, but only provisioning of the software. Methods of delivery, which would be one of the more interesting features of such software, include personal delivery to the target machine and sending it as an e-mail attachment. While other methods, not further specified, can always be integrated, this will only happen at full development cost, and delivery remains entirely up to the purchaser of the software.
Digitask will also not take on any responsibility for use of the software or for damage caused by it.
The high cost of governmental eavesdropping
The licensing model presented here is based on installation instances per month, for a minimum of three months. Each installation of the Skype Capture Unit will cost EUR 3500 per month, and SSL interception is priced at EUR 2500 per month. A one-time installation fee of EUR 2500 is not further explained. The minimum cost for any installation on a suspect's computer for comprehensive interception of both SSL and Skype will therefore be EUR 20500 (three months of both units plus the installation fee), if no more than one one-time installation fee is required.
Software versus bulletproof vests?
The letter gives a tabular overview of the costs, interestingly including the proxy server to disguise police officers' identities. After stating that no law currently clearly regulates these costs, and concentrating on various legal aspects of this statement, it declares that all costs for hardware and software obtained need to be covered by the well-known tight German local police budgets. Based on a decision taken by the State Ministry of the Interior and the State Ministry of Justice, this includes all costs for acquisition and further maintenance of any technical equipment.
To see the original document in German: