Lecture 20, May 15

Reading: § 9.4, 10.1–10.4, 10.6

Discussion Problem. The terms of service for Skype say that the company (Microsoft) can read anything sent over the IM service that Skype provides. Yesterday, a news report said that an administrator noticed some unusual network traffic after a Skype IM session — the traffic indicated an attacker was replaying something. The administrator looked further, and found out that the traffic came from an IP address associated with Microsoft, and it accessed a HTTPS URL that had been sent in the previous IM session. Upon hearing this, another group created a web server running HTTPS with a login, and then sent two HTTPS URLs, one with login information pointing to the web server and the other to a private cloud-based file sharing service that it owned. Both URLs subsequently received a visit from an IP address associated with Microsoft (using the login and password information).

When asked, Microsoft pointed to this passage in their data security policy: “Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links”, and Microsoft confirmed it does scan messages to filter out spam and phishing sites.
(The information here is taken from “Skype With Care — Microsoft Is Reading Everything You Write”, The H Security (May 14, 2013); available at http://www.h-online.com/security/news/item/Skype-with-care-Microsoft-is-reading-everything-you-write-1862870.html.)

What do you think of this approach in general? Also, given the circumstances of this particular situation (transmitting web pages in an encrypted form), do you think that Microsoft’s approach is approach?

Lecture outline.

  1. Project information
  2. Key Exchange
    1. Needham-Schroeder and Kerberos
    2. Public key; man-in-the-middle attacks
  3. Key Generation
    1. Cryptographically random numbers
    2. Cryptographically pseudorandom numbers
    3. Strong mixing function
  4. Cryptographic Key Infrastructure
    1. Certificates (X.509, PGP)
    2. Certificate, key revocation
  5. Digital Signatures
    1. Judge can confirm, to the limits of technology, that claimed signer did sign message
    2. RSA digital signatures: sign, then encipher

You can also obtain a PDF version of this. Version of May 15, 2013 at 10:21PM