In recent years the popularity and usability of Skype have increased rapidly among users, thanks to its ability to negotiate firewalls, network address translation and other barriers. This ability has made life more miserable for system administrators and raised some security concerns. How difficult it is to block Skype can be easily guessed from the fact that, despite its huge popularity, to date there are very few applications or firewalls that support blocking it.
Why is it difficult to block the Skype protocol?
1> Random port:
A Skype client randomly chooses the port number, including the HTTP port (80) and HTTPS port (443), on which it listens for TCP and UDP connections. Therefore any rule that blocks traffic on a particular port does not work for Skype.
2> Host Cache:
The Skype client builds and refreshes the host cache (HC) regularly. This host cache contains the list of super node IP addresses and ports, which act as Skype servers. As the host cache entries keep changing, any rule based on IP address does not work either.
3> Encryption:
Skype uses AES (Advanced Encryption Standard) with 256-bit encryption. Because of the 256-bit key, the number of possible keys used to encrypt the data in each Skype call or instant message is huge (1.1 x 10^77). Skype uses 1536- to 2048-bit RSA to negotiate the symmetric AES keys.
4> NAT and Firewall:
The Skype client uses a variation of the STUN (Simple Traversal of UDP through NAT) and TURN (Traversal Using Relay NAT) protocols to determine the type of NAT and firewall it is behind. This ensures that it can reach the internet.
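The NAT-discovery step in item 4, as an added example that is not from the original post and is not Skype's own code: it implements the classic STUN decision tree (RFC 3489), of which the post says Skype uses a variation, and runs it against simulated networks. The `simulate` helper, the "primary"/"alternate" server labels and all addresses are constructed assumptions.

```python
from typing import Callable, Optional, Tuple

Addr = Tuple[str, int]
# probe(server, change_ip, change_port) -> address the server saw, or None on timeout
Probe = Callable[[str, bool, bool], Optional[Addr]]

def classify(local: Addr, probe: Probe) -> str:
    first = probe("primary", False, False)             # Test I
    if first is None:
        return "udp-blocked"
    test2 = probe("primary", True, True) is not None   # Test II: reply from other IP and port
    if first == local:                                 # no address translation on the path
        return "open-internet" if test2 else "symmetric-udp-firewall"
    if test2:
        return "full-cone-nat"
    second = probe("alternate", False, False)          # Test I against the alternate server
    if second is None:
        return "inconclusive"
    if second != first:                                # mapping depends on the destination
        return "symmetric-nat"
    test3 = probe("primary", False, True) is not None  # Test III: reply from other port only
    return "restricted-cone-nat" if test3 else "port-restricted-cone-nat"

def simulate(local: Addr, public_ip: str, nat=True, symmetric=False,
             filtering="none", udp=True) -> Probe:
    """Constructed network model. filtering is 'none', 'address' or 'port'."""
    def probe(server: str, change_ip: bool, change_port: bool) -> Optional[Addr]:
        blocked = (change_ip and filtering != "none") or (change_port and filtering == "port")
        if not udp or blocked:
            return None    # timeout: UDP is blocked, or the unsolicited source is filtered
        if not nat:
            return local
        # A symmetric NAT hands out a different external port per destination.
        return (public_ip, 40001 if symmetric and server == "alternate" else 40000)
    return probe

LOCAL, PUBLIC = ("192.0.2.10", 5000), "198.51.100.7"   # constructed addresses

def survey() -> dict:
    cases = {
        "no-udp": dict(udp=False), "direct": dict(nat=False),
        "stateful-fw": dict(nat=False, filtering="port"), "full-cone": dict(),
        "restricted": dict(filtering="address"), "port-restricted": dict(filtering="port"),
        "symmetric": dict(symmetric=True, filtering="port"),
    }
    return {name: classify(LOCAL, simulate(LOCAL, PUBLIC, **kw)) for name, kw in cases.items()}

if __name__ == "__main__":
    for name, verdict in survey().items():
        print(f"{name:16} -> {verdict}")
```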
How to block Skype?
So is there any way to block the Skype protocol in a network? Yes: the only way to achieve it is by inspecting the packets that carry Skype traffic and identifying the Skype signature. But as Skype is an encrypted protocol, this is not easy even with packet inspection. The only point at which it can be identified and blocked is at login time. Once the login is over, it is very difficult to distinguish Skype packets from other HTTPS packets.






1 comments:
hmm..interesting keep me posted
Now I know why only Skype is working in my office and not others.
Why do porn sites not do the things Skype is doing? What do you think? ;)
- Satish (F.C.)