14 DAY TRIAL // A cryptography expert and reverse engineer known as Sean O'Neil has released a C library, which he claims replicates the encryption scheme used by Skype in its communication protocol. There are reasons to believe that this code is already being abused to spam Skype users.
To protect the communication between its clients and severs against hackers and spammers, Skype uses an encryption scheme that is based on a highly modified version of the RC4 cipher. This security layer also prevents other developers from creating their own instant messaging clients that are able to communicate with Skype's network. However, this will be possible in the future via a public API.
Skype's encryption scheme has been one of the great reverse engineering challenges of the past decade and until now no one has came forth to prove that they broke it. "Skype enjoyed selling the world security by obscurity. We must admit, really good obscurity. I mean, really really good obscurity. So good that almost no one has been able to reverse engineer it out of the numerous Skype binaries. […] The time has come to reveal this secret," Sean O'Neil, the cryptographer who developed the EnRUPT cipher, announced on his blog.
Mr. O'Neil posted a link to a C library, which he claims is a replica of the "obfuscated Skype RC4 key expansion algorithm." Notes attached to the open source code reveal that it was released for research and educational purposes only. It is also explained that while the result might be identical to that of Skype's original library, this version's computation is unique and significantly different.
O'Neil states that the decision to release the code came after a portion of it was accidentaly leaked months ago and hackers began abusing it to spam Skype users. The cryptographer hopes that putting it out in the open will leverage the field by allowing security experts to review it and help secure Skype.
Skype has confirmed that the code can be used to launch spam attacks and is considering legal action against the reverse engineer. "We believe that the work being done by Sean O'Neil, who we understand was formerly known as Yaroslav Charnovsky, is directly facilitating spamming attacks against Skype and we are considering our legal remedies," part a statement released to TechCrunch, reads.
In the final paragraph of his post, O'Neil announced that more details about Skype's encryption scheme will be revealed at the 27th Chaos Communication Congress (27C3) in Berlin, which will be held in December. However, since then his blog was taken offline for reasons that remain unknown.
You can follow the editor on Twitter @lconstantin
