
Skype protocol, skype connect algorithm, authentication servers and ports


Original from Wikipedia

Here because I don't wanna forget it.

Protocol

A Skype network is a peer-to-peer network with three main entities: supernodes, ordinary nodes and the login server. It is an overlay network: each client builds and refreshes a list of reachable nodes known as the host cache. The host cache contains IP address and port numbers of supernodes. Communication is encrypted using RC4; the method used does not provide any privacy but instead merely obfuscates the traffic.

So, the abbreviations used below are: host cache is HC, Skype Client is SC and Skype Network is SN.

Login Algorithm

A Skype client authenticates the user with the login server, advertises its presence to other peers, determines the type of NAT and firewall it is behind and discovers nodes that have public IP addresses.

To connect to the Skype network, the host cache must contain a valid entry. A TCP connection must be established (i.e. to a supernode), otherwise the login will fail.

Connection Algorithm

1. start
2. send UDP packet(s) to HC
3. if no response within 5 seconds then
4.     attempt TCP connection with HC
5.     if not connected then
6.         attempt TCP connection with HC on port 80 (HTTP)
7.         if not connected then
8.             attempt TCP connection with HC on port 443 (HTTPS)
9.             if not connected then
10.                attempts++
11.                if attempts==5 then
12.                    fail
13.                else
14.                    wait 6 seconds
15.                    goto step 2
16. Success
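The algorithm above, written out as an added example (it is not code from the original post or from Skype). The network is behind an interface so the steps can be exercised offline with a recording fake; the 5-second UDP timeout, the 80/443 fallbacks, the five rounds and the 6-second wait all come from the steps above, while treating the host cache as a list of entries tried in order is an assumption. The point worth seeing in the log is that a client behind an egress policy which only allows outbound 443 still gets out on the third TCP try, so port filtering alone does not keep such a client off the network.

```go
package main

import "fmt"

// Endpoint is one host-cache (HC) entry: a supernode address and port.
type Endpoint struct {
	Host string
	Port int
}

// Transport abstracts the network so the algorithm runs offline in tests.
// UDPProbe and TCPConnect report whether the supernode answered.
type Transport interface {
	UDPProbe(e Endpoint, timeoutSec int) bool
	TCPConnect(e Endpoint) bool
	Sleep(sec int)
}

const (
	maxAttempts = 5 // step 11
	udpTimeout  = 5 // step 3
	retryWait   = 6 // step 14
)

// fallbackPorts are tried after the HC entry's own port (steps 6 and 8).
var fallbackPorts = []int{80, 443}

// ConnectToNetwork runs the connection algorithm over every HC entry. It
// returns the endpoint that answered and "udp" or "tcp", or false once
// five rounds have failed.
func ConnectToNetwork(hc []Endpoint, t Transport) (Endpoint, string, bool) {
	attempts := 0
	for {
		// step 2: UDP packet(s) to the host cache
		for _, e := range hc {
			if t.UDPProbe(e, udpTimeout) {
				return e, "udp", true
			}
		}
		// steps 4-8: TCP to the HC port, then port 80, then port 443
		for _, e := range hc {
			for _, port := range append([]int{e.Port}, fallbackPorts...) {
				target := Endpoint{e.Host, port}
				if t.TCPConnect(target) {
					return target, "tcp", true
				}
			}
		}
		// steps 10-15: count the round, give up at five, otherwise wait and retry
		attempts++
		if attempts == maxAttempts {
			return Endpoint{}, "", false
		}
		t.Sleep(retryWait)
	}
}

// FakeTransport records every probe instead of touching the network.
type FakeTransport struct {
	UDPAnswers bool
	TCPPorts   map[int]bool // ports that accept a connection
	Log        []string
	Slept      int
}

func (f *FakeTransport) UDPProbe(e Endpoint, _ int) bool {
	f.Log = append(f.Log, fmt.Sprintf("udp %s:%d", e.Host, e.Port))
	return f.UDPAnswers
}

func (f *FakeTransport) TCPConnect(e Endpoint) bool {
	f.Log = append(f.Log, fmt.Sprintf("tcp %s:%d", e.Host, e.Port))
	return f.TCPPorts[e.Port]
}

func (f *FakeTransport) Sleep(sec int) { f.Slept += sec }

func main() {
	// Constructed HC entry on a TEST-NET address, not a real supernode.
	hc := []Endpoint{{"203.0.113.10", 33033}}
	// Scenario: UDP dropped and outbound TCP allowed only to 443, as a
	// restrictive egress policy would do; the client still gets out via 443.
	ft := &FakeTransport{TCPPorts: map[int]bool{443: true}}
	e, proto, ok := ConnectToNetwork(hc, ft)
	fmt.Println(ok, proto, e, ft.Log)
}
```

The recorded log of one round (one UDP probe, then TCP to the HC port, 80 and 443) is also the traffic pattern a network monitor would see from a client that cannot reach a supernode over UDP.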

After a Skype client is connected it must authenticate the username and password with the Skype login server. There are many different Skype login servers using different ports. An obfuscated list of servers is hardcoded in the Skype executable.

Skype Authentication Servers

Skype servers are:
    "dir1.sd.skype.net:9010", "dir2.sd.skype.net:9010", "dir3.sd.skype.net:9010", "dir4.sd.skype.net:9010",
    "dir5.sd.skype.net:9010", "dir6.sd.skype.net:9010", "dir7.sd.skype.net:9010", "dir8.sd.skype.net:9010",
    "http1.sd.skype.net:80", "http2.sd.skype.net:80", "http3.sd.skype.net:80", "http4.sd.skype.net:80",
    "http5.sd.skype.net:80", "http6.sd.skype.net:80", "http7.sd.skype.net:80", "http8.sd.skype.net:80"
Skype-SW connects randomly to 1-8.

On each login session, Skype generates a session key from 192 random bits. The session key is encrypted with the hard-coded login server's 1536-bit RSA key to form an encrypted session key. Skype also generates a 1024-bit private/public RSA key pair. An MD5 hash of the concatenation of the user name, the constant string "\nSkyper\n" and the password is used as a shared secret with the login server. The plain session key is hashed into a 256-bit AES key that is used to encrypt the session's public RSA key and the shared secret. The encrypted session key and the AES-encrypted value are sent to the login server.

On the login server side, the plain session key is obtained by decrypting the encrypted session key with the login server's private RSA key. The plain session key is then used to decrypt the session's public RSA key and the shared secret. If the shared secret matches, the login server signs the user's public RSA key with its private key. The signed data is dispatched to the supernodes.

When searching for a buddy, a supernode returns the buddy's public key signed by Skype. The SC authenticates the buddy and agrees on a session key using the RSA key mentioned above.
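Both sides of the login exchange described in the three paragraphs above, as an added example using the Go standard library; it is not Skype's code and not from the original post. The pieces the post states are used as given: a 192-bit session key, RSA encryption of it under a 1536-bit server key, a 1024-bit per-login client key pair, MD5(user || "\nSkyper\n" || password) as the shared secret, a 256-bit AES key derived by hashing the session key, and the server signing the client's public key. Everything the post leaves open is an assumption here: SHA-256 as the hash that turns the session key into the AES key, AES-GCM as the AES mode, PKCS#1 v1.5 padding for RSA, and DER as the encoding of the client's public key. Two defender-side observations fall out of writing it down: the server must store the MD5 digest itself, so that digest is a password equivalent, and 1024/1536-bit RSA and MD5 are far below what would be chosen today.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"errors"
)

// SharedSecret is MD5(username || "\nSkyper\n" || password). The server must
// store this exact digest, so a leaked server database is a list of password equivalents.
func SharedSecret(user, password string) []byte {
	h := md5.Sum([]byte(user + "\nSkyper\n" + password))
	return h[:]
}

// sessionAEAD hashes the 192-bit session key into a 256-bit AES key. The post
// names neither the hash nor the AES mode; SHA-256 and GCM are assumed here.
func sessionAEAD(sessionKey []byte) (cipher.AEAD, error) {
	k := sha256.Sum256(sessionKey)
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// LoginRequest carries the RSA-encrypted session key and the AES-encrypted (session public key || shared secret).
type LoginRequest struct {
	EncSessionKey, Nonce, Ciphertext []byte
}

// NewServerKey stands in for the hard-coded 1536-bit login server RSA key.
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 1536) }

// ClientLogin builds the login request and returns the client's fresh 1024-bit session key pair.
func ClientLogin(serverPub *rsa.PublicKey, user, password string) (*LoginRequest, *rsa.PrivateKey, error) {
	sessionKey := make([]byte, 24) // 192 random bits
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	sessionPriv, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return nil, nil, err
	}
	encSK, err := rsa.EncryptPKCS1v15(rand.Reader, serverPub, sessionKey)
	if err != nil {
		return nil, nil, err
	}
	aead, err := sessionAEAD(sessionKey)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	payload := append(x509.MarshalPKCS1PublicKey(&sessionPriv.PublicKey), SharedSecret(user, password)...)
	return &LoginRequest{encSK, nonce, aead.Seal(nil, nonce, payload, nil)}, sessionPriv, nil
}

// ServerVerify is the login server side: recover the session key, decrypt the
// payload, compare the shared secret in constant time with the stored digest,
// and sign the user's public key. It returns the DER key and the signature
// that are dispatched to the supernodes.
func ServerVerify(serverPriv *rsa.PrivateKey, storedSecret []byte, req *LoginRequest) ([]byte, []byte, error) {
	sessionKey, err := rsa.DecryptPKCS1v15(rand.Reader, serverPriv, req.EncSessionKey)
	if err != nil {
		return nil, nil, err
	}
	aead, err := sessionAEAD(sessionKey)
	if err != nil {
		return nil, nil, err
	}
	payload, err := aead.Open(nil, req.Nonce, req.Ciphertext, nil)
	if err != nil || len(payload) <= md5.Size {
		return nil, nil, errors.New("undecryptable or malformed login payload")
	}
	pubDER, secret := payload[:len(payload)-md5.Size], payload[len(payload)-md5.Size:]
	if subtle.ConstantTimeCompare(secret, storedSecret) != 1 {
		return nil, nil, errors.New("shared secret mismatch")
	}
	digest := sha256.Sum256(pubDER)
	sig, err := rsa.SignPKCS1v15(rand.Reader, serverPriv, crypto.SHA256, digest[:])
	return pubDER, sig, err
}

// VerifyBuddyKey checks the login server's signature on a key returned by a supernode.
func VerifyBuddyKey(serverPub *rsa.PublicKey, pubDER, sig []byte) bool {
	digest := sha256.Sum256(pubDER)
	return rsa.VerifyPKCS1v15(serverPub, crypto.SHA256, digest[:], sig) == nil
}
```

A full run is: NewServerKey, ClientLogin against its public key, ServerVerify with the digest the server stored at registration, and VerifyBuddyKey on the returned key and signature, which is exactly what a peer does with the signed key it later receives from a supernode.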

Network Packets

UDP packets:
    IP
    UDP
    Skype SoF
    Skype Crypted Data01

The Start of Frame (SoF) consists of:
    frame ID number (2 bytes)
    payload type (1 byte), one of:
        obfuscated payload
        Ack/NAck packet
        payload forwarding packet
        payload resending packet
        other

Obfuscation Layer

The RC4 encryption algorithm is used to obfuscate the payload of datagrams. Two 32-bit values are taken: the CRC32 of the public source and destination IP addresses together with Skype's packet ID, and the Skype obfuscation layer's initialization vector (IV). The XOR of these two 32-bit values is transformed into an 80-byte RC4 key using an unknown key engine.

A notable misuse of RC4 in Skype can be found on TCP streams (UDP is unaffected). The first 14 bytes (10 of which are known) are XORed with the RC4 stream. Then the cipher is reinitialized to encrypt the rest of the TCP stream.[4]

TCP packets:
    TCP
    Skype Init TCP packet

The Skype Init TCP packet contains:
    the seed (4 bytes)
    init_str string 00 01 00 00 01 00 00 00 01/03
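The packet-level details above (the SoF header, the CRC32/IV input to the obfuscation layer, the RC4 reinitialisation on TCP, and the Init TCP packet) as one added example in Go; none of it is Skype's code or from the original post. Assumptions beyond what the post states: frame IDs and the seed are read big-endian, the CRC32 input is simply the two IPv4 addresses followed by the 16-bit packet ID, and the unknown key engine is not reproduced, so ObfuscationSeed returns the engine's 32-bit input rather than an RC4 key. KeystreamReused is the defender's view of the TCP misuse: restarting RC4 from the same key restarts the same keystream, so over the first 14 bytes the key cancels out of the XOR of the two ciphertexts, which is why reinitialising a stream cipher with an unchanged key is a defect rather than a quirk.

```go
package main

import (
	"bytes"
	"crypto/rc4"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"net"
)

// SoF is the Start of Frame header that follows the UDP header.
type SoF struct {
	FrameID     uint16
	PayloadType byte
	Payload     []byte // still obfuscated at this layer
}

// ParseSoF splits a datagram into frame ID, payload type and the obfuscated
// body. Big-endian frame IDs are an assumption; the post gives only sizes.
func ParseSoF(b []byte) (SoF, error) {
	if len(b) < 3 {
		return SoF{}, errors.New("datagram shorter than the 3-byte SoF")
	}
	return SoF{binary.BigEndian.Uint16(b[:2]), b[2], b[3:]}, nil
}

// initStr is the fixed part of the Skype Init TCP packet quoted above; the final byte is 0x01 or 0x03.
var initStr = []byte{0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00}

// ParseInitTCP returns the 4-byte seed when b is shaped like a Skype Init TCP packet.
func ParseInitTCP(b []byte) (seed uint32, ok bool) {
	if len(b) != 4+len(initStr)+1 || !bytes.Equal(b[4:4+len(initStr)], initStr) {
		return 0, false
	}
	if last := b[len(b)-1]; last != 0x01 && last != 0x03 {
		return 0, false
	}
	return binary.BigEndian.Uint32(b[:4]), true
}

// ObfuscationSeed computes the 32-bit value the post says feeds the RC4 key
// engine: CRC32(public src IP || dst IP || packet ID) XOR IV. The byte layout
// hashed is an assumption, and the unknown key engine is not reproduced, so
// this is the engine's input, not the 80-byte RC4 key.
func ObfuscationSeed(src, dst string, packetID uint16, iv uint32) (uint32, error) {
	s, d := net.ParseIP(src).To4(), net.ParseIP(dst).To4()
	if s == nil || d == nil {
		return 0, errors.New("source and destination must be IPv4 addresses")
	}
	var id [2]byte
	binary.BigEndian.PutUint16(id[:], packetID)
	buf := append(append(append([]byte{}, s...), d...), id[:]...)
	return crc32.ChecksumIEEE(buf) ^ iv, nil
}

// KeystreamReused models the TCP misuse described above: the 14-byte header
// is XORed with an RC4 keystream and the cipher is then reinitialised from
// the same key for the rest of the stream. A restarted keystream is the same
// keystream, so ciphertext1 XOR ciphertext2 equals header XOR rest for those
// 14 bytes and the key cancels out. It reports whether that identity holds.
func KeystreamReused(key, header, rest []byte) (bool, error) {
	if len(header) < 14 || len(rest) < 14 {
		return false, errors.New("need at least 14 bytes of header and of stream")
	}
	c1, err := rc4.NewCipher(key)
	if err != nil {
		return false, err
	}
	c2, _ := rc4.NewCipher(key) // the reinitialisation with the same key
	ct1, ct2 := make([]byte, 14), make([]byte, 14)
	c1.XORKeyStream(ct1, header[:14])
	c2.XORKeyStream(ct2, rest[:14])
	for i := range ct1 {
		if ct1[i]^ct2[i] != header[i]^rest[i] {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Constructed datagram: frame ID 0x1234, payload type 0x02, two payload bytes.
	sof, _ := ParseSoF([]byte{0x12, 0x34, 0x02, 0xaa, 0xbb})
	seed, ok := ParseInitTCP([]byte{0xde, 0xad, 0xbe, 0xef, 0, 1, 0, 0, 1, 0, 0, 0, 3})
	reused, _ := KeystreamReused([]byte("constructed-key"), []byte("14-byte header"), []byte("rest of stream"))
	fmt.Printf("frame=%#x type=%d payload=%d seed=%#x init=%v keystream reused=%v\n",
		sof.FrameID, sof.PayloadType, len(sof.Payload), seed, ok, reused)
}
```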

Low-level Datagrams:

Almost all traffic is ciphered. Each command has its parameters appended in an object list. The object list can be compressed.

Datagram structure (labels recovered from the original diagram):
    Enc -> Cmd -> Encod -> Object List ... or Compressed List ...
    Frag (loops back into the same path)
    Ack
    NAck
    Forward -> Forwarded..Message

Object Lists

An object can be a number, a string, an IP:port, or even another object list. Each object has an ID. This ID identifies which command parameter the object is.

Object:
    Number
    IP:Port
    List of numbers
    String
    RSA key

Object List:
    List Size (n)
    Object 1
    .
    .
    Object n
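An encoder and a bounds-checked decoder for the object-list structure just described, added here as an example; the post gives only the structure, so the byte layout (uvarint count, then kind byte, ID byte and a kind-specific body per object) is assumed and is not Skype's wire format, and the IP:port and RSA-key kinds are left out for brevity. The part worth studying is the decoder: because an object list may contain another object list, a parser of this shape that trusts the declared size or recurses without a limit can be driven into reading past the buffer or exhausting the stack by a single crafted datagram, so every declared length is checked against the bytes actually present and nesting is capped.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Kind is the object type. IP:port and RSA-key objects are omitted to keep the
// example short; the byte encoding below is assumed, not Skype's wire format.
type Kind byte

const (
	KindNumber Kind = iota
	KindString
	KindList
)

// Object is one command parameter; ID says which parameter it is.
type Object struct {
	ID     byte
	Kind   Kind
	Number uint64
	Str    string
	List   []Object
}

const maxDepth = 8 // nesting limit so a hostile list cannot exhaust the stack

// Encode writes a list as a uvarint count followed by each object as kind, ID
// and a kind-specific body; nested lists recurse.
func Encode(list []Object) []byte {
	out := binary.AppendUvarint(nil, uint64(len(list)))
	for _, o := range list {
		out = append(out, byte(o.Kind), o.ID)
		switch o.Kind {
		case KindNumber:
			out = binary.AppendUvarint(out, o.Number)
		case KindString:
			out = append(binary.AppendUvarint(out, uint64(len(o.Str))), o.Str...)
		case KindList:
			out = append(out, Encode(o.List)...)
		}
	}
	return out
}

// DecodeList parses one object list and returns the unconsumed bytes, which a
// caller reading a complete datagram should require to be empty.
func DecodeList(b []byte) ([]Object, []byte, error) { return decodeList(b, 0) }

func decodeList(b []byte, depth int) ([]Object, []byte, error) {
	if depth > maxDepth {
		return nil, nil, errors.New("object list nested too deeply")
	}
	n, k := binary.Uvarint(b)
	// Every object needs at least 2 bytes, so a count above len(b) is a lie.
	if k <= 0 || n > uint64(len(b)) {
		return nil, nil, errors.New("bad list size")
	}
	b = b[k:]
	list := make([]Object, 0, n)
	for i := uint64(0); i < n; i++ {
		if len(b) < 2 {
			return nil, nil, errors.New("truncated object header")
		}
		o := Object{Kind: Kind(b[0]), ID: b[1]}
		b = b[2:]
		switch o.Kind {
		case KindNumber:
			v, k := binary.Uvarint(b)
			if k <= 0 {
				return nil, nil, errors.New("bad number")
			}
			o.Number, b = v, b[k:]
		case KindString:
			l, k := binary.Uvarint(b)
			if k <= 0 || l > uint64(len(b)-k) {
				return nil, nil, errors.New("string length exceeds data")
			}
			o.Str, b = string(b[k:k+int(l)]), b[k+int(l):]
		case KindList:
			var err error
			if o.List, b, err = decodeList(b, depth+1); err != nil {
				return nil, nil, err
			}
		default:
			return nil, nil, fmt.Errorf("unknown object kind %d", o.Kind)
		}
		list = append(list, o)
	}
	return list, b, nil
}
```

The count check before allocation matters as much as the depth cap: without it, a two-byte datagram declaring a few billion objects would make the decoder reserve memory for all of them before reading a single one.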


Packet compression
Packets can be compressed. The algorithm is a variation of arithmetic compression that uses reals instead of bits.

Posted on Wednesday, September 9th, 2009 at 1:09 pm, filed under z-A usefull - HowTos and Tutorials.
