Schneier on Security: Who Does Skype Let Spy?

@ Pradyumna,

wonder if really would be al telephone network), I wonder if really would be al that hard to encrypt their voices themselves

Yes iit is quite difficult for a number of reasons.

Firstly the human voice is full of redundancy as are most languages. You can actually take out vowels swap them with different vowels and add extra vowels and with little difficult understand what is being said. Likewise quite a few consonants can be swapped removed or be added with no loss of intelligerbility.

Then you can do similar things with phonems because many languages are actually phonem insensitive.

For instance you want to see just how bad it can be, take a section of spoken audio strip the envelop and use it to modulate a section of music which has been amplitude limited. Guess what many people can hear the words and understand them. You can improve things a bit by spliting the spoken audio up into five or six spectral bands and use the envelops to those bands to modulate the spectrum split music. Now your music realy speaks to you and such a system is known as a vocoder and various bands used it the one most remember is the end of "Mr Blue Sky" from ELO, where in the dying moments a ninstrument quite clearly says "please turn me over" (originaly it was the last track on side A of the "LP Record" Album.

So lets assume you just compressed your digitised voice track (A-Law coded 12 to 8 bit is very common and easy to do) then used plain oldd ECB encryption well a simple analysis of what is in effect a substitution cipher recovers the audio envelope fairly easily which as I indicated kind of gives the speach content away...

So you need a codec that not only compresses the audio very well, it also breaks the statistics up quite well. Having done that you need to pick an appropriate cipher mode that not only deals with the audio, it has minimal delay and is very robust to the sorts of data transmission error you get on the Internet...

But... Most systems these days use an audio codec that uses a variety of CELP encoding invented by guess who? None other than the NSA (yup US spooks R US) if you go to Wiki and just type 'celp nsa' it will bring you up a lot about it.

The point is that NSA are schizophrenic in their mission, one side is tasked with protecting US communications the other with breaking others communications. You have to ask yourself a serious question is this system actually backdoored in a way the NSA can use? And based on their history I'd say assume so unless you can prove otherwise (which might be difficult).

So encrypting spoken audio is actually very hard to do way way harder than encrypting ordinary data files...

@ alanm,

What world are these people living in?

Sadly the real world of this moment with many many countires governments not just controlling communications but technology as well.

As I've noted above actually developing a secure system for audio communications is actually quite difficult, much more so than cobberling a few snipits of code you've managed to find on the Internet in places that have not been blocked.

In fact many of these countries get assicistance from US UK and other EU companies who are not only quite happy to help these governments monitor such traffic, but also to place booby trapped code up on servers so that what you download there may not be what the website owner actually put up.

As a general idea a good inteligable and timely codec can reduce the human voice to around 4800 bits per second. Most conversations last for atleast thirty seconds. How long do you think it would take to leak a 128 bit key in the 144000 bits sent in 30 secs it's in effect 1 bit in every 1125 bits sent. If this was hidden in a stream encryption system it would be very very difficult to find...

Sadly most of the people living in countries not in the first world have very limited access to anything remotly close to a modern PC. In fact due to the peculiarities of such things they are way way more likely to have access to a mobile or smart phone than a PC (North Korea being one such example)...