Skip navigation.
Home
zalex.name
Home

Skype protocol reverse engineering

by Salman A. Baset and Henning Schulzrinne

KEY COMPONENTS OF THE SKYPE SOFTWARE

A Skype client listens on particular ports for incoming calls, maintains a table of other Skype nodes called host cache, uses wideband codecs, maintains a buddy list, encrypts messages endtoend, and determines if it is behind a NAT or a firewall. This section discusses these components and functionalities in detail.

Ports

A Skype client opens a TCP and a UDP listening port at the port number configured in its connection dialog box. SC randomly chooses the port number upon installation. In addition, SC also opens TCP listening ports at port number 80 (HTTP port), and port number 443 (HTTPS port). Unlike many Internet protocols, like SIP and HTTP, there is no default TCP or UDP listening port. Figure 15 shows a snapshot of the Skype connection dialog box. This figure shows the ports on which a Skype listens for incoming connections.

Host Cache

The host cache (HC) is a list of super node IP address and port pairs that SC builds and refreshes regularly. It is the most critical part to the Skype operation. At least one valid entry must be present in the HC. A valid entry is an IP address and port number of an online Skype node. A SC stores host cache in the Windows registry at HKEY_CURRENT_USER / SOFTWARE / SKYPE / PHONE / LIB / CONNECTION / HOSTCACHE. After running a SC for two days, we observed that HC contained a maximum of 200 entries. Host and peer caches are not new to Skype. Chord, another peer-to-peer protocol has a finger table, which it uses to quickly find a node.

Codecs

The white paper observes that Skype uses iLBC, iSAC, or a third unknown codec. GlobalIPSound has implemented the iLBC and iSAC codecs and their website lists Skype as their partner. We believe that Skype uses their codec implementations.
We measured that the Skype codecs allow frequencies between 50-8,000 Hz to pass through. This frequency range is the characteristic of a wideband codec.

Buddy List

Skype stores its buddy information in the Windows registry. Buddy list is digitally signed and encrypted. The buddy list is local to one machine and is not stored on a central server. If a user uses SC on a different machine to log onto the Skype network, that user has to reconstruct the buddy list.

Encryption

The Skype website explains: “Skype uses AES (Advanced Encryption Standard) – also known as Rijndel – which is also used by U.S. Government organizations to protect sensitive
information. Skype uses 256-bit encryption, which has a total of 1.1 x 1077 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1536 to 2048 bit RSA to negotiate symmetric AES keys. User public keys are
certified by Skype server at login.”

NAT and Firewall

We conjecture that SC uses a variation of the STUN and TURN protocols to determine the type of NAT and firewall it is behind. We also conjecture that SC refreshes this information periodically. This information is also stored in the Windows registry.
Unlike its file sharing counter part KaZaa, a SC cannot prevent itself from becoming a super node.

Read more...