Wednesday, 16 July 2014

How skype network works


When you run skype binary, following network actions is made:

Step 1. Login stage.

Skype binary checks if saved profile exists, and try to find private/public keys and skype issued certificate in it (also called credentials).

If its first run (i.e. no profile in %APPDATA%/skype/ found), skype do generation of private/public RSA keypair 1024 bits (128 bytes or 0x80 in hex) long.

Then, its make connection to skype 'login' servers. And send skypename, MD5(password) bytes, and you public key. If authorization OK, skype will issue personal certificate for you skypename and public key. This is 0x104 bytes array signed by skype network public key, also known as CA (certification of authority) in PKI (Public Key Infrastructure). Getting we skype signed certificate means that you now successfully "login" in skype network.

By the way, certificate will be issued on 30 days only. So, after that 30 days, you MUST login again (i.e. get new skype signed certificate).

Skype User Certificate Example:

Crypted form:
Len: 0x00000104
00 00 00 01 A7 CF DF F5 A9 69 80 2C 56 12 D5 8B  ;          i ,V   
4B B1 6A 51 0B F4 E1 69 47 96 89 2D 82 A2 16 B7  ; K jQ   iG  -    
19 C9 52 DF 08 84 0D 28 04 0F 10 6F 07 D4 FF 3E  ;   R    (   o   >
64 80 34 36 DC 25 5F 79 F1 7F 1C 4C 90 9C 03 E2  ; d 46 %_y  L    
EF 9D B9 C6 D9 52 55 D4 C0 FE 31 6E 08 EA FA C9  ;      RU   1n    
61 BB F8 DA F7 2E 8A 13 16 B2 12 7E 17 38 D7 13  ; a    .     ~ 8  
2E 85 1D 27 63 71 DD 48 A9 95 37 F6 FE 62 76 31  ; .  'cq H  7  bv1
F8 0E 5E 4B 1A 8C C2 F4 14 80 5E 96 1C CB 81 E7  ;   ^K      ^     
DC 5A F5 E7 D8 6D E7 9F F2 AD 77 A1 E1 A4 03 CF  ;  Z   m    w     
57 41 C6 61 82 D8 BF 24 7A 1F C4 23 08 DC C2 5A  ; WA a   $z  #   Z
63 79 95 FF 0B 3E 1E F8 7A 6C 49 05 00 45 5E DD  ; cy   >  zlI  E^ 
AB 9F 19 F6 50 D1 4A B9 02 92 C5 62 6E 27 44 DC  ;     P J    bn'D 
68 06 09 FD 1D 6E C1 C0 0F 3D 90 E4 1A F9 DE 46  ; h    n   =     F
5B 27 B6 9F 48 AC B4 1A 95 92 8C 7D E2 9D A3 A7  ; ['  H      }    
C7 06 95 2A FC D3 86 C3 46 4E 7E 9F F8 A6 2C E9  ;    *    FN~   , 
5D 94 FC 95 CC C0 83 84 C0 40 35 DD A0 72 6B 78  ; ]        @5  rkx
7C 26 3E 68 

Uncrypted (unsigned) form:
Len: 0x00000100
4B BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB  ; K               
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB  ;                 
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB  ;                 
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB  ;                 
BA 41 05 03 00 74 68 65 6D 61 67 69 63 66 6F 72  ;  A   themagicfor
79 6F 75 00 00 03 00 04 01 80 01 D8 81 DE 8F 79  ; you            y
18 DD FE 68 46 80 D7 D0 EB 0C 0A AA F3 ED AC A9  ;    hF           
A4 66 7B 7C FF 16 C3 5A 65 DB A9 7C A2 D6 B7 11  ;  f{|   Ze  |    
E1 FF A3 EE 85 DF F1 0D 47 5E 31 E7 F2 91 62 20  ;         G^1   b 
07 00 6B 18 31 B7 50 C7 21 F4 CB 6E 5E 51 CE FD  ;   k 1 P !  n^Q  
53 16 87 03 FB 2E C0 96 DD FD 7E 2D B4 BC C4 A4  ; S    .    ~-    
2D 0E 52 9A 2B BE CC 34 DC 9C 17 EB E3 83 1F 55  ; - R +  4       U
13 75 FF D0 F1 08 A7 8F FF 81 D5 C6 95 39 12 F0  ;  u           9  
F0 27 F5 21 FA D8 94 65 52 DE F5 00 04 D7 CC 97  ;  ' !   eR       
0B 05 02 41 01 00 09 B7 85 B5 0B C7 7E 39 13 F3  ;    A        ~9  
D3 C3 47 D2 A0 D6 79 55 AD 3F 62 BD 53 79 FD BC  ;   G   yU ?b Sy  

Restored RSA certificate object (blobs) data:
remote credentials:
{
03-00: "themagicforyou"
00-03: 00 00 00 00
04-01: 128 bytes
0000: D8 81 DE 8F 79 18 DD FE 68 46 80 D7 D0 EB 0C 0A | ....y...hF...... |
0010: AA F3 ED AC A9 A4 66 7B 7C FF 16 C3 5A 65 DB A9 | ......f{|...Ze.. |
0020: 7C A2 D6 B7 11 E1 FF A3 EE 85 DF F1 0D 47 5E 31 | |............G^1 |
0030: E7 F2 91 62 20 07 00 6B 18 31 B7 50 C7 21 F4 CB | ...b ..k.1.P.!.. |
0040: 6E 5E 51 CE FD 53 16 87 03 FB 2E C0 96 DD FD 7E | n^Q..S.........~ |
0050: 2D B4 BC C4 A4 2D 0E 52 9A 2B BE CC 34 DC 9C 17 | -....-.R.+..4... |
0060: EB E3 83 1F 55 13 75 FF D0 F1 08 A7 8F FF 81 D5 | ....U.u......... |
0070: C6 95 39 12 F0 F0 27 F5 21 FA D8 94 65 52 DE F5 | ..9...'.!...eR.. |

00-04: 57 E6 65 01
05-02: {
00-09: B7 42 6D 01
}
}

You can compare it with these well known certificate standard Sample_X.509_certificates, if curious.


In this cert data the "57 E6 65 01" (0x0165E657) its posix time in MINUTES (i.e. time(NULL) / 60). So we get:

00-04 (Expire Time): 0x0165E657
Cert expire time: 1407319140
Wed Aug 06 13:59:00 2014

00-09 (Created Time): 0x016D42B7
Cert created time: 1404727140
Mon Jul 07 13:59:00 2014

And 128 (0x80) bytes of our ("themagicforyou" in this example) public key. Some "00-03: 00 00 00 00" blob is version or CRL (certificate revocation list) marker.

Step 2. Loading contacts.

Still not reversed yet. But my guess, skype do connect to especially created 'event' servers and just ask for contact list for given skypename.

Step 3. Network search.

Now, we should check somehow all users in our contacts for understand who is online and who is not. For this, skype make requests to supernodes (or maybe also event-servers, there is also not much code reversed) and just ask "gimme VCARD for this skypename user".

VCARD - is 27 bytes (0x1B) long special array which contain unique for each hardware skype-device-id, and last known ip-s and ports of supernode below to user, user public ip and port, user internal ip and port. And also its contain status of this VCARD - actual, expired, dead etc.

So, skype just check VCARDs for all users in contact list and detect users with VCARD active (online) flag. Optionally, it may try to connect to all users for check if VCARD information is correct and this supernodes and public ip of user is up and accepting connections.
And also if connection accepted, skype binary may check for new messages for our user, which may be in delayed status in others skypes.

Step 4. Sending the message.

When we known remote skypename (from contact list), remote ip and port (from VCARD we got) we can send message to other skype user.

So, we just connect, setup session with crypto initialization (RC4 with DH_384 handshake + RSA for secret key exchange + AES stream cipher), and sending blobs (some object-structure data) with our message. Message itself, just as message headers and message unique chatid will be additionally signed by our RSA public key. Signed, but not crypted (because all stream session crypted), just for identification purposes, i guess.

Thats all. So, now you know how to skype network works :)

P.S. Don't forget to donate if you like idea about making open source 'skype compatible' protocol for all.

2 comments:

  1. now all 3rd party instant mesenger clients (IM+, Trillian, etc.) are having problems with skype connection.... if you would help to fix this issue you would receive a great number of happy users :)

    ReplyDelete