9

I can't make Skype calls outside of my country because they are blocked. As far as I understand, Skype uses strong encryption for the calls, thus making Deep Packet Inspection unable to detect it.

If it's not DPI, then what can it be?

People I know suggested that I use a VPN, but I can't understand why, because Skype implements encryption.

Hello World
Mr.voip

3 Answers

7

Payload encryption means they can't know what the communication content is, but in some cases they can still know what protocol you're using (in this case Skype). This is how countries block Tor, for example.

Methods to detect the protocol being used even if it's encrypted:

IP-based: TCP is not encrypted even if the payload is encrypted (so that computers can route your packets). The country can tell where the packets are going, and block them depending on their destination IP address.

Port-based: Same as above, but based on the destination port. For example: XMPP uses port 5222; if I block all packets connecting to port 5222, I block out XMPP even if it's encrypted (unless users and servers use non-default ports).

Handshake-based: Many (maybe all) encrypted protocols start the connection unencrypted, and then the two sides "shake hands". The handshake involves sharing the cryptographic data needed in order to begin using encryption, so it isn't encrypted. Packet inspection can work here. For example, the first few packets of the HTTPS handshake are unique, not encrypted and can be identified.

VPNs are effective against all 3 methods mentioned above because they route everything through an already encrypted connection. TCP is wrapped by the VPN protocol and sent through the VPN protocol. This means your country cannot see the destination IP, the port, or the handshake because it's all wrapped in an encrypted TCP connection originating from your machine and ending at the VPN server. However, your country might be blocking the VPN protocol in the first place. (Unlikely)

Hello World
  • Thank you. It is quite strange because Skype uses dynamic ports. Blocking IP addresses is not practical because Skype is P2P in case you are not behind NAT. I guess we're left with the handshake. – Mr.voip May 11 '14 at 14:06
  • 1
    Incorrect. Skype is not fully decentralized. Initially you connect to a central server (the login server); this server (or perhaps a handful of servers) has a specific IP address and port. If you're looking for real P2P, you might want to check out https://tox.im/. It's still a work in progress though! Be warned. – Hello World May 11 '14 at 14:09
  • While this is out of the scope of your question, it might be helpful: You might want to consider avoiding the blockage by using another protocol, like XMPP. http://gajim.org/ is a voice supported XMPP client. – Hello World May 11 '14 at 14:13
  • That means that the destination IP is not the IP address of the person I am talking to but Skype's server IP address? Is it valid for the whole session or only at the beginning? – Mr.voip May 11 '14 at 14:27
  • Upon login, you connect to the IP address of the Skype server and tell it "This is my username and password...". Once the server approves you, it tells you the IP of your peer. If that first step is blocked, Skype won't work. – Hello World May 11 '14 at 14:57
  • Also, I think (but I'm not sure) that the connection to the central server is persistent, so that it can notify you of friend requests / friends going offline / friends going online. – Hello World May 11 '14 at 15:08
  • 1
    You can also simply block anything unknown, e.g. web, mail etc. all have their known fingerprints (fixed ports or easily distinguishable with simple DPI) and then one could block the rest. – Steffen Ullrich May 11 '14 at 15:16
2

To block VoIP, you don't need to know what the content is. VoIP packets do have certain characteristics/behaviour (length, frequency) that are identifiable with or without encryption, also known as Heuristic Classification. This pro-DPI article touches the surface: http://www.telecoms.com/39718/encryption-will-it-be-the-death-of-dpi/

1

For making calls Skype is using the Voice Over Internet Protocol. Most probably the reason is that your ISP is blocking those VoIP packets.

I would suggest:

Finn
  • 1
    Why use a VPN if Skype calls are encrypted? How does the DPI know that I use Skype if the payload is encrypted? – Mr.voip May 11 '14 at 12:53