Encryption Question - What exactly is encrypted in TS3?

[smithers33]

I've been researching this for a few days and haven't been able to find a satisfactory answer so here goes. What exactly IS and IS NOT encrypted when using teamspeak3? I understand that public key cryptography is in use to uniquely identify users but is that public/private key also used to encrypt any of the following?

Text chatting in a channel?
Private person-to-person text chats?
File uploads and downloads from the file vault? (cool feature)
VOICE - (I know this is encrypted, and have enabled the specific checkbox)

I'd greatly appreciate an answer if anyone knows. Thanks in advance

[smithers33]

55+ views and no replies? Did I ask in the wrong forum? I'd love to keep using and recommending TS3 as a secure chat solution but i'm having trouble doing so in good conscience until i get something of a formal answer. Why is this such a mystery?

[copper]

55+ views and no replies? Did I ask in the wrong forum? I'd love to keep using and recommending TS3 as a secure chat solution but i'm having trouble doing so in good conscience until i get something of a formal answer. Why is this such a mystery?

Answer: Read http://www.catb.org/~esr/faqs/smart-...ons.html#intro [Short Version: You are smart enough to find answers yourself.]

You have piqued my interest though. I have done some surface testing. Nothing big, I assure you.

So, I have tested text chatting to the server (to the channel and private messaging should be similar), file upload (download should be similar), connection, disconnection, and voice without encryption.

Testing Environment: TS3 RC-1 Server running on 127.0.0.1 (localhost), TS3 RC-2 Client connecting localhost.

I am very happy at the result I got.
Connection, Disconnection, Text Chatting: All I got are unreadable data, which doesn't have any indication of my identity and unique ID. It could be that they are encoded with a reversible retrieve algorithm (I haven't tested against encodes), but they are definitely not readable with naked eye.

Voice: I don't know how to decode voice anyway, so it is unreadable to me even if it is not encrypted. Though I suppose you could use the framework to decode it.

File transfer: Readable with naked eye (i.e.: NOT encrypted). I basically uploaded a text file, looked like this:

Code:

testing first line
testing second line

One of the segment looked like this:

Code:

632	179.908258	127.0.0.1	127.0.0.1	TCP	56146 > 30033 [PSH, ACK] Seq=33 Ack=1 Win=277640 Len=38 TSV=166365319 TSER=166365319

Code:

EZ2@@RuQ8VY#&<N
		testing first line
testing second line

TS3 Server Admin Query (NOT encrypted) [This is exactly what I suspected, since telnet isn't encrypting anything. This is also why I disabled TS3 Query connection from anywhere but localhost. If you are concerned about security like me you should probably never remote login as serveradmin through TCP query. A webinterface with HTTPS protocol may be a good alternative to consider.]
Some segments I captured from localhost:

Code:

0000  02 00 00 00 45 00 00 c6  fd ad 40 00 40 06 00 00   ....E... ..@.@...
0010  7f 00 00 01 7f 00 00 01  27 1b db e9 43 7b fe c4   ........ '...C{..
0020  02 67 c5 a6 80 18 ff ff  fe ba 00 00 01 01 08 0a   .g...... ........
0030  09 ea af 54 09 ea af 54  57 65 6c 63 6f 6d 65 20   ...T...T Welcome 
0040  74 6f 20 74 68 65 20 54  65 61 6d 53 70 65 61 6b   to the T eamSpeak
0050  20 33 20 53 65 72 76 65  72 51 75 65 72 79 20 69    3 Serve rQuery i
0060  6e 74 65 72 66 61 63 65  2c 20 74 79 70 65 20 22   nterface , type "
0070  68 65 6c 70 22 20 66 6f  72 20 61 20 6c 69 73 74   help" fo r a list
0080  20 6f 66 20 63 6f 6d 6d  61 6e 64 73 20 61 6e 64    of comm ands and
0090  20 22 68 65 6c 70 20 3c  63 6f 6d 6d 61 6e 64 3e    "help < command>
00a0  22 20 66 6f 72 20 69 6e  66 6f 72 6d 61 74 69 6f   " for in formatio
00b0  6e 20 6f 6e 20 61 20 73  70 65 63 69 66 69 63 20   n on a s pecific 
00c0  63 6f 6d 6d 61 6e 64 2e  0a 0d                     command. ..

Code:

0000  02 00 00 00 45 10 00 3b  f6 c9 40 00 40 06 00 00   ....E..; ..@.@...
0010  7f 00 00 01 7f 00 00 01  db e9 27 1b 02 67 c5 a6   ........ ..'..g..
0020  43 7b ff 56 80 18 ff ff  fe 2f 00 00 01 01 08 0a   C{.V.... ./......
0030  09 ea af 6a 09 ea af 54  75 73 65 20 31 0d 0a      ...j...T use 1..

Code:

0000  02 00 00 00 45 00 00 47  65 db 40 00 40 06 00 00   ....E..G e.@.@...
0010  7f 00 00 01 7f 00 00 01  27 1b db e9 43 7b ff 56   ........ '...C{.V
0020  02 67 c5 ad 80 18 ff fe  fe 3b 00 00 01 01 08 0a   .g...... .;......
0030  09 ea af 6c 09 ea af 6a  65 72 72 6f 72 20 69 64   ...l...j error id
0040  3d 30 20 6d 73 67 3d 6f  6b 0a 0d                  =0 msg=o k..

Bottom line: Everything except file transfer and query seems to be safe. I recommend do TCP query through localhost. If you host it somewhere else, use ssh to remote machine, then telnet localhost 10011. This way you establish a security layer yourself, and get around the telnet's risk over Internet.

Warning: I haven't done decode tests, but since TS team did public/private key encryption, I don't see any problem on the connect/disconnect. I don't think the private chats matter all that much, or files for that matter. After all, FTP is still unencrypted. (Yeah, I know there's FTPES, SFTP, but there's no native client support in any modern OS)

P.S.: One decode test I did was against TS2 encode, and the new TS3's encode is, unsurprisingly, completely incompatible with TS2's.

P.S.: Additional Testing. Setting: Channel Voice Encryption = Globally On. File download is still not encrypted.

I understand that public key cryptography is in use to uniquely identify users but is that public/private key also used to encrypt any of the following?

I'm not a TS dev, but my guess is "no". Public/private key uses too much CPU power, and is generally suitable only at establishing connection to provide a session key. Session key would be transferred through this encryption on the Internet (generation of session key is another story that you can look up yourself.)

[Hippolytos Lugus]

I assume AES-256 is best choice due new intel processors support hardware accelerated AES. I have looked everywhere but this thread is closest answers. As I understand here is that everything except file transmission and voice is not encrypted. Voice encryption is an option? What type of encryption is used?

Please could any TS3 worker/programmer answer this questions. I think security is really important!

1. Exactly what is encrypted in TS3 and what is not?
2. And what type of encryption is used?
3. Is voice encrypted always or is it an option? Is the encryption AES-256 for voice?

Thanks in advance!

[SilentStorm]

Voice Encryption is optional and can be configured in the Edit Virtual Server -> Security Section. Options are: Configure per Channel, Always on, Always off. If the first Option (per Channel) is chosen you can enable / disable it for each channel in the Edit Channel -> Advanced Section.

[Peter]

1. Exactly what is encrypted in TS3 and what is not?
2. And what type of encryption is used?
3. Is voice encrypted always or is it an option? Is the encryption AES-256 for voice?

Filetransfer data is never encrypted. Voice data is configurable (you can configure it if you edit the virtual server, on a global level, or it can be configured on a per channel level), if you click on a channel you will see in the info pannel if voice data in this room is encrypted. Everything else is encrypted (all command data which includes text messages, passwords etc.). The encryption used is, as you guessed correctly, AES.

[Hippolytos Lugus]

Filetransfer data is never encrypted. Voice data is configurable (you can configure it if you edit the virtual server, on a global level, or it can be configured on a per channel level), if you click on a channel you will see in the info pannel if voice data in this room is encrypted. Everything else is encrypted (all command data which includes text messages, passwords etc.). The encryption used is, as you guessed correctly, AES.

Newer processors have support for hardware accelerated AES with a special circuit for this funcion so it wont sink down anything. Why isnt this always on for everything? It´s encrypting at 1,1 Gb/s even in filetransfers it wouldnt affect the speeds. For security reasons I recommend that encryption will be on always for everything as default, with no preferences to turn off. So I can feel safe when using TeamSpeak. What strength is used it is 256-bits keys in AES?

[SilentStorm]

According to a quick Google Search only Intel Core i5+ and AMD Bulldozer based CPUs have this Feature, Core i3 CPUs are lacking this Feature as are all older CPUs, which are quite common still, hence Performance would suffer if everything were to be encrypted.

Also in my opinion encrypting File Transfer would pretty much wasting resources (even if it is hardware accelerated), since seriously the file transfer is mostly used for pictures, documents, savegames and the like... The common User of TeamSpeak will most definately not transfer top secret Files through TeamSpeak Servers nor possess that kind of files. Files important enough would be heavily encrypted on it's own already thus pretty much eliminating the need to encrypt the transfer of them. That being said if you worry that much about your Files you can always just encrypt them yourself before uploading them.

As for Voice Encryption: It definately should be the Server Owner's choice whether he is willing to spent the CPU Power it takes to encrypt the Voice Data on the fly or not, plus you can check whether it is encrypted or not by just clicking the Channel and check the Infoframe.
Again the common TS3 User will most likely not talk about top secret Stuff which would need to be encrypted during transfer and nobody would care to go through the trouble of sniffing your TS3 Packets, extract the Voice Data, save them and listen to your conversation about your Holiday / Gaming Experience / Story of the last weekend / Party on a Public Server. If using TS3 in a company it would likely be an Internal Network only Server or otherwise prevented from accepting unauthorized Connections, so encrypting is not necessary either.

Even Text Messages wouldn't really need to be encrypted imho but I guess it was easier to run the whole sequence through the Encrypter than splitting command data from the actual text of the message and Text messages are short anyway so...

Long story short: I don't really see the need to encrypt the entire traffic TS3 causes.