Dear Skype,

You need to add some hard, plugin-based, client-side encryption, based on symmetric algorithms and not only based on the existence of some still unsolved mathematic problems. We can assist you with that, as we have 12 years in security, our customers being Nokia, Motorola, Accenture, ...

Have a nice day, I'm looking forward to skyping...

Kind regards
SCR Consulting A/S
Technical Director
David Svarrer

I'd say a decent public plugin API would be the way to go. Of course, most people don't have the need (nor CPU power) for real-time military grade encryption; but having the option to add it as a 3rd party plugin wouldn't hurt.

You say that as if you have some knowledge of the encryption used in skype, and find it lacking.

Care to share?

What's wrong with AES-256 used by Skype?

Erik

The encryption they are using in Skype is good, but their documentation leaves out one important thing. It says it uses RSA to encrypt and exchange AES keys between users. What it does not say is if every user has their own pair of RSA keys or not. It sort of implies it, but does not come right out and say it.

If Skype generates a set of RSA keys for each user on their own computer, and only exchanges public keys while the secret key is kept private, that is fine.

If Skype uses an embedded set of RSA keys, then they control, the secret key and could possibly give it up to some government authority via a court order, etc.

It would be nice if one of the Skype developers would clear up this matter.

yes, that's exactly the case.

- jaan

The RSA is not a "still unsolved mathematic problem". The mathematics behind it is very well-documented.
RSA private keys can "calculated" through systematic guessing. The point is that the time consumption makes it impossible to solve when the keys are 256 bit. It would take millions of years for a modern computer to solve the problem.
That is in my opinion good enough. I will probably have bought a new computer by then anyway...

Thank you very much for clearing that up. Much appreciated.

A related question: how can a user verify that the public key in use is really the right one? Is there some facility for verifying key fingerprints, or for signing of public key certificates?

Is there a document somewhere that describes the overall security architecture of the system? What I've found so far on your website is fully buzword-compliant but doesn't have enough detail for me to feel comfortable using skype for business purposes.

So... If I use Skype on 3 different machines with same user... Do I have 3 different RSA keys? If not, how are they shared (how is the public key shared between machines)? If it is not shared, then how can you trust that on each machine it is really me? How can I backup my RSA key-pair? How can I manually exchange my public key to somebody out of band, and verify that the key they have is really mine?

Also... care to explain how you use AES? Is it in CBC mode? How do you generate IVs?

Care to explain how the key exchange is done? How often they get re-generated?

What random algorithm do you use on machines that don't implement a random number generator?

How do I test that the stream of data that is exchanged between 2 Skypes is really encrypted as is claimed? Do you have test-vectors that I can use / compare?

Lack of documentation makes these questions, today, not very easy to answer... and prove to be blocking for SOME (not ALL) enterprize deployments.

Gilles.

trask: the public keys are signed by skype server at the logon, thus certifying that this particular key belongs to this particular user indeed.

re doc: no, at the moment there is no seurity doc (nor audit). it just hasn't been a priority so far.

ggravier: yes, each installation will have different RSA keys. you can't do anything manually. to rest of your questions i'm not qualified to answer.

- jaan