Skype uses AES (Advanced Encryption Standard), also known as Rijndael, which is used by U.S. Government organizations to protect sensitive information. Skype uses 256-bit encryption, which has a total of 1.1 x 10^77 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1024-bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates.
This quote really makes sense to an encryption expert. If:
- I am to trust what Skype say here
- Skype actually implemented what they say they did
- Skype’s implementation is correct
- Skype’s implementation is bug free
then this encryption is pretty good considering today’s standards.
But there’s no way for me to know. Skype, being closed-source, won’t let me look at their encryption code. As far as I know they might not be encrypting at all, or might be doing so in a way that is vulnerable. I have absolutely no way to verify that their encryption is worth anything. For all intents and purposes, my Skype call is considered clear-text, because for all I know it might as well be so.
It all comes back to Trust. If you trust Skype, you can accept that your calls are encrypted. If you don’t (and frankly I have no reason to trust them) you cannot treat Skype conversations as encrypted.
[Originally posted in my blog -- Arik]
Update October 22nd:
In a strange coincidence, Skype just came out with this blog entry about an outside review of their system.
While this is laudable, I cannot see how this improves the security of their system. For all we know, the evaluation may be accurate for the piece of source code analyzed – but we know absolutely nothing about the security of the piece of binary that runs on our system. We can’t look into its code, nor can we do black-box testing with an interoperable client. We need to take them on their word that the security evaluation actually relates to the code running on my computer. We still need to trust Skype that this holds true.
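To make the "it might as well be clear-text" point and the black-box-testing remark concrete, here is an added example (not from the original post, and not Skype's code) of the most an outside observer can actually measure on a captured payload: whether the bytes look random. The samples are constructed inline, the "ciphertext-like" stream is produced by SHA-256 chaining rather than by any real cipher, and the thresholds are assumptions chosen for this demonstration. A pass only says the stream is not obviously plaintext; it cannot distinguish AES-256 from a weak cipher, a leaked key, or merely compressed data, which is exactly why the vendor's claim still has to be taken on trust.

```python
"""Byte-distribution checks on a captured payload (added example)."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform
    distribution (255 degrees of freedom). Near 255 means 'looks uniform';
    plaintext scores in the thousands because most byte values never occur."""
    n = len(data)
    if n == 0:
        return float("inf")
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_encrypted(data: bytes,
                    entropy_floor: float = 7.5,    # assumed threshold
                    chi_ceiling: float = 400.0) -> bool:  # assumed threshold
    """Heuristic black-box check: high entropy AND a near-uniform histogram.
    Caveat: compressed or already-random data passes too. A True result
    says nothing about which cipher, which key size, or how keys were
    negotiated; it only rules out obvious plaintext."""
    return shannon_entropy(data) >= entropy_floor and chi_square(data) <= chi_ceiling


def pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for ciphertext, constructed for this example by
    chaining SHA-256 digests. This is NOT encryption; it only yields bytes
    with a flat histogram so the check has something to pass."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed samples: repeated English text vs. a random-looking stream.
PLAINTEXT_SAMPLE = (
    b"Skype uses AES, also known as Rijndael, to encrypt each call. " * 80
)
CIPHERTEXT_LIKE_SAMPLE = pseudo_random_bytes(b"example-seed", 4096)


def classify(data: bytes) -> dict:
    """Return the measurements a practitioner would log for a captured stream."""
    return {
        "entropy_bits_per_byte": round(shannon_entropy(data), 3),
        "chi_square": round(chi_square(data), 1),
        "looks_encrypted": looks_encrypted(data),
    }


if __name__ == "__main__":
    print("plaintext      :", classify(PLAINTEXT_SAMPLE))
    print("ciphertext-like:", classify(CIPHERTEXT_LIKE_SAMPLE))
```

The SHA-256 chain passes the check with the same numbers a genuine AES-256 stream would, which is the practical lesson: passive measurement confirms "not plaintext" and nothing more. Confirming the key size, the RSA negotiation, or the certificate handling described in the quoted text requires the source, an interoperable client, or a reproducible build to compare against the shipped binary.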