Skype security and encryption review now available
By Jaanus on October 21, 2005 in Reviews and news.
Ever since Skype was launched, we have said it is, and will remain, secure. Your Skype-to-Skype calls, chats and other communications are end-to-end encrypted.
What sometimes happens is that after claiming this, we get asked "you say you're secure... so prove it". That's a valid question -- anyone can claim anything about their own product. We recognize that you want more assurance than our own word. So we commissioned a comprehensive external security review of Skype, focusing on its encryption methods.
We're happy to report that the work is now complete and you can [download the full report](http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf) from [Skype security center](http://www.skype.com/security) ([PGP signature](http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf.sig)). There's also an [executive summary](http://share.skype.com/images/stories/images/blog/products/2005-031%20security%20evaluation%20execsum.pdf) available. Note that while the full report was compiled by [Dr. Tom Berson](http://www.anagram.com/berson/index.html) from [Anagram Laboratories](http://www.anagram.com/), the summary is written in-house by Skype based on the full report.
In short, the conclusion of the report is that Skype uses standards-based methods and a sound design to secure its users, software and system, and does what it says -- it is secure. Of course, security is never "done", so security continues to be an important track in all Skype developments and operations.
Who are Tom Berson and Anagram anyway? In [their own words](http://www.anagram.com/):
> Anagram Laboratories is an information security consultancy based in Palo Alto, CA. Anagram was founded in 1986, back before information security was cool. Dr. Thomas A. Berson, Anagram's owner, has more than 35 years experience in cryptology and computer security.
Tom is a long-time veteran information security expert widely respected by his peers in the security industry. This is a standard method of doing this type of research -- you don't just want to get anyone "off the street" to do it for you because the name is unknown in the industry and the quality cannot be trusted. Our selection process for finding the right person and company to do the Skype security review started more than a year ago, and we're happy to have ended up working with Dr Berson.
As Skype and its software and services evolve, so does the need for security and similar reviews. This won't remain the last one, but we're happy to get our security review process off the ground with this report.





Comments
I travel to the Middle East for business and use Skype to keep in touch with family and friends in the UK and worldwide. Now the Middle East has always had problems with Skype and other VOIP applications because it removes revenue from the mainly government owned telcos. Some of these countries block the websites of VOIP companies to stop downloading software and recharging accounts, through the use of a country proxy. It seems that this may be stepping up a gear as I was reading a newspaper article recently in which one of these countries is purchasing software to actually block Skype calls and the reason cited was Skype's use of encryption. Is this something that Skype or any users are aware of in the Middle East or anywhere else in the world?
chrisvenemore | Monday, Feb 27
Hi everyone
I am new to this forum. Please excuse me if I am asking a question in the wrong place.
I have an unlocked SIP Phone and would like to use it with Skype. How can I configure it to work with Skype, if that is possible?
Appreciate any help
aaati@maktoob.com
abdulati123 | Wednesday, Mar 1
In an article on Phil Zimmermann, the New York Times reported that there are several security problems in Skype:
"But at a conference last week in Cyprus, German officials said they had technology for intercepting and decrypting Skype phone calls, according to Anthony M. Rutkowski, vice president for regulatory affairs and standards for VeriSign, a company that offers security for Internet and phone operations."
What is being done about these security problems?
mbizer | Monday, May 22
WATCH OUT; though the Skype encryption will leave third parties out of listening, it won't let out Skype or people Skype allows. Compare it to sending a letter that only postal services can open.
The security is nonexistent if users can't decide what encryption they want to use (i.e. make their own encryption), or if Skype has a specific function to remove the encryption (even if it's only meant for a small group).
No matter if you agree or disagree with the US political situation, your Skype call is only encrypted to some people.
twopeak | Monday, Jun 12
I have a question about the Skype security that I seem to be missing in the full report.
Tom Berson describes how the messages are being encrypted using the RSA algorithm and how private and public keys are created.
But what he fails to mention (correct me if I am wrong) is where the PRIVATE KEY is kept ...
It is all nice and clear except for the fact that I don't understand where the RSA private key that is used to decrypt messages is kept.
If Skype was secure as he confirms, the private key should be kept on the client's computer. But then, how is it possible that I can sign in from another computer without the private key that is supposedly kept on my home computer???
If it's kept on the server, then what good is it at identifying the person who is connecting?
I don't get this part at all. I am not trying to cause problems, I would like some technical person to explain this.
Thank you.
mailien_mrgreen | Wednesday, Sep 13
Several people on my list have been receiving phone calls. One phone number was exactly that, a phone number in my Contact list.
Kounetsu_X | Sunday, Nov 26
mailien_mrgreen, it is simply because the private key is generated in your computer each time you log in correctly. Therefore it doesn't matter where you are, as long as you know the right user/password combination.
Please research a little bit about encryption algorithms.
toronja.loca | Friday, Feb 22