Skype Addresses Vulnerabilities
Opinion: The VOIP provider promotes its security only to be hit with reports of high-risk flaws in its software.
Poor Skype. They started out last week with the best of intentions, releasing what they called an independent security evaluation of their VOIP product, and ended up with egg on their virtual faces as high-risk security vulnerabilities came to light. Skype, based in Luxembourg, has positioned its VOIP product as superior to anyone else's in the field because the voice data is encrypted. Since Skype hasn't made its encryption scheme public, this has led to some questions on just how secure it is (and how much of a CALEA backdoor was built in).
The author of the report, Tom Berson of Anagram Labs, is well respected in the security field and would seem to be a good choice to author such a reassuring effort. Berson's report was just short of effusive about Skype's security, citing their use of cryptographic primitives like "the AES block cipher, the RSA public-key cryptosystem, the ISO 9796-2 signature padding scheme, the SHA-1 hash function, and the RC4 stream cipher. I looked at the Skype implementation of each of these, and verified that each implementation conforms to its standard and interoperates with reference implementations."
But upon further examination, there were lots of specifics to quibble about. For instance, the RSA crypto in Skype uses a 1024-bit key. There has been much recent work in the crypto field on the relative ease of breaking such a key. This does not engender trust.