Noted crypto expert performs detailed Skype vulnerability analysis
Those in the VoIP community who are critical of Skype are numerous in their number and loud in their derision of the utility as not secure.
With 35 years as a cryptographer, Tom Berson of Anagram Laboratories writes that he is "professonally skeptical about the security of almost anything, especially of a system which is as adept as Skype at getting through typical network defenses."
In April, 2005, Berson had already been a Skype user for eight months when the company asked him to perform a thorough analysis of the Skype cryptosystem.
Berson's 14-page report explores various exploitation scenarios, discusses which are feasible, and which are not. He considers such possibilities in light of the Skype Key Agreement Protocol, which forms the heart of Skype's key cryptography.
The expert explores just how vulnerable Skype is to man-in-the-middle, replay, password guessing, CRC checksum, side-channel, and ASN1 attacks.
Here's Berson's "Bottom Line" verdict:
"I started as a skeptic. I thought the system would be easy to defeat. However, my confidence in the Skype grows daily. The more I find out about it, the more I like."In 1998 I observed that cryptography was changing from expensive to cheap, from arcane to usual, from difficult to easy, from scarce to abundant. My colleagues and I tried to predict what difference, if any, abundant cryptography might make in the world. What new forms of engineering, business, economics, or society would be possible? We did not predict Skype. But, now that I am coming to know it well, I recognize that Skype is an early example of what abundant cryptography can yield.
"The designers of Skype did not hesitate to employ cryptography widely and well in order to establish a foundation of trust, authenticity, and confidentiality for their peer-to-peer services. The implementers of Skype implemented the cryptographic functions correctly and efficiently. As a result, the confidentiality of a Skype session is far greater than that offered by a wired or wireless telephone call or by email and email attachments.
"Beyond errors in the cryptosystem, I have also looked for back doors, Trojans, overreaching “debugging” facilities, etc. I did not find any hints of malware in the portions of the Skype code I reviewed."
If you are skeptical of Skype security, I suggest you read Berson's analysis. Then, why not come back here and TalkBack to us about whether his paper has changed your mind.