As everybody knows, security is the top concern when choosing an IM/P2P application. As described in my post Top Ten Concerns to Skype, many uncertainties make a number of enterprise IT managers and professionals hesitate to use Skype. Two days ago, Skype published a security whitepaper to address these security concerns; for the full version, click here.
The designers of Skype did not hesitate to employ cryptography widely and well in order to establish a foundation of trust, authenticity, and confidentiality for their peer-to-peer services. The implementers of Skype implemented the cryptographic functions correctly and efficiently. As a result, the confidentiality of a Skype session is far greater than that offered by a wired or wireless telephone call or by email and email attachments.
Beyond errors in the cryptosystem, I have also looked for back doors, Trojans, overreaching “debugging” facilities, etc. I did not find any hints of malware in the portions of the Skype code I reviewed.
The whitepaper does not seem to be an official publication; rather, it is written from an independent investigator/researcher perspective. It mainly covers which cryptographic algorithms are used in Skype, how private/public keys are exchanged between communicating parties, and how Skype defends against cryptographic attacks, while it doesn't address other concerns of telecom operators and enterprise IT managers, for instance how to identify, control, and audit Skype clients and their usage. I am afraid that it will only help persuade individual professionals to trust Skype.
Other important papers on Skype security include:
- “An Analysis of the Skype Peer-to-Peer Internet Telephony protocol”, by Salman A. Baset and Henning Schulzrinne, click to download.
- “VoIP and Skype Security”, by Simson L. Garfinkel, click to download.