Skype, the internet calling service recently acquired by eBay Inc, provides free voice calls and instant messaging between users.
Unlike other internet voice services, Skype calls are encrypted – encoded using complex mathematical operations. That apparently makes them impossible to snoop on, though the company leaves the issue somewhat open to question.
Skype is certainly not the first application for encrypted communications on the internet. Secure e-mail and instant messaging programs have been available for years at little or no cost.
But to a large extent, internet users have not felt a need for privacy that outweighed the extra effort needed to use encryption. In particular, e-mail programs such as Pretty Good Privacy have been considered too cumbersome by many.
And because such applications have had limited popularity, their mere use can draw attention. With Skype, however, criminals, terrorists and other people who really want to keep their communications private are indistinguishable from those who just want to call their mothers.
“Skype became popular not because it was secure, but because it was easy to use,” said Bruce Schneier, chief technology officer at Counterpane Internet Security Inc.
A well-designed cryptographic
Luxembourg-based Skype was founded by the Swedish and Estonian entrepreneurs who created the Kazaa file-sharing network, which has been the subject of several court actions by the music industry.
Skype calls whip around the internet encrypted with “keys”, which essentially are very long numbers. Skype keys are 256 bits long – twice as long as the 128-bit keys used to send credit card numbers over the Internet.
The security is much more than doubled – in theory, Skype’s 256-bit keys would take trillions of times longer to crack than 128-bit keys, which are themselves regarded as practically impossible to break by current means.
“It is a pretty secure form of communication, which if you’re talking to your mistress you really appreciate, but if al-Qaida is talking over Skype you have probably a different view,” said Monty Bannerman, chief executive of Verso Technologies Inc.
His company makes equipment for internet service providers, including software that can identify and block Skype calls.
Security experts are not completely convinced that Skype is as secure as it seems, because the company hasn’t made its technology open to review. In the cryptographic community, opening software blueprints to outsiders who can point out errors is considered to be the safest way to go.
Because of the complex mathematics involved, a properly designed cryptographic system can be unbreakable even if its method is known to outsiders.
Free PC-to-PC calls and instant
But according to Schneier, if Skype’s encryption is weaker than believed, it still would stymie the kind of broad eavesdropping that the National Security Agency is reputed to be performing, in which it scans thousands or millions of calls at a time for certain phrases.
Even a weakly encrypted call would force an eavesdropper to spend hours of computer time cracking it.
Kurt Sauer, Skype’s chief security officer, said there are no “back doors” that could let a government bypass the encryption on a call. At the same time, he said Skype “cooperates fully with all lawful requests from relevant authorities.” He would not give particulars on the type of support provided.
The US Justice Department did not respond to questions about its views on Skype’s encryption.
Verso’s Bannerman notes that Skype calls are decrypted if they enter the traditional telephone network to communicate with regular phones, so a conversation could be intercepted there. Skype does not reveal how many of its calls run on the phone network.
“There are other ways of getting at the conversation than brute-force decryption of the hacking,” Bannerman said.
Schneier believes that eavesdropping on the content of calls is not as important to the NSA as tracking the calls, which is still possible with Skype.
For instance, if a particular account were associated with a terrorist or criminal, it would be possible to identify his conversation partners.
“What you and I are saying is much less important than the fact that you and I are talking,” Schneier says.
“Against traffic analysis, encryption is irrelevant.“