On 2/16/06, R. A. Hettinga <rah@shipwright.com> wrote:

... the fastest-growing technology for Internet calls appears to have the potential to make eavesdropping a thing of the past. ... Luxembourg-based Skype ... Skype keys are 256 bits long - twice as long as the 128-bit keys used to send credit card numbers over the Internet. The security is much more than doubled - in theory, Skype's 256-bit keys would take trillions of times longer to crack than 128-bit keys, which are themselves regarded as practically impossible to break by current means. ... Security experts are not completely convinced that Skype is as secure as it seems, because the company hasn't made its technology open to review. In the cryptographic community, opening software blueprints to outsiders who can point out errors is considered to be the safest way to go. Because of the complex mathematics involved, a properly designed cryptographic system can be unbreakable even if its method is known to outsiders. ... Kurt Sauer, Skype's chief security officer, ... said Skype "cooperates fully with all lawful requests from relevant authorities." He would not give particulars on the type of support provided. ... "What you and I are saying is much less important than the fact that you and I are talking," Schneier says. "Against traffic analysis, encryption is irrelevant."

yeah, better than nothing, but how far do you trust a faceless corp peddling closed source warez? (same goes for Google, etc. the recent announcement to make zPhone open source is a big win IMHO) i'd love to see a high order analysis of these 256bit nonces used for keying skype. use of entropy on windoze has traditionally been pretty poor. my favorite example to date: http://lcamtuf.coredump.cx/newtcp/ - "Strange Attractors and TCP/IP Sequence Number Analysis" p.s. speaking of google, can we all agree they are well on the path of evil? logging all chats? multiple computer search? glad i only use gmail for public comms...