The company's security policy states that:

- Callers must present a username and password or another authentication credential.
- Each caller provides the other with proof of identity and privileges whenever a session is established. Each verifies the other's evidence before the session can carry messages.
- Messages transmitted between Skype users (with no PSTN users included) are encrypted from caller to caller. No intermediate node (router) has access to the meaning of these messages. This claim was undermined in May 2013 by evidence that Microsoft (owner of Skype) has pinged unique URLs embedded in a Skype conversation; this could only happen if Microsoft has access to the unencrypted form of these messages.

Implementation and protocols

Registration

Skype holds registration information both on the caller's computer and on a Skype server. Skype uses this information to authenticate call recipients and assure that callers seeking authentication access a Skype server rather than an impostor. Skype says that it uses public-key encryption as defined by RSA to accomplish this.

The Skype server has a private key and distributes that key's public counterpart with every copy of the software. As part of user registration, the user selects a desired username and password. Skype locally generates public and private keys. The private key and a password hash are stored on the user's computer.

Then a 256-bit AES-encrypted session is established with the Skype server. The client creates a session key using its random number generator.

The Skype server verifies that the selected username is unique and follows Skype's naming rules. The server stores the username and a hash of the user's password in its database.

The server now forms and signs an identity certificate for the username that binds the username, verification key, and key identifier.

For each call, Skype creates a session with a 256-bit session key. This session exists as long as communication continues and for a fixed time afterward. Skype securely transmits the session key to the call recipient as part of connecting a call. That session key is then used to encrypt messages in both directions.

All traffic in a session is encrypted using the AES algorithm running in Integer Counter Mode (ICM). Skype encrypts the current counter and salt with the session key using the 256-bit AES algorithm. This returns the keystream, which is then XORed with the message content. The ICM counter depends on the stream and the location within the stream.

Skype uses random numbers for several cryptographic purposes. Purposes include protection against playback attacks, creation of RSA key pairs, and creation of AES key-halves for content encryption. The security of a Skype peer-to-peer session depends significantly on the quality of the random numbers generated by both ends of the Skype session. Random number generation varies by the operating system.
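
The Integer Counter Mode encryption described on this page, as an added Go example that is not Skype's code and not part of the original article. The counter layout (8-byte salt, 4-byte stream id, 4-byte block index), the function names and the sample key and frames are assumptions; the example also checks what happens when key, salt and stream id all repeat.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// icmXOR encrypts or decrypts msg: AES-256 turns each counter block into
// keystream that is XORed with the content. The counter layout (salt, stream
// id, block index) is an assumption for illustration, not Skype's format.
func icmXOR(key []byte, salt [8]byte, stream uint32, msg []byte) []byte {
	c, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	var in, ks [aes.BlockSize]byte
	copy(in[:8], salt[:])
	binary.BigEndian.PutUint32(in[8:12], stream) // counter depends on the stream
	out := make([]byte, len(msg))
	for i := range msg {
		if i%aes.BlockSize == 0 { // and on the location within the stream
			binary.BigEndian.PutUint32(in[12:], uint32(i/aes.BlockSize))
			c.Encrypt(ks[:], in[:])
		}
		out[i] = msg[i] ^ ks[i%aes.BlockSize]
	}
	return out
}

// xorBytes XORs two equal-length byte slices.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)   // constructed; real keys come from a CSPRNG
	salt := [8]byte{1, 2, 3, 4, 5, 6, 7, 8} // constructed
	p1, p2 := []byte("constructed voice frame number one"), []byte("constructed voice frame number two")
	c1, c2 := icmXOR(key, salt, 1, p1), icmXOR(key, salt, 1, p2) // key, salt, stream all repeat
	c3 := icmXOR(key, salt, 2, p2)                               // distinct stream id
	fmt.Println("round trip:", bytes.Equal(icmXOR(key, salt, 1, c1), p1))
	fmt.Println("repeat exposes p1^p2:", bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2)))
	fmt.Println("distinct stream exposes p1^p2:", bytes.Equal(xorBytes(c1, c3), xorBytes(p1, p2)))
}
```

The second check prints true because a repeated key, salt and stream id produce the same keystream, which cancels when the two ciphertexts are XORed; this is why the uniqueness of the counter inputs and the quality of the session key's randomness both matter.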