VOIP, Skype and Security

One big problem holding back widespread implementation of VOIP is the lack of encryption for SIP-based VOIP solutions (including those provided by Vonage, local telephone companies and others). It is comforting to know that a third party security consultant has given a passing grade to Skype following a review of the Skype source code and encryption system.

Skype utilizes the AES cipher to encrypt each conversation. A new 256 bit key is utilized for every call – so even if the key for one conversation is discovered, it won’t be of much use for the next or for any previous conversations. The U.S. Government uses AES to encrypt sensitive data, so it is considered secure enough even the available computing power we have available to us today.

The full report is available here and further information is available at Skype Journal. It should be noted that while this one consultant was given access to the source code, Skype does not make its source code available to the general public and so an element of trust is still required.