Phillip Zimmermann of PGP fame outlines the future for VoIP encryption. A few years ago it began with PGPPhone; now called zPhone. He's provides clarity on how to handle "man in the middle" attacks. His beta will be released at the end of February. This is definitely one to watch.

(Note, this was recorded on my iPod with iTalk, it is not meant to be IT Conversations. In a few weeks I'm sure many of these will be available there)

The Skype Forum is buzzing with commentary on Tom Berson's security white paper. Most of it from sidewalk superintendents. Here and here.

I thought I would find an industry specialist to talk with.

Please meet Michael Gough.

Security consultant, trainer, author.

Michael, what were your first thoughts when you read Tom Berson’s white paper on Skype Security?

“Nothing custom; nothing home grown. The fact that Skype followed industry best practices helped to ease my concerns and those in my field as to how Skype actually implemented their encryption scheme.”

Tell me about how secure the Skype encryption is?

“Skype uses 256-bit AES to encrypt every session between users. More important, this encryption changes each time you contact someone via IM, file transfer, or a voice call. So if some malicious person managed to capture all the data and managed to figure out your AES key, it would be worthless for the next call you make with Skype. Cracking the AES key would take someone roughly 20 years, so it’s not very probable. The U.S. Government uses AES to encrypt sensitive data, so it is considered secure enough for the available computing power we have available to us today."

Michael, on page 10 Tom mentions a problem in WEP, the security protocol for my wireless router. What is Tom referring to? Is my wireless Router not secure?

“No Bill, your wireless router does not give you much security! At least your Skype traffic flowing through your router is safe, but other traffic is not. To put the two systems –AES and WEP- in perspective: as I said earlier it would take about 20 years for someone to crack AES, however it would take only a few hours to a few days to crack WEP. Now remember that big security code you put in your router when you enable WEP. Well you need to change it every day to beat the bad guys! WEP’s got problems. That is why it has been replaced by WPA and other options."

“So you see, if the experts who worked on security for the IEEE 802.11 security protocol could implement this sort of hole it any wonder security professionals in corporate America are so worried about what some hacks in Estonia would create for a free voice on the net product. So Tom’s paper helps to clarify what they exactly did and how they do encryption.”

Michael, I have only talked to the handful of security people. They are all anal. They are all impossible to please. So you told me the good news; now fill me in on the bad news.

“Tom found some code issues, didn’t he? Well are they fixed yet? Where is the proof? How will Skype continue to test their security with third parties like Anagram Labs?” Security is an on going process and one security evaluation will not be enough to convince the biggest of security skeptics.”

Thanks Michael. I am sure you will hear from me again soon as we get more feedback from IT professionals on this white paper.

“Bill, I would add that it is safe to say "a company needs to look at their company security policies and how a company would use Skype, but in my professional opinion, the way Skype has implemented security and encryption should fulfill many companies requirements for a secure voice client solution. It all depends on how it will fit into your network infrastructure and fulfill their business needs for each particular company as far as how to use Skype effectively"

Michael is a Computer Security Consultant and delivers security consulting services to clients of a Fortune 50 Company where he works. Been at it 18 years. he also presents for his company at many trade shows, presenting at conferences working with associations and groups advising agencies like the FBI on Skype security and Center for Internet Security on wireless security. Michael knows Skype. He is the man behind the hot web sites www.SkypeTips.com and www.VideoCallTips.com and the main author for "Skype Me" by Syngress press. The book will be available in December and followed up with a Video Call book.

"Is Skype in China risking compromising their encryption and anonymity model?" so asks my Danish contact Torben Nyhuus after reading this article on Yahoo turning state's evidence:

Information supplied by Yahoo! helped journalist Shi Tao get 10 years in prison

It is an interesting question. The Skype Partner TOM does have a different version of Skype. H'mmmm...