Encryption
Skype uses 256-bit AES (Advanced Encryption Standard) encryption and 1024 bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates.
This would mean, that every user has it's own private key. If the key generation algorithm is reliable, the key strength is high enough and the key is protected, one could actually consider Skype secure. However, the opposite was reported, so at least one of these points is not given.
http://www.reddit.com/r/technology/comments/cn4gn/skypes_obfuscated_rc4_algorithm_was_leaked_so_its/
It is not all security by obscurity of course. There is plenty of good cryptography in Skype. Most of it is implemented properly too. There are seven types of communication encryption in Skype: its servers use AES-256, the supernodes and clients use three types of RC4 encryption - the old TCP RC4, the old UDP RC4 and the new DH-384 based TCP RC4, while the clients also use AES-256 on top of RC4. It all is quite complicated, but we’ve mastered it all. If you want to know more, come to Berlin for 27C3 to hear all the juicy details on how to use this function to decrypt Skype traffic.
- every node (client) has it's own private key
- the corresponding public key is distributed across the network to enable encrypted conversation with this node (?)
- the public key needs to be signed by Skype CA (to prevent MITM attacks)
- conversations are encrypted using a 256-bit AES symmetric key
- both sides use the same for encryption during one conversation
- the key is negotiated shortly before a conversation, by encrypted packet exchange:
- each side computes a 128-bit nonce
- repeats it to 1024-bit (8x)
- encrypts it using the other side's public RSA key and sends it
- the RSA key must be signed by Skype CA
- this way both sides have a 128-bit nonce of their own and one from the other side, which enables 256-bit AES (a rather weak encryption, but at least there is some)