[2][3] User public keys are certified by the Skype server at login with 1536-bit or 2048-bit RSA certificates.
This session exists as long as communication continues and for a fixed time afterward.
Skype encrypts the current counter and salt with the session key using the 256-bit AES algorithm.
Because an Identity Certificate contains a public key, each end can then confirm signatures created by the other peer.
In many cases, a simple request for information is sufficient, with no court approval needed.
This ability was deliberately added by Microsoft for law enforcement agencies around the world after the company purchased Skype in 2011.
[11][12][13] While Skype encrypts users' sessions, other traffic, including call initiation, can be monitored by unauthorized parties.
The other side of security is whether Skype imposes risk on its users' computers and networks.
It allowed the attacker to use a buffer overflow to crash the system or to force it to execute arbitrary code.
The second security bug affected all platforms; it used a heap-based buffer overflow to make the system vulnerable.