UK Voice Crypto Standard Built For Key Escrow, Mass Surveillance

Trailrunner7 writes: The U.K. government's standard for encrypted voice communications, which already is in use in intelligence and other sectors and could be mandated for use in critical infrastructure applications, is set up to enable easy key escrow, according to new research. The standard is known as Secure Chorus, which implements an encryption protocol called MIKEY-SAKKE. The protocol was designed by GCHQ, the U.K.'s signals intelligence agency, the equivalent in many ways to the National Security Agency in the United States. MIKEY-SAKKE is designed for voice and video encryption specifically, and is an extension of the MIKEY (Multimedia Internet Keying) protocol, which supports the use of EDH (Ephemeral Diffie Hellman) for key exchange.

"MIKEY supports EDH but MIKEY-SAKKE works in a way much closer to email encryption. The initiator of a call generates key material, uses SAKKE to encrypt it to the other communication partner (responder), and sends this message to the responder during the set-up of the call. However, SAKKE does not require that the initiator discover the responder's public key because it uses identity-based encryption (IBE)," Dr. Steven Murdoch of University College London's Department of Computer Science, wrote in a new analysis of the security of the Secure Chorus standard. "By design there is always a third party who generates and distributes the private keys for all users. This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys," Murdoch said by email. He added that the design of Secure Chorus "is not an accident."

Instahack

[Citizen+of+Earth]

"By design there is always a third party who generates and distributes the private keys for all users. This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys,"

... and this third party is commonly known as Internet Hackers.

Re:Instahack

[Spazmania]

If a third party possesses your secret key, your communications are not secure. Period. Full stop.

Oh. Now I see it.

[kheldan]

Is this what U.S. politicians want? Not 'backdoors' in encryption, but being the keyholders? You'd have to go through a government-run server to get encyption keys when setting up and secure connection, so that later (or in realtime) they can decrypt and listen in on the entire data stream? This would be as bad or worse than having a 'backdoor' because all you'd have to do is compromise the keyserver and you'd have all of the keys for everything -- or if you can destroy the keyserver, completely cripple communications for everyone all at once. All of these ideas are just disaster waiting to happen, and there's no damned good reason for it other than anal-retentive power-seeking-more-power politicians and their bullshit.

Re:Oh. Now I see it.

[phantomfive]

Is this what U.S. politicians want? Not 'backdoors' in encryption, but being the keyholders?

Politicians don't know what they want, most of them barely understand encryption.
However that seems to be what they are getting at when they say "backdoors," if not being a keyholder, at least being able to get the key.
Might as well add that this quote:

This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys,"

If a third party has the 'private' key, then it's not a private key. Two people can keep a secret if one of them is dead, etc