UK Voice Crypto Standard Built For Key Escrow, Mass Surveillance

Trailrunner7 writes: The U.K. government's standard for encrypted voice communications, which already is in use in intelligence and other sectors and could be mandated for use in critical infrastructure applications, is set up to enable easy key escrow, according to new research. The standard is known as Secure Chorus, which implements an encryption protocol called MIKEY-SAKKE. The protocol was designed by GCHQ, the U.K.'s signals intelligence agency, the equivalent in many ways to the National Security Agency in the United States. MIKEY-SAKKE is designed for voice and video encryption specifically, and is an extension of the MIKEY (Multimedia Internet Keying) protocol, which supports the use of EDH (Ephemeral Diffie Hellman) for key exchange.

"MIKEY supports EDH but MIKEY-SAKKE works in a way much closer to email encryption. The initiator of a call generates key material, uses SAKKE to encrypt it to the other communication partner (responder), and sends this message to the responder during the set-up of the call. However, SAKKE does not require that the initiator discover the responder's public key because it uses identity-based encryption (IBE)," Dr. Steven Murdoch of University College London's Department of Computer Science, wrote in a new analysis of the security of the Secure Chorus standard. "By design there is always a third party who generates and distributes the private keys for all users. This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys," Murdoch said by email. He added that the design of Secure Chorus "is not an accident."

Not necessarily just for eavesdropping

[Scorpinox]

A step to making this secure is to generate private keys on the end-clients, verify the code to generate them does not also create an escrow key, and be vigilant from then on to only allow access to that private key with audited code.

But there's a usability problem with this: people suck at not losing things.

Lost your private key and need to check your email? You're out of luck. This is the sign of a good, secure system, but the average office person will at some point lose their key and be very pissed off that their account is impossibly unrecoverable.

So to appease the "careless," they backup/generate keys on a server. This has the unfortunate (or fortunate for them?) side effect of allowing undetectable key escrow. So they might be doing this to solve a legitimate usability problem, it just enables these other, probably bigger, problems.

Re:Trust Us, We're the Government

[TechyImmigrant]

>The only redeeming feature of IBE is that it's so obviously academic wank that the industry has stayed away in droves.

Nope, some of us in industry have a turgid knob for IBE too. It solves specific problems exceedingly well. It provides a way to do key distribution amongst things you control while not having to trust the intervening infrastructure and not having to do as much computation at the endpoints.

The GCHQ M-S scheme has been around for a while. It's a well engineered IBE scheme compared to many of the schemes coming from academia. I certainly wouldn't use it when a third party was the KDC, but that's not what it's for. It was a contender for the key management in some standards that would be very widely deployed, but lost out to more conventional PKI schemes due to people being masochists for using things that have failed consistently in the past.