UK Voice Crypto Standard Built For Key Escrow, Mass Surveillance

Trailrunner7 writes: The U.K. government's standard for encrypted voice communications, which already is in use in intelligence and other sectors and could be mandated for use in critical infrastructure applications, is set up to enable easy key escrow, according to new research. The standard is known as Secure Chorus, which implements an encryption protocol called MIKEY-SAKKE. The protocol was designed by GCHQ, the U.K.'s signals intelligence agency, the equivalent in many ways to the National Security Agency in the United States. MIKEY-SAKKE is designed for voice and video encryption specifically, and is an extension of the MIKEY (Multimedia Internet Keying) protocol, which supports the use of EDH (Ephemeral Diffie Hellman) for key exchange.

"MIKEY supports EDH but MIKEY-SAKKE works in a way much closer to email encryption. The initiator of a call generates key material, uses SAKKE to encrypt it to the other communication partner (responder), and sends this message to the responder during the set-up of the call. However, SAKKE does not require that the initiator discover the responder's public key because it uses identity-based encryption (IBE)," Dr. Steven Murdoch of University College London's Department of Computer Science, wrote in a new analysis of the security of the Secure Chorus standard. "By design there is always a third party who generates and distributes the private keys for all users. This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys," Murdoch said by email. He added that the design of Secure Chorus "is not an accident."

Instahack

[Citizen+of+Earth]

"By design there is always a third party who generates and distributes the private keys for all users. This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys,"

... and this third party is commonly known as Internet Hackers.

Re:Instahack

[Spazmania]

If a third party possesses your secret key, your communications are not secure. Period. Full stop.

Re:Instahack

[Shortguy881]

Unless you're a politician. Then you can just redefine the word encryption and now even my http packets look encrypted.

Trust Us, We're the Government

[LilBlackKittie]

From TFA: "The claim that GCHQ make is that existing protocols do not support the necessary “scale and usability requirements”" ...just like Dual_EC_DRBG does not support the necessary "security" for a cryptographically secure pseudorandom number generator.

Re:Trust Us, We're the Government

[arglebargle_xiv]

This may be reading too much into the whole thing. IBE by design (there's no way to avoid this) relies on a third party to do the keygen for you. This isn't some evil key-escrow conspiracy, it's just the way IBE works. Academic cryptographers have had a hard-on for IBE for years, conveniently ignoring the fact that it has key escrow built in (I've had some pretty weird conversations with some of them over this, "it's not key escrow, lalalalalala, it's not key escrow").

The cited paper isn't necessarily an evil government key escrow paper, it's just another in a long string of "isn't IBE wonderful, it will solve all our problems" papers. I've seen the same thing come from academics at universities (over and over again, IBE is just so cool), the only thing that makes this one stand out is that it was published by someone with government affiliations so it's possible to turn it into an evil conspiracy.

The only redeeming feature of IBE is that it's so obviously academic wank that the industry has stayed away in droves. There have been a few experimental-status drafts put forward from the academics for inclusion in standards, but they've been largely ignored.

Re:Trust Us, We're the Government

[flopsquad]

Were this to become some sort of widespread UK voice encryption protocol, could people still encrypt the underlying communication with the method of their choosing and have this just be an additional wrapper?

Re:Trust Us, We're the Government

[arglebargle_xiv]

Sure, you can always user superencryption.

Given the ongoing failure to launch of IBE, and the UK government's long track record of not being able to make something like this work, going back to Red Pike twenty years ago, I don't think there's much to be concerned about. Pushing this through would be like the NPfIT/Connecting for Health, but not as simple, cheap, and straightforward.

Re:Trust Us, We're the Government

[tnk1]

They need a standard that law enforcement can use in a court of law. Hacking firmware and colluding with corporations may or may not be happening, but it is almost certainly not going to be a capability that they want to advertise or even admit to in open court, even if they can get the court to admit it as evidence.

Yes, the existing spy agencies can alert the police to start investigations which can use parallel construction to generate a prosecution, but the police don't want to do this all the time, and probably don't have access to most of the data in the first place. They want a "phone tap" whose incriminating recording they can get a warrant for and then play in open court. Until they can break encryption via a legal, public protocol, they have no direct method of making a successful tap on that line which can be used for that purpose.

Re:Trust Us, We're the Government

[TechyImmigrant]

>The only redeeming feature of IBE is that it's so obviously academic wank that the industry has stayed away in droves.

Nope, some of us in industry have a turgid knob for IBE too. It solves specific problems exceedingly well. It provides a way to do key distribution amongst things you control while not having to trust the intervening infrastructure and not having to do as much computation at the endpoints.

The GCHQ M-S scheme has been around for a while. It's a well engineered IBE scheme compared to many of the schemes coming from academia. I certainly wouldn't use it when a third party was the KDC, but that's not what it's for. It was a contender for the key management in some standards that would be very widely deployed, but lost out to more conventional PKI schemes due to people being masochists for using things that have failed consistently in the past.

Re:Trust Us, We're the Government

[rtb61]

The firmware hacking is not permanent but simply used to punch a hole into the system, once the system has been compromised the firmware hack is removed so as to limit exposure. Very few people would notice the change in bios load times and thus notice entry, penetration and removal. I suppose at least they tidy up after themselves not for the targets benefit but of course to limit hack exposure which can only happen with corporate cooperation (so the likes of say Dell or M$ quite simply can no longer be considered trusted suppliers and outside of the US they could be considered criminal enterprises for willingly participating in espionage activities for profit).

Re: Trust Us, We're the Government

[Dr_Barnowl]

Incidentally, the NPfIT encryption guidelines were written by GCHQ and surprise, surprise, include key escrow. Why any doctor would want to use a system which can forge his signature on medical records is beyond me.

Re:Trust Us, We're the Government

[shortscruffydave]

They need a standard that law enforcement can use in a court of law. Hacking firmware and colluding with corporations may or may not be happening, but it is almost certainly not going to be a capability that they want to advertise or even admit to in open court, even if they can get the court to admit it as evidence.

It doesn't have to be an open court. I'm not sure about elsewhere but here in the UK a case can be heard in a closed court if it's felt that it will cover material which shouldn't be made public

Re:Trust Us, We're the Government

[RockDoctor]

IF IBE is so obviously flawed, but it is being deployed for the use of hogh profile and high value targets, then this makes it a highly desirable target for hacking.

No?

Re:Trust Us, We're the Government

[tnk1]

True, but that limits the scope of what you can try someone for. Although they're making inroads towards making jaywalking while talking on a cell phone a National Security issue, they haven't quite gotten there yet.

Seriously, though, most judges will question the need for a closed court unless there is a very serious reason. Terrorism is one of those reasons, but again local cops don't have that sort of clout. They simply want to do wire taps again and encryption prevents this unless they have the keys or can get them with a warrant.

Oh. Now I see it.

[kheldan]

Is this what U.S. politicians want? Not 'backdoors' in encryption, but being the keyholders? You'd have to go through a government-run server to get encyption keys when setting up and secure connection, so that later (or in realtime) they can decrypt and listen in on the entire data stream? This would be as bad or worse than having a 'backdoor' because all you'd have to do is compromise the keyserver and you'd have all of the keys for everything -- or if you can destroy the keyserver, completely cripple communications for everyone all at once. All of these ideas are just disaster waiting to happen, and there's no damned good reason for it other than anal-retentive power-seeking-more-power politicians and their bullshit.

Re:Oh. Now I see it.

[wonkey_monkey]

You'd have to go through a government-run server...

No, you wouldn't. Unless you do critical work for the UK government.

Re:Oh. Now I see it.

Oh, so to spy on the UK government, all that's needed is to compromise the escrow server?

Also, who's to say that this "standard" won't be extended to the rest of the population. Telcos may not be able to serve british subjects without mandating this protocol on all their devices and their networks..

Re:Oh. Now I see it.

[phantomfive]

Is this what U.S. politicians want? Not 'backdoors' in encryption, but being the keyholders?

Politicians don't know what they want, most of them barely understand encryption.
However that seems to be what they are getting at when they say "backdoors," if not being a keyholder, at least being able to get the key.
Might as well add that this quote:

This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys,"

If a third party has the 'private' key, then it's not a private key. Two people can keep a secret if one of them is dead, etc

Re:Oh. Now I see it.

[wonkey_monkey]

Telcos may not be able to serve british subjects without mandating this protocol on all their devices and their networks..

If that happened, anyone who wants to use some other form of encryption can arrange it themselves.

Re:Oh. Now I see it.

[bsolar]

They know perfectly well what they want: what they don't know (or don't understand or don't care about) is how to technically achieve it and which consequences it would bring.

Re:Oh. Now I see it.

[kheldan]

Friend, I specifically said U.S. Politicians; I see in this story a possible way that they could get what they want, disaster-in-the-making or not.

Re:Oh. Now I see it.

[tnk1]

I don't like this protocol, but to be honest, this is no worse than when the cops could listen in on phone conversations directly via wire tap. Your privacy is not really impaired any more than it would have been in the past. There are other ways to communicate securely other than via voice and there are techniques that spies and organized criminals have used for decades to communicate under the expectation of a phone tap.

Re:Oh. Now I see it.

[kheldan]

There are other ways to communicate securely other than via voice and there are techniques that spies and organized criminals have used for decades to communicate under the expectation of a phone tap.

See, that's the point I've been making all along whenever this 'backdoor' subject comes up with regards to here in the U.S.: They'd compromise encryption for their so-called 'backdoors', essentially destroying it's usefulness, but the very people they're trying to catch (criminals and terrorists) won't be affected at all because they'll use their own encryption (which they won't be able to break any more than they can break what we have now that isn't compromised), or they'll use more traditional methods of obfuscation and evasion. Meanwhile, criminals and terrorists will very shortly thereafter be able to vicitimize everyone else with vastly improved efficiency because they'll get access to the 'backdoor' themselves, it's inevitable. I'm reaching the point where I must conclude that even politicians can't be this stupid, there must be an ulterior motive, namely just another power-grab.

Sakke.

[sims+2]

So what you're saying is someone had a bit too much sake when designing this?

Not necessarily just for eavesdropping

[Scorpinox]

A step to making this secure is to generate private keys on the end-clients, verify the code to generate them does not also create an escrow key, and be vigilant from then on to only allow access to that private key with audited code.

But there's a usability problem with this: people suck at not losing things.

Lost your private key and need to check your email? You're out of luck. This is the sign of a good, secure system, but the average office person will at some point lose their key and be very pissed off that their account is impossibly unrecoverable.

So to appease the "careless," they backup/generate keys on a server. This has the unfortunate (or fortunate for them?) side effect of allowing undetectable key escrow. So they might be doing this to solve a legitimate usability problem, it just enables these other, probably bigger, problems.

I prefer the B.L.O.W.M.E. encryption standard

[Chas]

Sorry but this "compromised by design" shit has to go.

People need to use a strong, unbreakable encryption. Then, when the government comes sniffing around, they should be told to go sodomize a hippopotamus.

Re:I prefer the B.L.O.W.M.E. encryption standard

[wonkey_monkey]

Sorry but this "compromised by design" shit has to go.

People need to use a strong, unbreakable encryption.

People can do that. The story is about the UK government choosing how to encrypt its own communications.

Re:I prefer the B.L.O.W.M.E. encryption standard

[Chas]

If you think it'll stay there, you're naive.

Re:Skipping the Sake Joke

[amiga3D]

They gargle it and then let it dribble down their chin.

same all over - perverts

[dltaylor]

"Security" goons are pretty much the same all over; they don't care if you are ripped off, kidnapped, raped, or murdered, as long as they get to watch, so they have no problem creating ways for (other) criminals to get into whatever security you might want to use to protect yourself.

Not Quite

[ThatsNotPudding]

there's no damned good reason for it other than anal-retentive power-seeking-more-power politicians and their bullshit.

Worse than politicians: the un-elected spooks that desire total control (instead of their near-total control of today).

Towards the end of his reign of terror, even sitting Presidents were scared of crossing J Edgar Hoover due to his decades of collecting dirt on damn near everyone.

In comparison, this current round of jackals make J look like cross-dressing comic relief.

Undetectable mass surveillance?

[AHuxley]

That is then offered to "allow companies to listen to their employees calls when investigating misconduct, such as in the financial industry"?
If the GCHQ wanted undetectable, just ensure the designs allowed in the UK are to the generations of usual tame and junk maths standards.
Then dont tell or allow anyone to publish on the existing, new or to be released standards.
Get any wider academic study out of the telco sector and replace it with tame UK professional academics with security backgrounds. Have them pump out vast numbers of complex papers to a waiting press to pass on the wholesomeness of UK crypto academics and advanced secure communications.
That would have covered the "Undetectable" part in a more realistic fashion. If junk crypto is been talked about as offering "companies to listen to their employees calls" people kind of understand the level of UK mass surveillance over all devices sold in the UK.

Why would anyone interesting ever talk about anything interesting on a UK connected network ever again?
The more people understand the UK gov is a party to all their private digital communications, the more they can revert to traditional methods of communications.
Does the UK have the overtime for 6-10 contractor or mil teams in shifts to watch every single interesting person 24/7 when they fail to turn on their gov ready phones everyday?
Drones, teams of cars and helicopters to track every meeting of 3 interesting people in a remote locations with no phones again?
What worked so well in Ireland needed a small army of very skilled teams watching a very small population. Do todays gov officials and contractors have the ability to fit in with the communities or will they be noticed?
As for "“scale and usability requirements" that would be more Tempora? https://en.wikipedia.org/wiki/...

Telling an entire nation they are under constant surveillance will change how they use a cell phone. Why would any gov tell them to change their habits?
Is the UK gov hoping to induce a trackable rush to VPN's and then track for people altering their cell phone habits as the information filters down the wider press?
That gives the UK give a short list of people who altered their habits but for the loss of their digital communications.
Time for a lot of ground teams in vans to make up for what the GCHQ got for "free" every generation?

Re:Fuck them all

[buu700]

Fuck them all

Well, except for Signal, Cyph, and maybe a few others from the EFF's list.

Nothing new, and perfectly fine

Nothing to see here, move along. This isn't some protocol designed for widespread use by the general public (in which case the central private key repository would obviously be unacceptable). This is a protocol designed to secure communications between people working for the government (either directly or as a supplier) on critical infrastructure applications. The government already has an effective system for managing cryptographic material which, if it fell into the wrong hands, would allow access to all manner of sensitive information. I see no reason why these keys should be any different.

I stopped reading at...

[hughbar]

The protocol was designed by GCHQ, the U.K.'s signals intelligence agency,

as a Brit, living comfortably and peacefully in the London suburbs, I'm tired of this shit. It's not saving lives or preventing terror either, do you think any reasonably intelligent terrorist will think, I need to talk to my mates, ok MIKEY-SAKKE is my 'go-to' tool?

Re:I stopped reading at...

[wonkey_monkey]

do you think any reasonably intelligent terrorist will think, I need to talk to my mates, ok MIKEY-SAKKE is my 'go-to' tool?

No, and neither does the government. The "mass surveillance!!!11!" hyperbole of the headline notwithstanding, this is just the government implementing the encryption for their own communications.

Re:We need communism now!

[Shortguy881]

You do realize the US is more a socialist oligarchy than a capitalist society, right? Further more, communism suffers from the same fatal flaw as capitalism, corruption.

One of the more frightening....

[jwarsher77]

"The most terrifying words in the English language are: I'm from the government and I'm here to help." - Ronald Reagan Trust us, we know what is best.