UK Voice Crypto Standard Built For Key Escrow, Mass Surveillance

Trailrunner7 writes: The U.K. government's standard for encrypted voice communications, which already is in use in intelligence and other sectors and could be mandated for use in critical infrastructure applications, is set up to enable easy key escrow, according to new research. The standard is known as Secure Chorus, which implements an encryption protocol called MIKEY-SAKKE. The protocol was designed by GCHQ, the U.K.'s signals intelligence agency, the equivalent in many ways to the National Security Agency in the United States. MIKEY-SAKKE is designed for voice and video encryption specifically, and is an extension of the MIKEY (Multimedia Internet Keying) protocol, which supports the use of EDH (Ephemeral Diffie Hellman) for key exchange.

"MIKEY supports EDH but MIKEY-SAKKE works in a way much closer to email encryption. The initiator of a call generates key material, uses SAKKE to encrypt it to the other communication partner (responder), and sends this message to the responder during the set-up of the call. However, SAKKE does not require that the initiator discover the responder's public key because it uses identity-based encryption (IBE)," Dr. Steven Murdoch of University College London's Department of Computer Science, wrote in a new analysis of the security of the Secure Chorus standard. "By design there is always a third party who generates and distributes the private keys for all users. This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys," Murdoch said by email. He added that the design of Secure Chorus "is not an accident."

Instahack

[Citizen+of+Earth]

"By design there is always a third party who generates and distributes the private keys for all users. This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys,"

... and this third party is commonly known as Internet Hackers.

Re:Instahack

[Spazmania]

If a third party possesses your secret key, your communications are not secure. Period. Full stop.

Trust Us, We're the Government

[LilBlackKittie]

From TFA: "The claim that GCHQ make is that existing protocols do not support the necessary “scale and usability requirements”" ...just like Dual_EC_DRBG does not support the necessary "security" for a cryptographically secure pseudorandom number generator.

Re:Trust Us, We're the Government

[arglebargle_xiv]

This may be reading too much into the whole thing. IBE by design (there's no way to avoid this) relies on a third party to do the keygen for you. This isn't some evil key-escrow conspiracy, it's just the way IBE works. Academic cryptographers have had a hard-on for IBE for years, conveniently ignoring the fact that it has key escrow built in (I've had some pretty weird conversations with some of them over this, "it's not key escrow, lalalalalala, it's not key escrow").

The cited paper isn't necessarily an evil government key escrow paper, it's just another in a long string of "isn't IBE wonderful, it will solve all our problems" papers. I've seen the same thing come from academics at universities (over and over again, IBE is just so cool), the only thing that makes this one stand out is that it was published by someone with government affiliations so it's possible to turn it into an evil conspiracy.

The only redeeming feature of IBE is that it's so obviously academic wank that the industry has stayed away in droves. There have been a few experimental-status drafts put forward from the academics for inclusion in standards, but they've been largely ignored.

Re:Trust Us, We're the Government

[TechyImmigrant]

>The only redeeming feature of IBE is that it's so obviously academic wank that the industry has stayed away in droves.

Nope, some of us in industry have a turgid knob for IBE too. It solves specific problems exceedingly well. It provides a way to do key distribution amongst things you control while not having to trust the intervening infrastructure and not having to do as much computation at the endpoints.

The GCHQ M-S scheme has been around for a while. It's a well engineered IBE scheme compared to many of the schemes coming from academia. I certainly wouldn't use it when a third party was the KDC, but that's not what it's for. It was a contender for the key management in some standards that would be very widely deployed, but lost out to more conventional PKI schemes due to people being masochists for using things that have failed consistently in the past.

Oh. Now I see it.

[kheldan]

Is this what U.S. politicians want? Not 'backdoors' in encryption, but being the keyholders? You'd have to go through a government-run server to get encyption keys when setting up and secure connection, so that later (or in realtime) they can decrypt and listen in on the entire data stream? This would be as bad or worse than having a 'backdoor' because all you'd have to do is compromise the keyserver and you'd have all of the keys for everything -- or if you can destroy the keyserver, completely cripple communications for everyone all at once. All of these ideas are just disaster waiting to happen, and there's no damned good reason for it other than anal-retentive power-seeking-more-power politicians and their bullshit.

Re:Oh. Now I see it.

[phantomfive]

Is this what U.S. politicians want? Not 'backdoors' in encryption, but being the keyholders?

Politicians don't know what they want, most of them barely understand encryption.
However that seems to be what they are getting at when they say "backdoors," if not being a keyholder, at least being able to get the key.
Might as well add that this quote:

This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys,"

If a third party has the 'private' key, then it's not a private key. Two people can keep a secret if one of them is dead, etc

Sakke.

[sims+2]

So what you're saying is someone had a bit too much sake when designing this?

Not necessarily just for eavesdropping

[Scorpinox]

A step to making this secure is to generate private keys on the end-clients, verify the code to generate them does not also create an escrow key, and be vigilant from then on to only allow access to that private key with audited code.

But there's a usability problem with this: people suck at not losing things.

Lost your private key and need to check your email? You're out of luck. This is the sign of a good, secure system, but the average office person will at some point lose their key and be very pissed off that their account is impossibly unrecoverable.

So to appease the "careless," they backup/generate keys on a server. This has the unfortunate (or fortunate for them?) side effect of allowing undetectable key escrow. So they might be doing this to solve a legitimate usability problem, it just enables these other, probably bigger, problems.

I prefer the B.L.O.W.M.E. encryption standard

[Chas]

Sorry but this "compromised by design" shit has to go.

People need to use a strong, unbreakable encryption. Then, when the government comes sniffing around, they should be told to go sodomize a hippopotamus.

Re:I prefer the B.L.O.W.M.E. encryption standard

[wonkey_monkey]

Sorry but this "compromised by design" shit has to go.

People need to use a strong, unbreakable encryption.

People can do that. The story is about the UK government choosing how to encrypt its own communications.

Undetectable mass surveillance?

[AHuxley]

That is then offered to "allow companies to listen to their employees calls when investigating misconduct, such as in the financial industry"?
If the GCHQ wanted undetectable, just ensure the designs allowed in the UK are to the generations of usual tame and junk maths standards.
Then dont tell or allow anyone to publish on the existing, new or to be released standards.
Get any wider academic study out of the telco sector and replace it with tame UK professional academics with security backgrounds. Have them pump out vast numbers of complex papers to a waiting press to pass on the wholesomeness of UK crypto academics and advanced secure communications.
That would have covered the "Undetectable" part in a more realistic fashion. If junk crypto is been talked about as offering "companies to listen to their employees calls" people kind of understand the level of UK mass surveillance over all devices sold in the UK.

Why would anyone interesting ever talk about anything interesting on a UK connected network ever again?
The more people understand the UK gov is a party to all their private digital communications, the more they can revert to traditional methods of communications.
Does the UK have the overtime for 6-10 contractor or mil teams in shifts to watch every single interesting person 24/7 when they fail to turn on their gov ready phones everyday?
Drones, teams of cars and helicopters to track every meeting of 3 interesting people in a remote locations with no phones again?
What worked so well in Ireland needed a small army of very skilled teams watching a very small population. Do todays gov officials and contractors have the ability to fit in with the communities or will they be noticed?
As for "“scale and usability requirements" that would be more Tempora? https://en.wikipedia.org/wiki/...

Telling an entire nation they are under constant surveillance will change how they use a cell phone. Why would any gov tell them to change their habits?
Is the UK gov hoping to induce a trackable rush to VPN's and then track for people altering their cell phone habits as the information filters down the wider press?
That gives the UK give a short list of people who altered their habits but for the loss of their digital communications.
Time for a lot of ground teams in vans to make up for what the GCHQ got for "free" every generation?

Re:Fuck them all

[buu700]

Fuck them all

Well, except for Signal, Cyph, and maybe a few others from the EFF's list.