UK Voice Crypto Standard Built For Key Escrow, Mass Surveillance

Trailrunner7 writes: The U.K. government's standard for encrypted voice communications, which already is in use in intelligence and other sectors and could be mandated for use in critical infrastructure applications, is set up to enable easy key escrow, according to new research. The standard is known as Secure Chorus, which implements an encryption protocol called MIKEY-SAKKE. The protocol was designed by GCHQ, the U.K.'s signals intelligence agency, the equivalent in many ways to the National Security Agency in the United States. MIKEY-SAKKE is designed for voice and video encryption specifically, and is an extension of the MIKEY (Multimedia Internet Keying) protocol, which supports the use of EDH (Ephemeral Diffie Hellman) for key exchange.

"MIKEY supports EDH but MIKEY-SAKKE works in a way much closer to email encryption. The initiator of a call generates key material, uses SAKKE to encrypt it to the other communication partner (responder), and sends this message to the responder during the set-up of the call. However, SAKKE does not require that the initiator discover the responder's public key because it uses identity-based encryption (IBE)," Dr. Steven Murdoch of University College London's Department of Computer Science, wrote in a new analysis of the security of the Secure Chorus standard. "By design there is always a third party who generates and distributes the private keys for all users. This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys," Murdoch said by email. He added that the design of Secure Chorus "is not an accident."

Instahack

[Citizen+of+Earth]

"By design there is always a third party who generates and distributes the private keys for all users. This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys,"

... and this third party is commonly known as Internet Hackers.

Re:Instahack

[Spazmania]

If a third party possesses your secret key, your communications are not secure. Period. Full stop.

Trust Us, We're the Government

[LilBlackKittie]

From TFA: "The claim that GCHQ make is that existing protocols do not support the necessary “scale and usability requirements”" ...just like Dual_EC_DRBG does not support the necessary "security" for a cryptographically secure pseudorandom number generator.

Re:Trust Us, We're the Government

[arglebargle_xiv]

This may be reading too much into the whole thing. IBE by design (there's no way to avoid this) relies on a third party to do the keygen for you. This isn't some evil key-escrow conspiracy, it's just the way IBE works. Academic cryptographers have had a hard-on for IBE for years, conveniently ignoring the fact that it has key escrow built in (I've had some pretty weird conversations with some of them over this, "it's not key escrow, lalalalalala, it's not key escrow").

The cited paper isn't necessarily an evil government key escrow paper, it's just another in a long string of "isn't IBE wonderful, it will solve all our problems" papers. I've seen the same thing come from academics at universities (over and over again, IBE is just so cool), the only thing that makes this one stand out is that it was published by someone with government affiliations so it's possible to turn it into an evil conspiracy.

The only redeeming feature of IBE is that it's so obviously academic wank that the industry has stayed away in droves. There have been a few experimental-status drafts put forward from the academics for inclusion in standards, but they've been largely ignored.

Re:Trust Us, We're the Government

[TechyImmigrant]

>The only redeeming feature of IBE is that it's so obviously academic wank that the industry has stayed away in droves.

Nope, some of us in industry have a turgid knob for IBE too. It solves specific problems exceedingly well. It provides a way to do key distribution amongst things you control while not having to trust the intervening infrastructure and not having to do as much computation at the endpoints.

The GCHQ M-S scheme has been around for a while. It's a well engineered IBE scheme compared to many of the schemes coming from academia. I certainly wouldn't use it when a third party was the KDC, but that's not what it's for. It was a contender for the key management in some standards that would be very widely deployed, but lost out to more conventional PKI schemes due to people being masochists for using things that have failed consistently in the past.

Oh. Now I see it.

[kheldan]

Is this what U.S. politicians want? Not 'backdoors' in encryption, but being the keyholders? You'd have to go through a government-run server to get encyption keys when setting up and secure connection, so that later (or in realtime) they can decrypt and listen in on the entire data stream? This would be as bad or worse than having a 'backdoor' because all you'd have to do is compromise the keyserver and you'd have all of the keys for everything -- or if you can destroy the keyserver, completely cripple communications for everyone all at once. All of these ideas are just disaster waiting to happen, and there's no damned good reason for it other than anal-retentive power-seeking-more-power politicians and their bullshit.

Re:Oh. Now I see it.

[phantomfive]

Is this what U.S. politicians want? Not 'backdoors' in encryption, but being the keyholders?

Politicians don't know what they want, most of them barely understand encryption.
However that seems to be what they are getting at when they say "backdoors," if not being a keyholder, at least being able to get the key.
Might as well add that this quote:

This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys,"

If a third party has the 'private' key, then it's not a private key. Two people can keep a secret if one of them is dead, etc