UK Voice Crypto Standard Built For Key Escrow, Mass Surveillance (benthamsgaze.org) 66
Trailrunner7 writes: The U.K. government's standard for encrypted voice communications, which already is in use in intelligence and other sectors and could be mandated for use in critical infrastructure applications, is set up to enable easy key escrow, according to new research. The standard is known as Secure Chorus, which implements an encryption protocol called MIKEY-SAKKE. The protocol was designed by GCHQ, the U.K.'s signals intelligence agency, the equivalent in many ways to the National Security Agency in the United States. MIKEY-SAKKE is designed for voice and video encryption specifically, and is an extension of the MIKEY (Multimedia Internet Keying) protocol, which supports the use of EDH (Ephemeral Diffie Hellman) for key exchange.
"MIKEY supports EDH but MIKEY-SAKKE works in a way much closer to email encryption. The initiator of a call generates key material, uses SAKKE to encrypt it to the other communication partner (responder), and sends this message to the responder during the set-up of the call. However, SAKKE does not require that the initiator discover the responder's public key because it uses identity-based encryption (IBE)," Dr. Steven Murdoch of University College London's Department of Computer Science, wrote in a new analysis of the security of the Secure Chorus standard. "By design there is always a third party who generates and distributes the private keys for all users. This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys," Murdoch said by email. He added that the design of Secure Chorus "is not an accident."
"MIKEY supports EDH but MIKEY-SAKKE works in a way much closer to email encryption. The initiator of a call generates key material, uses SAKKE to encrypt it to the other communication partner (responder), and sends this message to the responder during the set-up of the call. However, SAKKE does not require that the initiator discover the responder's public key because it uses identity-based encryption (IBE)," Dr. Steven Murdoch of University College London's Department of Computer Science, wrote in a new analysis of the security of the Secure Chorus standard. "By design there is always a third party who generates and distributes the private keys for all users. This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys," Murdoch said by email. He added that the design of Secure Chorus "is not an accident."
Re: (Score:2)
Well, except for Signal [whispersystems.org], Cyph [cyph.im], and maybe a few others from the EFF's list [eff.org].
Re: (Score:2)
Instahack (Score:5, Insightful)
... and this third party is commonly known as Internet Hackers.
Re:Instahack (Score:5, Insightful)
If a third party possesses your secret key, your communications are not secure. Period. Full stop.
Re: (Score:2)
Trust Us, We're the Government (Score:5, Funny)
Re:Trust Us, We're the Government (Score:5, Informative)
This may be reading too much into the whole thing. IBE by design (there's no way to avoid this) relies on a third party to do the keygen for you. This isn't some evil key-escrow conspiracy, it's just the way IBE works. Academic cryptographers have had a hard-on for IBE for years, conveniently ignoring the fact that it has key escrow built in (I've had some pretty weird conversations with some of them over this, "it's not key escrow, lalalalalala, it's not key escrow").
The cited paper isn't necessarily an evil government key escrow paper, it's just another in a long string of "isn't IBE wonderful, it will solve all our problems" papers. I've seen the same thing come from academics at universities (over and over again, IBE is just so cool), the only thing that makes this one stand out is that it was published by someone with government affiliations so it's possible to turn it into an evil conspiracy.
The only redeeming feature of IBE is that it's so obviously academic wank that the industry has stayed away in droves. There have been a few experimental-status drafts put forward from the academics for inclusion in standards, but they've been largely ignored.
Re: (Score:1)
This actually all smells of mis-information. They seem to want to put out the idea that they need this in order to intercept communications, they need to get in the encryption chain. I think they have already pushed past that with corporate support from manufacturers and operating system companies. They are hacking the firmware, getting at the information prior to it being encrypted and sending out two data streams, one to themselves and only encrypting that one to try to hide the traffic. Getting in or co
Re: (Score:2)
They need a standard that law enforcement can use in a court of law. Hacking firmware and colluding with corporations may or may not be happening, but it is almost certainly not going to be a capability that they want to advertise or even admit to in open court, even if they can get the court to admit it as evidence.
Yes, the existing spy agencies can alert the police to start investigations which can use parallel construction to generate a prosecution, but the police don't want to do this all the time, and
Re: (Score:2)
The firmware hacking is not permanent but simply used to punch a hole into the system, once the system has been compromised the firmware hack is removed so as to limit exposure. Very few people would notice the change in bios load times and thus notice entry, penetration and removal. I suppose at least they tidy up after themselves not for the targets benefit but of course to limit hack exposure which can only happen with corporate cooperation (so the likes of say Dell or M$ quite simply can no longer be c
Re: (Score:2)
They need a standard that law enforcement can use in a court of law. Hacking firmware and colluding with corporations may or may not be happening, but it is almost certainly not going to be a capability that they want to advertise or even admit to in open court, even if they can get the court to admit it as evidence.
It doesn't have to be an open court. I'm not sure about elsewhere but here in the UK a case can be heard in a closed court if it's felt that it will cover material which shouldn't be made public
Re: (Score:2)
True, but that limits the scope of what you can try someone for. Although they're making inroads towards making jaywalking while talking on a cell phone a National Security issue, they haven't quite gotten there yet.
Seriously, though, most judges will question the need for a closed court unless there is a very serious reason. Terrorism is one of those reasons, but again local cops don't have that sort of clout. They simply want to do wire taps again and encryption prevents this unless they have the keys
Re: (Score:2)
Re: (Score:2)
Sure, you can always user superencryption.
Given the ongoing failure to launch of IBE, and the UK government's long track record of not being able to make something like this work, going back to Red Pike twenty years ago, I don't think there's much to be concerned about. Pushing this through would be like the NPfIT/Connecting for Health, but not as simple, cheap, and straightforward.
Re: Trust Us, We're the Government (Score:2)
Incidentally, the NPfIT encryption guidelines were written by GCHQ and surprise, surprise, include key escrow. Why any doctor would want to use a system which can forge his signature on medical records is beyond me.
Re: (Score:1)
Why any doctor would want to use a system which can forge his signature on medical records is beyond me.
Simple. Because any other method gets them fined and possibly imprisoned, or even killed by one of the government's enforcers who are known for their big guns, bad attitudes, institutionalized corruption, and small brains & penises.
[s] But never mind that! Did you hear the latest insane Trump rant and the latest lottery jackpot amount!? [/s]
Strat
Re:Trust Us, We're the Government (Score:5, Interesting)
>The only redeeming feature of IBE is that it's so obviously academic wank that the industry has stayed away in droves.
Nope, some of us in industry have a turgid knob for IBE too. It solves specific problems exceedingly well. It provides a way to do key distribution amongst things you control while not having to trust the intervening infrastructure and not having to do as much computation at the endpoints.
The GCHQ M-S scheme has been around for a while. It's a well engineered IBE scheme compared to many of the schemes coming from academia. I certainly wouldn't use it when a third party was the KDC, but that's not what it's for. It was a contender for the key management in some standards that would be very widely deployed, but lost out to more conventional PKI schemes due to people being masochists for using things that have failed consistently in the past.
Re: (Score:2)
No?
Oh. Now I see it. (Score:5, Insightful)
Re: (Score:2)
You'd have to go through a government-run server...
No, you wouldn't. Unless you do critical work for the UK government.
Re: (Score:1)
Oh, so to spy on the UK government, all that's needed is to compromise the escrow server?
Also, who's to say that this "standard" won't be extended to the rest of the population. Telcos may not be able to serve british subjects without mandating this protocol on all their devices and their networks..
Re: (Score:2)
Telcos may not be able to serve british subjects without mandating this protocol on all their devices and their networks..
If that happened, anyone who wants to use some other form of encryption can arrange it themselves.
Re: (Score:2)
Re:Oh. Now I see it. (Score:5, Insightful)
Is this what U.S. politicians want? Not 'backdoors' in encryption, but being the keyholders?
Politicians don't know what they want, most of them barely understand encryption.
However that seems to be what they are getting at when they say "backdoors," if not being a keyholder, at least being able to get the key.
Might as well add that this quote:
This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys,"
If a third party has the 'private' key, then it's not a private key. Two people can keep a secret if one of them is dead, etc
Re: (Score:2)
Not Quite (Score:2)
Worse than politicians: the un-elected spooks that desire total control (instead of their near-total control of today).
Towards the end of his reign of terror, even sitting Presidents were scared of crossing J Edgar Hoover due to his decades of collecting dirt on damn near everyone.
In comparison, this current round of jackals make J look like cross-dressing comic relief.
Re: (Score:2)
I don't like this protocol, but to be honest, this is no worse than when the cops could listen in on phone conversations directly via wire tap. Your privacy is not really impaired any more than it would have been in the past. There are other ways to communicate securely other than via voice and there are techniques that spies and organized criminals have used for decades to communicate under the expectation of a phone tap.
Re: (Score:2)
There are other ways to communicate securely other than via voice and there are techniques that spies and organized criminals have used for decades to communicate under the expectation of a phone tap.
See, that's the point I've been making all along whenever this 'backdoor' subject comes up with regards to here in the U.S.: They'd compromise encryption for their so-called 'backdoors', essentially destroying it's usefulness, but the very people they're trying to catch (criminals and terrorists) won't be affected at all because they'll use their own encryption (which they won't be able to break any more than they can break what we have now that isn't compromised), or they'll use more traditional methods of
Sakke. (Score:3)
So what you're saying is someone had a bit too much sake when designing this?
Re: (Score:2)
They gargle it and then let it dribble down their chin.
Not necessarily just for eavesdropping (Score:4, Interesting)
A step to making this secure is to generate private keys on the end-clients, verify the code to generate them does not also create an escrow key, and be vigilant from then on to only allow access to that private key with audited code.
But there's a usability problem with this: people suck at not losing things.
Lost your private key and need to check your email? You're out of luck. This is the sign of a good, secure system, but the average office person will at some point lose their key and be very pissed off that their account is impossibly unrecoverable.
So to appease the "careless," they backup/generate keys on a server. This has the unfortunate (or fortunate for them?) side effect of allowing undetectable key escrow. So they might be doing this to solve a legitimate usability problem, it just enables these other, probably bigger, problems.
I prefer the B.L.O.W.M.E. encryption standard (Score:3)
Sorry but this "compromised by design" shit has to go.
People need to use a strong, unbreakable encryption. Then, when the government comes sniffing around, they should be told to go sodomize a hippopotamus.
Re: (Score:3)
Sorry but this "compromised by design" shit has to go.
People need to use a strong, unbreakable encryption.
People can do that. The story is about the UK government choosing how to encrypt its own communications.
Re: (Score:2)
If you think it'll stay there, you're naive.
same all over - perverts (Score:2)
"Security" goons are pretty much the same all over; they don't care if you are ripped off, kidnapped, raped, or murdered, as long as they get to watch, so they have no problem creating ways for (other) criminals to get into whatever security you might want to use to protect yourself.
Undetectable mass surveillance? (Score:3)
If the GCHQ wanted undetectable, just ensure the designs allowed in the UK are to the generations of usual tame and junk maths standards.
Then dont tell or allow anyone to publish on the existing, new or to be released standards.
Get any wider academic study out of the telco sector and replace it with tame UK professional academics with security backgrounds. Have them pump out vast numbers of complex papers to a waiting press to pass on the wholesomeness of UK crypto academics and advanced secure communications.
That would have covered the "Undetectable" part in a more realistic fashion. If junk crypto is been talked about as offering "companies to listen to their employees calls" people kind of understand the level of UK mass surveillance over all devices sold in the UK.
Why would anyone interesting ever talk about anything interesting on a UK connected network ever again?
The more people understand the UK gov is a party to all their private digital communications, the more they can revert to traditional methods of communications.
Does the UK have the overtime for 6-10 contractor or mil teams in shifts to watch every single interesting person 24/7 when they fail to turn on their gov ready phones everyday?
Drones, teams of cars and helicopters to track every meeting of 3 interesting people in a remote locations with no phones again?
What worked so well in Ireland needed a small army of very skilled teams watching a very small population. Do todays gov officials and contractors have the ability to fit in with the communities or will they be noticed?
As for "“scale and usability requirements" that would be more Tempora? https://en.wikipedia.org/wiki/... [wikipedia.org]
Telling an entire nation they are under constant surveillance will change how they use a cell phone. Why would any gov tell them to change their habits?
Is the UK gov hoping to induce a trackable rush to VPN's and then track for people altering their cell phone habits as the information filters down the wider press?
That gives the UK give a short list of people who altered their habits but for the loss of their digital communications.
Time for a lot of ground teams in vans to make up for what the GCHQ got for "free" every generation?
Nothing new, and perfectly fine (Score:1)
Nothing to see here, move along. This isn't some protocol designed for widespread use by the general public (in which case the central private key repository would obviously be unacceptable). This is a protocol designed to secure communications between people working for the government (either directly or as a supplier) on critical infrastructure applications. The government already has an effective system for managing cryptographic material which, if it fell into the wrong hands, would allow access to all
I stopped reading at... (Score:2)
The protocol was designed by GCHQ, the U.K.'s signals intelligence agency,
as a Brit, living comfortably and peacefully in the London suburbs, I'm tired of this shit. It's not saving lives or preventing terror either, do you think any reasonably intelligent terrorist will think, I need to talk to my mates, ok MIKEY-SAKKE is my 'go-to' tool?
Re: (Score:2)
do you think any reasonably intelligent terrorist will think, I need to talk to my mates, ok MIKEY-SAKKE is my 'go-to' tool?
No, and neither does the government. The "mass surveillance!!!11!" hyperbole of the headline notwithstanding, this is just the government implementing the encryption for their own communications.
One of the more frightening.... (Score:1)