Menu
British voice encryption protocol has massive weakness, researcher says

British voice encryption protocol has massive weakness, researcher says

The UK government is requiring suppliers to implement the protocol

A protocol designed and promoted by the British government for encrypting voice calls has a by-design weakness built into it that could allow for mass surveillance, according to a University College London researcher.

Steven Murdoch, who works in the university's Information Security Research Group, analyzed a protocol developed by CESG, which is part of the spy agency GCHQ.

The MIKEY-SAKKE (Multimedia Internet KEYing-Sakai-KasaharaKey Encryption) protocol calls for a master decryption key to be held by a service provider, he wrote in an analysis published Tuesday.

"The existence of a master private key that can decrypt all calls past and present without detection, on a computer permanently available, creates a huge security risk, and an irresistible target for attackers," Murdoch wrote.

Cryptography engineers seeking to build secure systems avoid this approach, known as key escrow, as it makes whatever entity holding the key a target for attack. It also makes the data of users more vulnerable to legal action, such as secret court orders.

The approach taken by the British government is not surprising given that it has frequently expressed its concerns over how encryption could inhibit law enforcement and impact terrorism-related investigations.

The technology industry and governments have been embroiled in a fierce ongoing debate over encryption, with tech giants saying building intentionally weak cryptography systems could provide attack vectors for nation-state adversaries and hackers.

Murdoch wrote CESG is well aware of the implications of its design. Interestingly, the phrase "key escrow" is never used in the protocol's specification.

"This is presented as a feature rather than bug, with the motivating case in the GCHQ documentation being to allow companies to listen to their employees calls when investigating misconduct, such as in the financial industry," he wrote. 

The endorsement of the protocol has wide-ranging implications for technology vendors. Murdoch wrote that the British government will only certify voice encryption products that use it. The government's recommendations also influence purchasing decisions throughout the industry.

"As a result, MIKEY-SAKKE has a monopoly over the vast majority of classified U.K. government voice communication, and so companies developing secure voice communication systems must implement it in order to gain access to this market," he wrote.

GCHA has already begun certifying products under its Commercial Product Assurance (CPA) security evaluation program. Approved products must use MIKEY-SAKKE and also Secure Chorus, an open-source code library that ensure interoperability between different devices.


Follow Us

Join the newsletter!

Error: Please check your email address.

Featured

Slideshows

Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Tech industry comes together as Lexel celebrates turning 30

Tech industry comes together as Lexel celebrates turning 30

Leading figures within the technology industry across New Zealand came together to celebrate 30 years of success for Lexel Systems, at a milestone birthday occasion at St Matthews in the City.​

Tech industry comes together as Lexel celebrates turning 30
HP re-imagines education through Auckland event launch

HP re-imagines education through Auckland event launch

HP New Zealand held an inaugural Evolve Education event at Aotea Centre in Auckland, welcoming over 70 principals, teachers and education experts to explore ways of shaping and enhancing learning using technology.

HP re-imagines education through Auckland event launch
Show Comments