NEWS

UK’s encryption protocol should be avoided at all costs

It is no secret that the British government has surveillance firmly on its priorities list. The proposed Snoopers Charter has at its heart hugely invasive legislation that would give UK authorities the legal right to put just about anybody under surveillance for just about any reason imaginable – all in the name of national security. 

In the US, a similar perspective is often behind the spy agencies animosity towards companies like Apple, which offer consumers strong encryption right out of the box. The NSA’s impression, being that it is sacrilegious for technology firms not to have to leave backdoors in encryption for the intelligence agencies to exploit – should they need to during ongoing investigations.

surveillance state

Now, the British government has attempted to solve that niggling problem by designing a voice encryption protocol that plays right into the hands of its draft investigatory powers bill, by giving GCHQ (the UK’s surveillance agency) a master key to everyone’s encrypted conversations.

This latest revelation comes via research conducted at University College in London, where a security expert has discovered an enormous security flaw in the government designed MIKEY-SAKKE protocol. Steven Murdoch, lead researcher, found the backdoor while working in the University’s Information Security Research Group, where he inspected the encryption protocol developed by the UK’s Communications-Electronics Security Group (CESG) the information security department of GCHQ.

During that research, Murdoch discovered that MIKEY-SAKKE (Multimedia Internet KEYing-Sakai-KasaharaKey Encryption) has a backdoor left in it by design that would allow GCHQ (and anyone else with access to the master encryption key) to perform mass surveillance on everyone that uses it. Problematic because backdoors are a security flaw that run the risk of being accessed by your enemies as well as your chosen friends.   

In his detailed blog post on the discovery, entitled ‘Insecure by design: protocols for encrypted phone calls’, Murdoch lays out his concerns about the new protocol – which the British government was hoping to build into a whole range of products. By using the Electronic Frontier Foundation’s (EFF) scorecard system as a recognised benchmark from which to test the British designed protocol, Murdoch ascertained that it passes only one of four of the EFF’s criteria. Specifically that it provides end to end encryption. Other than that, the security expert could find no way of accrediting MIKEY-SAKKE with any positive security features, concluding instead that the protocol was designed to ‘allow undetectable and un-auditable mass surveillance.’

‘This is presented as a feature rather than a bug, with the motivating case in the GCHQ documentation being to allow companies to listen to their employees calls when investigating misconduct, such as in the financial industry,’ continues Murdoch in his startling (but unsurprising) blog.

One of the main problems with CESG’s protocol is that it specifically allows a Telecom provider to perform a man-in-the-middle attack without the knowledge of either of the contacts involved. This, Murdoch explains, is achieved via a master key that allows any of the individual encryption keys unique to a conversation to be unencrypted,

‘The existence of a master private key that can decrypt all calls past and present without detection, on a computer permanently available, creates a huge security risk, and an irresistible target for attackers.’

cybersec 3

Also of concern, is the fact that the protocol does not allow either for anonymity or for callers to verify that they are communicating with the correct contact.

What Murdoch has uncovered, is that MIKEY-SAKKE is a total security fail. On the other hand, it is perfect for implementing the Snoopers Charter by forcing Telecom companies to be complicit in helping GCHQ to access any conversation that it desires. Considering that this technology was created at GCHQ, however, it is completely unsurprising that the government endorsed encryption protocol leaves key-escrow in the hands of the intelligence agency by design – a laughably obvious outcome that we all saw coming.

Alarmingly, GCHQ has already started pushing the flawed encryption at technology companies in the form of Secure Chorus: a product spec that it is encouraging commercial companies to adopt and that it is marketing to the technology sector as ‘government-grade security.’ At least now, you know what to avoid with a giant barge pole.

 


Ray Walsh I am a freelance journalist and blogger from England. I am highly interested in politics and in particular the subject of IR and I am an advocate for freedom of speech, equality and personal privacy. On a more personal level I like to stay active, love snowboarding, swimming and cycling, enjoy seafood and love to listen to trap music.

Related Coverage

More

4 responses to “UK’s encryption protocol should be avoided at all costs

  1. Mr. Walsh, thank you for this information. At the QWealthReport.com we have been following many of your articles. Many of our readers are from the UK and have an interest in personal security.

    What would you recommend as steps to avoid this UK encryption protocol? VPN? Encrypted e-mail? What about for mobile device communication?

    We would be very interested in your recommendations. Thank you for writing this piece!

    1. The only real thing that you can do when it comes to MIKEY-SAKKE (RFC 6509) is to avoid the protocol. One program that is currently being evaluated for compliance with the protocol is Cryptify Call for Android and iOS. As more apps become available that use this ‘government grade security’ they shall also all need to be avoided too unless you want to give telcos and the government access to all your voice calls.

  2. Ray,

    As we all know the terrorists, drug dealers, mafia etc. of the world will use non-breakable encryption against everyone at every opportunity. Is there a possible answer to this Planet Earth problem that will provide some level of security to the user vs. the governments needs to protect its national security?

    1. Hi Gene,

      I can’t speak for Ray, but terrorists also use door locks. Are you suggesting that the government has a skeleton key to every one’s front door just because terrorists lock their front doors?

Leave a Reply

Your email address will not be published. Required fields are marked *