GCHQ Says Voice Crypto Protocol Not Backdoored

A week after a researcher published a detailed analysis of the MIKEY-SAKKE voice encryption standard that broke down how it could enable key escrow and mass surveillance, the U.K.’s GCHQ, which designed the standard, has come out in defense of its security and integrity.

CESG, the information security group at GCHQ, developed the MIKEY-SAKKE standard several years ago as a protocol for voice encryption. It’s used inside the U.K. government for secure high-level voice communications, and GCHQ has the authority to set standards for government security and certify security products to be used in government applications. The agency has said it will certify only voice encryption products that use MIKEY-SAKKE.

Steven Murdoch, a researcher at University College London’s Department of Computer Science, took a close look at MIKEY-SAKKE and its implementation in the Secure Chorus standard and concluded that not only does the standard support key escrow, but that it could be set up for use in mass surveillance.

“Although the words are never used in the specification, MIKEY-SAKKE supports key escrow. That is, if the network provider is served with a warrant or is hacked into it is possible to recover responder private keys and so decrypt past calls without the legitimate communication partners being able to detect this happening,” Murdoch wrote in his analysis.

Murdoch’s analysis pointed out that there are other existing standards that GCHQ could have used for voice encryption, rather than designing a new one. But Ian Levy, director of cyber security and resiliency at GCHQ, said in a defense of MIKEY-SAKKE that the protocol is designed with specific security applications in mind, such as public safety or internal monitoring in an organization.

“For investigative or regulatory reasons, most Organisations will want the ability to monitor their employees. MIKEY-SAKKE makes this possible; the organisation can record the encrypted traffic and decrypt it if and when they need to. They don’t need to actively ‘man-in-the-middle’ communications, which they’d have to do with other systems. And ONLY the enterprise can do this, because only the enterprise has the key management server,” Levy wrote.

In an email, Murdoch said he’s happy to see GCHQ talking about the security of MIKEY-SAKKE publicly, but that the facts of his analysis haven’t changed.

“I think it is a very positive sign that GCHQ are willing to engage in an open discussion about the security of MIKEY-SAKKE. GCHQ’s response includes clarifications and also describes some of MIKEY-SAKKE’s design motivations. It is interesting and welcome, but ultimately it doesn’t make a substantial change to my conclusions because the response focusses more on the language used rather than any fundamental points,” Murdoch said.

The key management server is a vital component of the MIKEY-SAKKE protocol, and Levy said that while it could be seen as a weak spot, every security system has weaknesses.

“Any real world security system has something that could compromise security. Whether it’s a Certificate Authority, a code signing key, the integrity of the source code to a product, the Key Distribution Centre in Kerberos or the Key Management Server in the MIKEY-SAKKE system. There’s always something that can break a security system,” Levy said. “Perfect security just isn’t possible.”

Levy also said that the key management server is a feature, not a backdoor.

“The Key Management Server isn’t a backdoor – and it’s certainly not there to enable ‘mass undetectable surveillance’. Only the owners of individual systems can decrypt their conversations,” he said.

The existence of the master key that allows retroactive decryption of calls is still a potential weak spot, Murdoch said, regardless of what it’s called.

“The GCHQ response also focusses only on how the systems using MIKEY-SAKKE work when they are well designed, managed properly, and are functioning correctly, emphasising that the backdoor/audit mechanism requires the use of a centralised master key which should be well protected,” Murdoch said.

“My analysis instead looked at the cost of protecting this master key and pointing out that if something goes wrong, whether by accident or malicious behaviour, the consequences for the security of users are severe. Some other encryption protocols have centralised aspects too, but the damage which results from their compromise is far less than with MIKEY-SAKKE so this reduces risk and also the cost of providing adequate protection.”