GCHQ insists on shooting itself in the foot with backdoored VoIP encryption protocol, developed in-house by CESG.
Britain’s intelligence agency, GCHQ (Government Communications Headquarters), has already developed a phone encryption protocol that contains a backdoor, as the government has been recently asking companies to provide.
During the past year, both the US and UK governments have asked companies operating in their territories to debate on the idea of adding a backdoor into their encrypted security protocols.
Both governments are saying that these backdoors will be used only for official investigations, and not to spy on its citizens. Tech companies have not been willing to do so, and for good reasons.
Security researcher: MIKEY-SAKKE protocol uses a flawed design
According to University College London researcher Dr. Steven J. Murdoch, the GCHQ has already built a data encryption protocol that contains a backdoor.
The protocol’s name is MIKEY-SAKKE and was developed by CESG (Communications-Electronics Security Group), one of GCHQ’s official divisions.
As CESG describes MIKEY-SAKKE, the protocol was developed to help encrypt voice calls and multimedia data in VoIP connections.
Mr. Murdoch discovered that this protocol was specifically designed to include a key escrow system. This is a mechanism through which each user’s encryption key, used to safeguard the data from prying eyes, is sent to a remote server for storage.
As you’d imagine, the person with access to the server also has access to everyone’s encryption key and could easily decode VoIP communications encrypted via MIKEY-SAKKE.
As the way CESG describes their protocol, this key escrow system is presented as a way to make sure attackers can’t break encrypted traffic by attacking the users. Security researchers may not look at it in the same way.
GCHQ wants to use a backdoored protocol for all government communications
“GCHQ have announced that they will only certify voice encryption products through their Commercial Product Assurance (CPA) security evaluation scheme if the product implements MIKEY-SAKKE and Secure Chorus,” explains Mr. Murdoch.
This means that all future UK government communications must use this “secure” encryption protocol.
Mr. Murdoch also explains that “the design of MIKEY-SAKKE is motivated by the desire to allow undetectable and unauditable mass surveillance, which may be a requirement in exceptional scenarios such as within government departments processing classified information.”
Currently, there are no plans for forcing this protocol among private companies operating in the UK, in the public sector.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.