The U.K. government’s standard for encrypted voice communications, which already is in use in intelligence and other sectors and could be mandated for use in critical infrastructure applications, is set up to enable easy key escrow, according to new research.

The standard is known as Secure Chorus, which implements an encryption protocol called MIKEY-SAKKE. The protocol was designed by GCHQ, the U.K.’s signals intelligence agency, the equivalent in many ways to the National Security Agency in the United States. MIKEY-SAKKE is designed for voice and video encryption specifically, and is an extension of the MIKEY (Multimedia Internet Keying) protocol, which supports the use of EDH (Ephemeral Diffie-Hellman) for key exchange.

“MIKEY supports EDH but MIKEY-SAKKE works in a way much closer to email encryption. The initiator of a call generates key material, uses SAKKE to encrypt it to the other communication partner (responder), and sends this message to the responder during the set-up of the call. However, SAKKE does not require that the initiator discover the responder’s public key because it uses identity-based encryption (IBE),” Dr. Steven Murdoch of University College London’s Department of Computer Science wrote in a new analysis of the security of the Secure Chorus standard.

“In conventional public key systems each party generates their own private key and distributes their public key to anyone who needs it but in an IBE system, all private keys are generated by the network provider from their master private key.”

That master key needs to be permanently available so that users can access it, making it a natural target for attackers. But the bigger issue is that it would enable network providers to decrypt calls.

“The existence of a master private key that can decrypt all calls past and present without detection, on a computer permanently available, creates a huge security risk, and an irresistible target for attackers. Also calls which cross different network providers (e.g. between different companies) would be decrypted at a gateway computer, creating another location where calls could be eavesdropped,” Murdoch wrote.
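
The escrow property described above holds for identity-based encryption in general. As an added example (not from Murdoch's analysis or the Secure Chorus specification), the Python sketch below uses Cocks' quadratic-residue IBE, a different and simpler scheme than SAKKE, to show that the holder of the master secret can re-derive a responder's private key and decrypt a recorded key-transport message. The toy modulus and the identity `bob@example.org` are constructed for illustration.

```python
import hashlib
import secrets

# Master secret of the key server: primes P, Q = 3 mod 4 (constructed toy values).
P, Q = 2**127 - 1, 2**107 - 1
N = P * Q  # public system parameter, known to every user

def jacobi(a, n):  # Jacobi symbol (a/n) for odd n
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def identity_to_public(identity):  # anyone can compute this from N alone
    for ctr in range(1 << 16):
        digest = hashlib.sha256(f"{ctr}|{identity}".encode()).digest()
        a = int.from_bytes(digest, "big") % N
        if jacobi(a, N) == 1:  # need (a/N) = +1 so that a or -a is a square
            return a

def kms_extract(identity):  # needs P and Q: returns r with r^2 = +a or -a mod N
    return pow(identity_to_public(identity), (N + 5 - P - Q) // 8, N)

def _mask(bit, a, sign):  # hide one bit as t + sign*a/t, where (t/N) = +/-1
    while True:
        t = secrets.randbelow(N - 2) + 2
        if jacobi(t, N) == (1 if bit else -1):
            return (t + sign * a * pow(t, -1, N)) % N

def encrypt(identity, key_bits):  # initiator: no lookup of a responder key
    a = identity_to_public(identity)
    return [(_mask(b, a, 1), _mask(b, a, -1)) for b in key_bits]

def decrypt(identity, r, ciphertext):  # responder, or anyone else holding r
    first = (r * r) % N == identity_to_public(identity)
    return [jacobi((c1 if first else c2) + 2 * r, N) == 1 for c1, c2 in ciphertext]

def escrow_demo(identity="bob@example.org"):  # hypothetical identity
    session_key = [bool(secrets.randbits(1)) for _ in range(32)]
    recorded = encrypt(identity, session_key)  # captured at call set-up
    rederived = kms_extract(identity)          # derived later, user not involved
    return decrypt(identity, rederived, recorded) == session_key
```

Nothing in `escrow_demo` touches the responder's device: the same `kms_extract` call that issues a user's key reproduces it at any later time, which is why the decryption leaves no trace for the call participants.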

Like many other countries, the U.K. has been in the throes of a public and private debate over Internet and phone surveillance since the start of the Edward Snowden revelations several years ago. The surveillance programs revealed by Snowden have included many run by the GCHQ and NSA, some jointly, some separately. U.K. officials have been discussing the possibility recently of banning or severely restricting strong encryption.

The Secure Chorus standard is in use for some government and intelligence communications in the U.K. now and the GCHQ could use its authority to mandate its use in the public sector and some critical infrastructure organizations, as well. The agency has a program called Commercial Product Assessment to certify encryption products for use in classified government applications, and it has said it will certify only products that implement Secure Chorus.

All of which does not bode well for the security of users’ voice communications.

“Although the words are never used in the specification, MIKEY-SAKKE supports key escrow. That is, if the network provider is served with a warrant or is hacked into it is possible to recover responder private keys and so decrypt past calls without the legitimate communication partners being able to detect this happening,” Murdoch wrote in his analysis.

“Secure Chorus facilitates undetectable mass surveillance, in a way that EDH-based key encryption schemes would not. This is presented as a feature rather than bug, with the motivating case in the GCHQ documentation being to allow companies to listen to their employees’ calls when investigating misconduct, such as in the financial industry.”

The way that the standard is designed, there’s no good way to implement it without the key escrow mechanism, Murdoch said.

“By design there is always a third party who generates and distributes the private keys for all users. This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys,” Murdoch said by email.

He added that the design of Secure Chorus “is not an accident.” There are existing protocols, such as ZRTP, that can accomplish the security tasks Secure Chorus is supposed to, but without the backdoor access of key escrow. However, GCHQ has eschewed those in favor of its own design.

“The claim that GCHQ make is that existing protocols do not support the necessary ‘scale and usability requirements’ but this does not sound plausible to me. The only explanation that I think remains is that GCHQ want people to use encryption systems which permit undetectable mass surveillance,” Murdoch said by email.