Tom Jowitt, January 22, 2016
Do we believe them? GCHQ denies software it developed to encrypt VoIP calls has a backdoor
A security researcher has claimed there is a backdoor that will allow undetectable mass surveillance in a piece of software written by GGHQ used to encrypt Voice Over Internet Protocol (VoIP) calls.
The claims of a backdoor were made by Dr Steven Murdoch, a Principal Research Fellow at University College London’s Information Security Research Group, in a blog post.
At the moment, the protocol is designed for use by the British government. But it is open source, so the concern is that it could be adopted by commercial entities.
The MIKEY-SAKKE (Multimedia Internet KEYing-Sakai-KasaharaKey Encryption) protocol allows for a master decryption key to be held by a service provider, according to Murdoch.
“MIKEY-SAKKE is the security protocol behind the Secure Chorus voice (and also video) encryption standard, commissioned and designed by GCHQ through their information security arm, CESG,” he wrote.
According to Dr Murdoch, the advantage of MIKEY-SAKKE is that it doesn’t use digital certificates. Rather it uses identity-based encryption for key exchange. But this means private keys for users are generated by network providers with a master private key.
And herein lies the problem. These master private keys are valid indefinitely, and make the crypto algorithm vulnerable to silent interception and future decryption, the researcher warned.
“The existence of a master private key that can decrypt all calls past and present without detection, on a computer permanently available, creates a huge security risk, and an irresistible target for attackers,” he wrote.
“We do not recognise the claims made in this paper,” a spokesman for GCHQ told the BBC.
“It’s interesting that GCHQ has developed its own VoIP encryption protocol, although like any form of technology, ‘key escrow’ is not inherently evil,” commented Justin Harvey, chief security officer at Fidelis Cybersecurity.
“The UK Government is currently advocating backdoors in encryption products that can supposedly only be used by law enforcement to enable them to read secure messages, such as text messages, emails and internet traffic,” said Harvey.
“The Government should come to the realisation that the inclusion of backdoors in encryption isn’t merely a legislative or privacy mandate, however, it is technically impossible to control the use of a backdoor in this way,” he said.
“I liken the pro-backdoor encryption movement to complaints about the weather; some people complain about rain, snow or sunshine and wish it were otherwise, but in the end, we can’t do anything about it,” he said. “The same is true for strong encryption.”
Encryption remains a very touchy subject at the moment. Leading technology companies and privacy campaigners have consistently opposed efforts to weaken encryption systems.
Last June a number of leading technology companies including Google, Apple, IBM, Microsoft and Facebook wrote a strongly-worded open letter to President Obama, calling for him to respect the privacy rights of consumers by not weakening encryption systems.
Prime Minister David Cameron has previously said that he wanted British intelligence agencies to be able to monitor the encrypted communications of terror suspects.