Researcher warns of backdoor in GCHQ-developed encryption

It's not as secure as end-to-end encryption, he claims.
Nick Summers, @nisummers
January 21, 2016

The UK government's spy agency stands accused of developing and promoting an encryption standard for voice calls that includes a backdoor, allowing it to conduct "undetectable mass surveillance." The protection is designed for internal software used by the British government, but because it is open-source, one security researcher is worried it will also be adopted by commercial companies. If that happens, the flaw could be exploited by GCHQ and, potentially, hackers to monitor the conversations not just of government employees, but of the wider public.

Dr Steven Murdoch, a Principal Research Fellow at University College London's Information Security Research Group, is concerned specifically about the way GCHQ's standard handles encryption keys. MIKEY-SAKKE, the security protocol behind the Secure Chorus encryption standard, relies on a set of master keys generated at the service provider level. These are used to protect each call session, but Murdoch says the master private key can also be used to decrypt users' conversations, past and present.

"The existence of a master private key that can decrypt all calls past and present without detection, on a computer permanently available, creates a huge security risk, and an irresistible target for attackers. Also calls which cross different network providers (e.g. between different companies) would be decrypted at a gateway computer, creating another location where calls could be eavesdropped."

Such a flaw, Murdoch believes, can be classified as "key escrow." That means a service provider would be able to comply with a British government request for "content," or what was said, during a particular individual or group's conversations. This ability to decrypt is in stark contrast to end-to-end encryption, which puts both public and private keys in the hands of the user. That way, even if a warrant is served, the company is unable to deliver the data in a readable format. A number of apps now offer this protection, including Apple's iMessage.
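The key-handling difference described in the last two paragraphs, as an added toy model written for this article (not Murdoch's code, and not the pairing-based SAKKE construction MIKEY-SAKKE actually uses): a hypothetical provider-side KMS derives every user's long-term private key from one master secret, so it can recover any session secret from a recorded transcript, whereas an ephemeral key agreement leaves it with nothing to derive. The class and function names, the small modulus and the identities are constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy group (a Mersenne prime modulus, generator 5): illustration only,
# far too small for real use and not the SAKKE curve.
P = 2**127 - 1
G = 5

def kdf(*parts: bytes) -> int:
    """Hash byte strings down to an exponent in [1, P-2]."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % (P - 2) + 1

class KMS:
    """Hypothetical provider-side key management server holding one master secret."""
    def __init__(self) -> None:
        self.master_secret = secrets.token_bytes(32)

    def private_key(self, identity: str) -> int:
        # Every user's long-term key is a function of the master secret, so the
        # provider can recompute it at any time without involving the user.
        return kdf(self.master_secret, identity.encode())

    def public_key(self, identity: str) -> int:
        return pow(G, self.private_key(identity), P)

def escrowed_call(kms: KMS, callee: str):
    """Caller encapsulates a session secret to the callee's provider-issued key.
    Returns (caller_secret, callee_secret, recorded_transcript)."""
    r = kdf(secrets.token_bytes(32))                 # caller's fresh exponent
    sent = pow(G, r, P)                              # the only value on the wire
    caller_secret = pow(kms.public_key(callee), r, P)
    callee_secret = pow(sent, kms.private_key(callee), P)
    return caller_secret, callee_secret, (callee, sent)

def kms_recover(kms: KMS, transcript) -> int:
    """Recover the session secret from a stored transcript using only the master
    secret: this works for calls recorded long before the recovery is attempted."""
    callee, sent = transcript
    return pow(sent, kms.private_key(callee), P)

def end_to_end_call():
    """Both parties use fresh exponents and no provider-derived long-term key, so
    the provider records (g^a, g^b) but holds nothing that yields g^(ab)."""
    a, b = kdf(secrets.token_bytes(32)), kdf(secrets.token_bytes(32))
    ga, gb = pow(G, a, P), pow(G, b, P)
    return pow(gb, a, P), pow(ga, b, P), (ga, gb)
```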

Murdoch says he isn't surprised by the backdoor given GCHQ's responsibility to both monitor and protect the government's communications:

"GCHQ designs the encryption technology used by government to prevent unauthorised parties having access to classified information. But GCHQ also wants the ability to examine how this encryption technology is used to investigate suspected leaks whether to companies, the press, or foreign intelligence agencies."

The worry now is that the MIKEY-SAKKE protocol will be adopted by companies offering secure voice calls to the public. After all, "government-grade security" sounds like a pretty safe bet. GCHQ, however, disputes Murdoch's claims. A spokesperson for CESG, GCHQ's Information Security arm (which developed the standard), told Engadget: "We do not recognise the claims made in this paper. The MIKEY-SAKKE protocol enables development of secure, scalable, enterprise grade products."
