الجمعة، 22 يناير 2016

Researcher Warns: UK Spy Agency GCHQ Phone Crypto Scheme Found To Be Backdoored

Researcher Warns UK Spy Agency GCHQ Phone Crypto Scheme Found To Be Backdoored


GCHQ Phone Crypto Scheme Found To Be Backdoored


A researcher has discovered "The voice encryption protocol of UK governments has a massive backdoor that enables the security services to intercept and listens to each and every past and present calls." 


Phone Crypto Scheme: It is a scheme which is promoting by the Britain's spy agency for the purpose of encrypting phone calls. In possession of a master key, it contains a backdoor that is easily accessible by anyone.

What is MIKEY-SAKKE?

For the purpose of establishing a shared secret value and certificate-less signatures to provide source authentication, it uses Identity-based Public Key Cryptography (IDPKC). It's based on the Secure Chorus. It was developed by the Communications-Electronics Security Group which is an information security arm of the UK's Government Communications Headquarters.

Features of MIKEY-SAKKE:

It has a number of desirable features some of them are:

  • Simplex transmission
  • Scalability
  • Low-latency call setup
  • Support for secure deferred delivery.

Dr. Steven Murdoch of University College London concludes that it has been specifically designed to

"allow undetectable and unauditable mass surveillance." He notes that in the "vast majority of cases" the protocol would be "actively harmful for security." in his blog post.

Murdoch wrote in the analysis titled 

"Insecure by design: protocols for encrypted phone calls." "Also calls which cross different network providers (e.g., between different companies) would be decrypted at a gateway computer, creating another location where calls could be eavesdropped."

Murdoch also wrote that existence of a master private key can create a huge security risk, and it can be a target for attackers as without detection it decrypts all calls of past and present.

Murdoch characterizes the scheme as part of a key escrow that allows government agents to obtain the individual encryption keys that were generated using the master key.

Key-Escrow: It is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under any circumstances, an authorized third party may gain access to those keys.

While it is very surprising that the official UK government system would have such a significant backdoor, it is perhaps very less surprising for you when you consider who developed the spec: the information security arm of the UK listening post GCHQ, the Communications-Electronics Security Group (CESG).

The US government waged a similar campaign to build key-escrow capabilities into widely used encryption schemes in 1990. Sometimes US officials have criticized other companies like Google, Apple, because of the fact that they are providing default encryption capabilities that have the potential to thwart criminal or national security investigations.

ليست هناك تعليقات:

إرسال تعليق