-------- Forwarded Message --------
Subject: [Cryptography] GCHQ's plan to backdoor encrypted phone calls
Date: Tue, 19 Jan 2016 19:03:25 -0800
From: Henry Baker [1]
To: [2]cryptography@metzdowd.com

FYI -- The whole article is too long to reproduce here; follow the link to read the whole article.

[3]https://www.benthamsgaze.org/2016/01/19/insecure-by-design-protocols-for-encrypted-phone-calls/

Insecure by design: protocols for encrypted phone calls

The MIKEY-SAKKE protocol is being promoted by the UK government as a better way to secure phone calls. The reality is that MIKEY-SAKKE is designed to offer minimal security while allowing undetectable mass surveillance, through the introduction of a backdoor based around mandatory key-escrow. This weakness has implications which go further than just the security of phone calls.

The current state of security for phone calls leaves a lot to be desired. Land-line calls are almost entirely unencrypted, and cellphone calls are also unencrypted except for the radio link between the handset and the phone network. While the latest cryptography standards for cellphones (3G and 4G) are reasonably strong it is possible to force a phone to fall back to older standards with easy-to-break cryptography, if any. The vast majority of phones will not reveal to their user whether such an attack is under way.

The only reason that eavesdropping on land-line calls is not commonplace is that getting access to the closed phone networks is not as easy compared to the more open Internet, and cellphone cryptography designers relied on the equipment necessary to intercept the radio link being only affordable by well-funded government intelligence agencies, and not by criminals or for corporate espionage. That might have been true in the past but it is certainly no longer the case with the necessary equipment now available for $1,500. Governments, companies and individuals are increasingly looking for better security.

A second driver for better phone call encryption is the convergence of Internet and phone networks. The LTE (Long-Term Evolution) 4G cellphone standard carries voice calls over IP packets, and desktop phones in companies are increasingly carrying voice over IP (VoIP) too. Because voice calls may travel over the Internet, whatever security was offered by the closed phone networks is gone and so other security mechanisms are needed.

Like Internet data encryption, voice encryption can broadly be categorised as either link encryption, where each intermediary may encrypt data before passing it onto the next, or end-to-end encryption, where communications are encrypted such that only the legitimate end-points can have access to the unencrypted communication. End-to-end encryption is preferable for security because it avoids intermediaries being able to eavesdrop on communications and gives the end-points assurance that communications will indeed be encrypted all the way to their other communication partner.

Current cellphone encryption standards are link encryption: the phone encrypts calls between it and the phone network using cryptographic keys stored on the Subscriber Identity Module (SIM). Within the phone network, encryption may also be present but the network provider still has access to unencrypted data, so even ignoring the vulnerability to fall-back attacks on the radio link, the network providers and their suppliers are weak points that are tempting for attackers to compromise. Recent examples of such attacks include the compromise of the phone networks of Vodafone in Greece (2004) and Belgacom in Belgium (2012), and the SIM card supplier Gemalto in France (2010).
The identity of the Vodafone Greece hacker remains unknown (though the NSA is suspected) but the attacks against Belgacom and Gemalto were carried out by the UK signals intelligence agency -- GCHQ -- and only publicly revealed from the Snowden leaks, so it is quite possible there are other attacks which remain hidden.

Email is typically only secured by link encryption, if at all, with HTTPS encrypting access to most webmail and Transport Layer Security (TLS) sometimes encrypting other communication protocols that carry email (SMTP, IMAP and POP). Again, the fact that intermediaries have access to plaintext creates a vulnerability, as demonstrated by the 2009 hack of Google's Gmail likely originating from China. End-to-end email encryption is possible using the OpenPGP or S/MIME protocols but their use is not common, primarily due to their poor usability, which in turn is at least partially a result of having to stay compatible with older insecure email standards.

In contrast, instant messaging applications had more opportunity to start with a clean-slate and so this is where much innovation in terms of end-to-end security has taken place. Secure voice communication however has had less attention than instant messaging so in the remainder of the article we shall examine what should be expected of a secure voice communication system, and in particular see how one of the latest and up-coming protocols, MIKEY-SAKKE, which comes with UK government backing, meets these criteria.

MIKEY-SAKKE and Secure Chorus

MIKEY-SAKKE is the security protocol behind the Secure Chorus voice (and also video) encryption standard, commissioned and designed by GCHQ through their information security arm, CESG. GCHQ have announced that they will only certify voice encryption products through their Commercial Product Assurance (CPA) security evaluation scheme if the product implements MIKEY-SAKKE and Secure Chorus.
As a result, MIKEY-SAKKE has a monopoly over the vast majority of classified UK government voice communication and so companies developing secure voice communication systems must implement it in order to gain access to this market. GCHQ can also set requirements of what products are used in the public sector as well as for companies operating critical national infrastructure.

.............

Conclusions and future work

The design of MIKEY-SAKKE is motivated by the desire to allow undetectable and unauditable mass surveillance, which may be a requirement in exceptional scenarios such as within government departments processing classified information. However, in the vast majority of cases the properties that MIKEY-SAKKE offers are actively harmful for security. It creates a vulnerable single point of failure, which would require huge effort, skill and cost to secure -- requiring resource beyond the capability of most companies. Better options for voice encryption exist today, though they are not perfect either. In particular, more work is needed on providing scalable and usable protection against man-in-the-middle attacks, and protection of metadata for contact discovery and calls.

More broadly, designers of protocols and systems need to appreciate the ethical consequences of their actions in terms of the political and power structures which naturally follow from their use. MIKEY-SAKKE is the latest example to raise questions over the policy of many governments, including the UK, to put intelligence agencies in charge of protecting companies and individuals from spying, given the conflict of interest it creates.

Update 2016-01-19: Fix broken links to GCHQ website, note that master key must be permanently available though not necessarily directly connected to the Internet, and mention suspicions that the NSA were involved in the Vodafone Greece compromise.

The photograph above this article is of an AT&T TSD-3600E Telephone Security Device based around the Clipper key-escrow chip (© Matt Blaze).

An edited version of this article will appear in the March 2016 special edition of IEEE Computer Magazine: Communications and Privacy under Surveillance.

CC BY-ND 4.0
Insecure by design: protocols for encrypted phone calls by Steven J. Murdoch is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.

Published by Steven J. Murdoch

Dr Steven J. Murdoch is a Royal Society University Research Fellow in the Information Security Research Group of University College London, working on developing metrics for security and privacy. His research interests include authentication/passwords, banking security, anonymous communications, censorship resistance and covert channels. He has worked with the OpenNet Initiative, investigating Internet censorship, and for the Tor Project, on improving the security and usability of the Tor anonymity system. His current research on developing methods to understand complex system security is supported by the Royal Society. He is also working on analysing the security of banking systems, especially Chip & PIN/EMV, and is Innovation Security Architect of Cronto, an online authentication technology provider and part of the VASCO group.

_______________________________________________
The cryptography mailing list
[4]cryptography@metzdowd.com
[5]http://www.metzdowd.com/mailman/listinfo/cryptography

References

1. mailto:hbaker1@pipeline.com
2. mailto:cryptography@metzdowd.com
3. https://www.benthamsgaze.org/2016/01/19/insecure-by-design-protocols-for-encrypted-phone-calls/
4. mailto:cryptography@metzdowd.com
5. http://www.metzdowd.com/mailman/listinfo/cryptography