Row over GCHQ-built voice algo MIKEY SAKKE rumbles on

GCHQ has defended its controversial MIKEY-SAKKE phone encryption protocol against criticism that it leaves a backdoor into systems that support the technology.

The CESG assurance arm of the UK government’s signal intelligence agency has taken the unusual step of publishing a background document and FAQ in defence of the technology, summarised in a statement by a government spokesman.

The MIKEY-SAKKE protocol is designed to enable organisations to provide secure communications with end-to-end encryption.

Each organisation that uses a MIKEY-SAKKE based product has its own Key Management Server, which allows users to access the system. As our specification makes clear, the Key Management Server does not need to be online for the system to be secure, which makes it much less vulnerable to attack. All the products approved by HMG operate in this way.

Organisations using MIKEY-SAKKE do not share a common Key Management Server, so it is totally wrong to suggest there is a secret master key or 'backdoor' that would allow GCHQ or any other third party to access real time or historic conversations. Only the owners of individual systems can access and decrypt conversations, if they want to.

At least some independent security experts are sympathetic to the argument that the design of the technology fulfils an explicit requirement for a built-in interception capability. However Dr. Steven Murdoch, research fellow at University College London, whose detailed examination of MIKEY-SAKKE sparked the original controversy remains critical.

Dr Arnold Yau, a self-described privacy advocate, who studied for a doctorate in information security at Royal Holloway before becoming a mobile security and cryptography specialist, argues that early reports that MIKEY-SAKKE was back-doored were unfair.

“The protocols are meant for government and enterprise deployment, with an explicitly stated requirement for lawful interception,” Yau told El Reg. “It's much like companies' ability to read their employee's emails sent through their system, with the difference that emails aren't routinely encrypted.”

El Reg understands that MIKEY-SAKKE was primarily designed to support a government requirement for secure communications. Initially designed to fulfil the requirements of the UK emergency services the technology is positioned as also suitable for businesses who need to meet legal, regulatory and other governance requirements.

We put it to Murdoch that if MIKEY-SAKKE is indeed designed for government and enterprise deployments with an explicit requirement for interception then perhaps different standards ought to be applied. Murdoch responded that, even on its own terms, MIKEY-SAKKE has practical shortcomings, particularly against potentially skilled nation state adversaries.

Murdoch confessed he was “not expecting such a detailed response” from GCHQ to his research.

“The GCHQ response only discusses the security of MIKEY-SAKKE when the system is well designed, properly operated and functioning correctly,” Murdoch explained. “My article instead also dealt with the (likely) scenario that things can go wrong due to accident or malicious behaviour. In these cases an unauthorised third party could gain access to communications and bypass the safety measures GCHQ assured would be present (only to provide time-bounded, single-user keys subject to legal authorisation).”

Scorecard

Backers of MIKEY-SAKKE argue that comparison using the EFF scorecard is “misleading” since the marker is designed when running a rule over consumer services such as Skype, whereas MIKEY-SAKKE is for businesses, where different criteria apply.

Murdoch applied EFF developed criteria for assessing the security of encryption protocols, an approach he argues is valid even for systems designed for enterprises and governments rather than the general population.

“I still think the EFF criteria, which require that security be preserved even if the network provider is compromised, are appropriate. Even if the network provider has a legitimate reason to eavesdrop on communications, someone who has compromised the network provider does not.”

“The GCHQ response correctly states that other protocols have centralised aspects, but MIKEY-SAKKE is notable for making the centralised aspects difficult to protect and there being severe consequences from any compromise,” he added.

Lawful interception (eavesdropping) could have being applied in a more robust manner to that offered by MIKEY-SAKKE, he further argues. Damningly, he describes the robustness of MIKEY-SAKKE as worse than that offered by the infamous Clipper Chip, an abortive US-government backed (and backdoored) crypto scheme of the 1990s.

“MIKEY-SAKKE design is a fragile way to achieve the goal of permitting the eavesdropping of communications. The same master key is used for both communication security and for key-escrow purposes. This makes the master key more vulnerable because it must be used for many purposes, including adding of new users and the monthly update of user-keys.

“There are circumstances where eavesdropping on calls is appropriate (e.g. some enterprise and government communications) but there are other options available which separate the escrowing from normal encryption. Examples include the current financial industry approach of just recording calls before encryption or after decryption, and the Clipper chip which has a separate escrow key which can be more carefully protected and be subject to legal restrictions,” he added.

Murdoch concludes: "So I don’t think the need for permitting eavesdropping on calls in certain circumstances is sufficient justification for the design” of MIKEY-SAKKE. He maintains it is essentially not fit for purpose whether or not it’s eventually used by consumers, something Murdoch reckons remains an open question.

Half-IBAKEd

Murdoch further argues that GCHQ is pushing MIKEY-SAKKE over a rival approach, called MIKEY-IBAKE on the grounds that the latter was less “snoop friendly”.

"There are some hints in the GCHQ submission to the 3GPP committee discussing MIKEY-IBAKE, where they were focussing on MIKEY-SAKKE allowing law enforcement access rather than an enterprise or government getting access to their own staff’s communications," Murdoch explained. "Also of note is that GCHQ were asking the committee to prevent the use of MIKEY-IBAKE, not to permit the use of MIKEY-SAKKE. If GCHQ were content to let companies have free choice over which security protocol they use, why prevent them from using MIKEY-IBAKE if they want?”

Yau conceded Murdoch had made some fair and reasonable points. He said the discussion about the protocol would be better focused on the possibility it creates “unsafe deployment”, rather than existence of hidden "backdoors”.

“With 3GPP, I wonder why GCHQ how much it would actually help them have MIKEY-SAKKE adopted,” Yau concluded. “My (academic) understanding is that mobile communications (GSM/3G/LTE) are never secured end-to-end to start with with encryption only applied to the air interface (between cell towers and device). This means they can (and probably are) already eavesdrop on conversations (or data traffic) at the mobile network operator whether legally or illegally.”

“If law enforcement agencies wish to decrypt over-the-air traffic, there are already equipment such as Stingray, IMSI ((International Mobile Subscriber Identity) catcher, femtocells that are available for that purpose,” he added.

If MIKEY-SAKKE was intended as a backdoor then it was a hopelessly cack handed, according to Yau.

“More generally if they want to insert backdoors into public communication protocol/equipment, they'd probably do it with far more subtlety as demonstrated by the Dual-EC DRBG and the Juniper backdoor,” Yau added in what’s best described as a backhanded compliment. ®