13:24 GMT 16 January 2021

    While the "crypto war" between the British government and privacy campaigners continues, new research suggests that a government-built encryption standard has a massive loophole that could allow security services - such as GCHQ - to intercept past and present communications.

    Encryption is a way of keeping data secure; a secret key or password is needed to decrypt it. The Data Encryption Standard (DES) is a system whereby the sender and receiver of a message share a common key to open and lock the message.

    This is called secret key cryptography (SKC) and is different to public key cryptography (PKC), which needs two keys: one to encrypt and one to decrypt.

    According to Steven Murdoch, a security expert and researcher at University College London, in encrypted messages to Motherboard, the Communications Electronics Security Group (CESG), which is part of the UK's Government Communications Headquarters (GCHQ), uses an encryption standard called "Secure Chorus".

    Secure Chorus relies on a tool called MIKEY-SAKKE, a centralized service provider that basically gives keys out in exchange for personal information, like an email address.

    Murdoch has discovered that Secure Chorus is used by GCHQ's information and security unit, CESG, for the purpose of "protecting official and sensitive communications" and that the organization is committed to "supporting the Secure Chorus standard," suggesting that while the home secretary is calling for a ban on heavily encrypted services, the British government actually has one of its own.

    However, because the keys are handled by MIKEY-SAKKE, they could potentially be accessed by a third party not authorized by the British government to do so.

    "In end-to-end encryption, each person generates their own private keys so only they can decrypt conversations. In MIKEY-SAKKE the central network provider generates everyone's private keys so can decrypt all conversations," Steven Murdoch, who made the discovery by examining public documents published by GCHQ and the Internet Engineering Task Force (IETF), told Motherboard.

    However, Murdoch points out that the identity of the central network provider using MIKEY-SAKKE to unlock communications is not revealed in the documents. He told Motherboard that "for government communication it would likely be GCHQ or an organization controlled by GCHQ.

    "For corporate communications, it could be the company itself or it could be delegated, perhaps to GCHQ," Murdoch suggested.

    But because the MIKEY-SAKKE keys are stored centrally, they "may be more vulnerable to hacking, intimidation of employees or insider abuse, as well as allowing less oversight," Murdoch suggests in a previous analysis published on Bentham's Gaze, a blog written by information security researchers.

    The blog states: "The MIKEY-SAKKE protocol is being promoted by the UK government as a better way to secure phone calls.

    "The reality is that MIKEY-SAKKE is designed to offer minimal security while allowing undetectable mass surveillance, through the introduction of a backdoor based around mandatory key-escrow. This weakness has implications which go further than just the security of phone calls."

    A CESG spokesperson told Motherboard that:

    "We do not recognize the claims made in this paper. The MIKEY-SAKKE protocol enables development of secure, scalable, enterprise grade products."

    If passed, the UK government's Investigatory Powers Bill, dubbed the Snoopers' Charter, would give government agencies and police more power to snoop on people's emails, web history and social media activity, whilst bulk collecting swathes of communications data.

    A UK government response to a petition calling for the home secretary to abandon all ideas of banning strong encryption states: "Clearly as technology evolves at an ever increasing rate, it is only right that we make sure we keep up, to keep our citizens safe. 

    "There shouldn't be a guaranteed safe space for terrorists, criminals and paedophiles to operate beyond the reach of law.

    "The Investigatory Powers Bill will not ban or further limit encryption," the statement concludes.

    Who handles the MIKEY-SAKKE keys to unlock encrypted information on behalf of GCHQ remains unknown to the public.

