'Backdoor' in GCHQ-made phone security

Image copyright Thinkstock
Image caption Some phone calls could be intercepted as a result of vulnerabilities, according to a researcher

A security researcher has said software developed by the UK intelligence agency GCHQ contains weaknesses making it possible to eavesdrop on phone calls.

The security protocol is used to encrypt Voice over Internet Protocol (Voip) calls.

In a blog, University College London researcher Steven Murdoch described vulnerabilities in how such conversations were encrypted.

GCHQ said it did not recognise the findings.

Dr Murdoch did not say that the vulnerability would give direct access to conversations, but that it would make it possible to undermine the system’s security.

The network operator could listen in to calls, or authorise someone else to, and anyone who hacked the system would be able to eavesdrop, he said.

‘Conflict of interest’

One of Dr Murdoch’s chief concerns was that the security standard has “key escrow” by design – meaning, for example, that a third party has access to data sent between two people in a conversation.

This, he said, is an example of a backdoor.

In this case, it could allow an intelligence agency, or the organisation which is using the standard, to intercept phone calls, Dr Murdoch said.

“I think this comes from a conflict of interest within GCHQ in that they are there to baffle spying but they are also there to spy – so they facilitate spying,” he told the BBC.

Dr Murdoch added that he was aware of two products which use the standard, both of which are government certified.

“They could be in use inside government,” he said.

Not-so-secret skeleton key

The protocol in question is known as Mikey-Sakke (Sakai-Kasahara key encryption in multimedia internet keying).

It works by generating encryption keys that are used to encrypt and decrypt voice conversations.

Although it is technically possible to create these keys on two separate computers and only share part of those keys publicly, the Mikey-Sakke protocol does not do this.

Instead, keys are distributed by a third party to the chat participants – the process known as key escrow – meaning that they are much more vulnerable to interception.
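The contrast between the two approaches described above, as an added sketch that is not from the article, Dr Murdoch's blog or the Mikey-Sakke specification. It uses toy Diffie-Hellman arithmetic rather than the Sakai-Kasahara scheme; `kms_issue`, the identity string and the group parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for illustration only: far too small for real use.
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair(priv=None):
    """Return (private, public); a fresh random private key unless one is given."""
    if priv is None:
        priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(my_priv, their_pub):
    """Diffie-Hellman agreement hashed down to a 256-bit call key."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def kms_issue(master, identity):
    """Hypothetical key server: a user's private key is a function of the
    server's master secret and the user's identity, so it can be re-derived."""
    digest = hmac.new(master, identity.encode(), hashlib.sha256).digest()
    return keypair(int.from_bytes(digest, "big") % (P - 3) + 2)

def call_without_escrow():
    """Both ends create keys locally; only the public halves cross the network."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    wire = {"alice_pub": a_pub, "bob_pub": b_pub}
    return session_key(a_priv, b_pub), session_key(b_priv, a_pub), wire

def call_with_escrow(master):
    """Bob's key comes from the key server; Alice encrypts the call to it."""
    b_priv, b_pub = kms_issue(master, "bob@example.org")
    e_priv, e_pub = keypair()  # Alice's per-call value
    wire = {"alice_ephemeral_pub": e_pub}
    alice_key = session_key(e_priv, b_pub)
    bob_key = session_key(b_priv, e_pub)
    # The key server took no part in the call, yet from the recorded wire
    # data and its master secret it reconstructs the same call key.
    kms_priv, _ = kms_issue(master, "bob@example.org")
    kms_key = session_key(kms_priv, wire["alice_ephemeral_pub"])
    return alice_key, bob_key, kms_key
```

In the first function nothing on the wire is a secret; in the second, whoever holds or steals the master secret can decrypt recorded calls after the fact.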

GCHQ
Image caption The Mikey-Sakke protocol was designed by GCHQ, which is based in Cheltenham

There are cases in which this might be desirable, commented Prof Nigel Smart, a cryptography expert at the University of Bristol.

“It could make sense to have a form of key escrow where someone can break into communications – you could use it for buyers communicating on the London stock exchange,” he told the BBC.

“You might want them to be encrypted most of the time but you might want a regulator to be able to come in and decrypt.”

Listening in

However, Prof Smart points out that with Mikey-Sakke, it’s not clear where or how the protocol is being used.

It was up to GCHQ, he said, to make the scope of the protocol clear.

“If you don’t explain how you’re going to use it, what systems it’s going to be used in, what the scope and limit of the escrow facility is, then you’re going to get bad publicity,” he said.

A spokesman for GCHQ said: “We do not recognise the claims made in this script.

“The Mikey-Sakke protocol enables development of secure, scalable, enterprise grade products.”

Thinkstock
Image caption There is currently much argument over how governments should be able to access encrypted data

Crypto in disputes

Questions continue to be raised over government policy towards encryption, generally.

For instance, a petition to prevent the British government from banning strong encryption standards has received a response from the Home Office this week.

“The government is not seeking to ban or limit encryption,” the statement read.

“The government recognises the signal role that encryption plays in keeping people’s personal text and intellectual property safe online.”

Out of a target of 100,000, 11,000 people have so far signed the petition.

And, at the World Economic Forum in Davos, Switzerland, particular tech giants have raised the issue of whether governments should be allowed to gain access to secure communications on demand.

The Wall Street Journal reports Microsoft’s chief legal officer as saying: “You could be in a situation where you have to decide what law to break. It isn’t a comfortable place to be.”
