GCHQ – Develops Phone Security ‘Open to Surveillance’

A security researcher has said software developed by the UK intelligence agency GCHQ contains weaknesses making it possible to eavesdrop on phone calls. The security protocol is used to encrypt Voice Over Internet Protocol (Voip) calls.

University College London researcher Steven Murdoch described vulnerabilities in how such conversations were encrypted. GCHQ said it did not recognise the findings.

[su_note note_color=”#ffffcc” text_color=”#00000″]Brian Spector, CEO of MIRACL :

“The MIKEY-SAKKE protocol is actually a secure protocol and has a number of great advantages over traditional public/private key cryptography. The issue is, like all identity based encryption protocols, that the private key is generated by a Trusted Authority with one master key. This isn’t dissimilar to certificate authorities with their one single root key. Any bad actor can subvert the security of the system by having access to that key, either to re-issue an individual’s private key as in the case of MIKEY-SAKKE, or re-issue a legitimate certificate in the identity of a web server or individual, as in the case of certificate authorities.

The answer to this is blindingly obvious: Split the Trusted Authority with its one master key into Distributed Trust Authorities, each with a single ‘share’ of the entire master key. As an example, an enterprise customer could have a third, their telecom provider could have a third, and a trusted third party service provider could hold a third. Each party is responsible for issuing 1/3 of the private key to the endpoint or individual. But without all three parties colluding, there is no mathematical possibility of re-issuing the MIKEY-SAKKE private key, much less having a master key or equivalent root key compromise that has been commonplace among certificate authorities. By employing this Distributed Trust capability, identity based encryption protocols like MIKEY-SAKKE become much more secure, even more secure than PKI based security.

MIRACL is releasing a cryptographic platform for identity based encryption called the Distributed Datacenter Cryptosystem which employs the MIKEY-SAKKE protocol with Distributed Trust Authority architecture. Additionally, MIRACL, along with NTT, will be releasing an open source version of the cryptosystem via an Apache project called Apache Milagro (incubating).”[/su_note]

[su_box title=”About MIRACL” style=”noise” box_color=”#336588″]Multiprecision Integer and Rational Arithmetic C Library – the MIRACL Crypto SDK – is a C software library that is widely regarded by developers as the gold standard open source SDK for elliptic curve cryptography (ECC).[/su_box]