A protocol developed by the Communications-Electronics Security Group (CESG), the information security arm of the U.K.'s Government Communications Headquarters (GCHQ), for encrypting voice calls has a weakness built into it by design, according to Steven Murdoch, a researcher at University College London. He says the weakness in CESG's Multimedia Internet KEYing-Sakai-Kasahara Key Encryption protocol could enable mass surveillance.
The protocol's key escrow approach calls for a master decryption key to be held by a service provider. "The existence of a master private key that can decrypt all calls past and present without detection, on a computer permanently available, creates a huge security risk, and an irresistible target for attackers," Murdoch says.
He notes the approach also makes the data of users more vulnerable to legal action, such as secret court orders. "This is presented as a feature rather than bug, with the motivating case in the GCHQ documentation being to allow companies to listen to their employees' calls when investigating misconduct, such as in the financial industry," Murdoch points out.
The U.K. government has often expressed concern over how encryption could inhibit law enforcement and impact terrorism-related investigations, and Murdoch says the government only certifies voice encryption products that use the protocol.
From Network World
Abstracts Copyright © 2016 Information Inc., Bethesda, Maryland, USA