What standards are included in Secure Chorus?
We quote from the press release: "Secure Chorus is built upon Identity-based Public Key Cryptography (IDPKC) with MIKEY-SAKKE and ECCSI at its core (RFCs 6507 and 6509). These modern standards permit flexible and dynamic security associations to be made without the costs associated to public key infrastructure such as X.509 certificates and online certificate authorities. Instead, users' identifiers (such as their phone number) are used as their public keys."
According to the CESG, Secure Chorus will initially focus on secure voice communications before moving on to video at a later stage.
But wasn't MIKEY-SAKKE accused of having a backdoor?
Not using that term, but University College London researcher Steven Murdoch criticised the centralised key escrow feature of its encryption design as potentially allowing "mass surveillance." The term 'backdoor' was then thrown at MIKEY-SAKKE by some commentators without justification. But access to keys is part of all centralised key management server designs. Large organisations always need to access encryption keys, for the same host of reasons they need to access all data and emails sent and received by employees. CESG even points out in its MIKEY-SAKKE FAQ that the ability to decrypt communication is as necessary for government IT as it is for many commercial organisations.
MIKEY-SAKKE, then, does allow lawful intercept because that has always been one of its central design criteria. This does not mean that a securely implemented platform using MIKEY-SAKKE allows Government surveillance of an organisation's communications.
"You can't achieve interoperability unless you have a flexible way of managing the keys. MIKEY-SAKKE is very flexible; that can't be done with traditional models because you end up with the vendor or telco controlling everything," points out Nithin Thomas of SQR Communications, one of the UK firms involved in Secure Chorus. His firm's platform is Ceerus, which sister title Techworld included in its recent survey of secure messaging applications.
"The next challenge is going to be making sure we build the community of service providers for months and years to come. We also need to add more functionality such as video."
GCHQ Secure Chorus explained - what will happen next?
Secure Chorus is not a crowd-pleasing standard that will deliver the goodies in weeks or months. This is a complex area of software and development will take time. All the parties seem committed so Secure Chorus won't go away. We expect it to take years.
Thomas's point about service providers is important because a growing number of organisations want to host their systems in the cloud, but with Secure Chorus that still needs to be done in such a way that the key management administration is maintained by the customer.