Rogers and Alcatel-Lucent Proposed an Encryption Backdoor for Police
The system would encrypt messages use a pre-defined random number that only a select few would know.
As telecom companies prepare for the day when phone calls are counted in megabytes and not minutes, yet another contentious encryption debate is looming: how to secure subscribers' voice conversations, while balancing law enforcement's need to eavesdrop when needed.
For Canadian telecom company Rogers and equipment maker Alcatel-Lucent (now Nokia), one option was a so-called backdoor, a secret key of sorts that could decrypt otherwise secure communications, and that theoretically only law enforcement could use.
In 2012, the two companies came up with a lawful interception proposal for a next-generation voice encryption protocol, known as MIKEY-IBAKE. The protocol was designed to protect conversations end-to-end—that is, no one sitting in the middle of a call's network connection could eavesdrop on what was being said.
Unless you were law enforcement, that is. For them, there was an exception, a backdoor. But there's a problem with this scenario: a backdoor for law enforcement has the potential to be exploited by others, which is why, amongst security professionals, backdoors are so vehemently opposed.
"In the US, this has been the debate. Are we going to backdoor communications? We simply haven't had that debate here," said Christopher Parsons, a post-doctoral researcher at the Citizen Lab, which belongs to the University of Toronto's Munk School for Global Affairs. "It seems as though we have carriers and vendors who are looking for ways to subvert that without bothering to deal with the politicians."
The documents detailing the Rogers and Alcatel-Lucent proposal are related to documents analyzed last month by Steven Murdoch, a Royal Society University Research Fellow in the Information Security Research Group of University College London. Murdoch's analysis described an encryption protocol related to MIKEY-IBAKE that had been modified—backdoored—by the UK intelligence agency GCHQ.
On the one hand, telecom providers have no choice but to opt for stronger encryption (and, to be clear, this is a good thing). At present, "land-line calls are almost entirely unencrypted, and cellphone calls are also unencrypted except for the radio link between the handset and the phone network," wrote Murdoch, in his recent analysis of GCHQ's backdoored cellular encryption scheme.
On the other, more widespread use of encryption has drawn the ire of law enforcement. The FBI famously described Apple and Google's efforts to increase user data protections as making evidence go "dark." And because various jurisdictions—including Canada and the US—include wiretap provisions as a condition of having access to wireless spectrum, employing protections that also stymie law enforcement isn't so cut and dry.
"These lawful intercept requirements are harming security," Murdoch said in an interview. "They're preventing the deployment of security in order to facilitate surveillance, and that's not really a debate that's been discussed."
The Rogers and Alcatel-Lucent proposal was introduced during a meeting of the 3rd Generation Partnership Project's lawful interception working group in 2012. The 3GPP is an organization that develops standards that dictate how much of the world's cellular infrastructure works, including 4G and LTE (draft documents of the proposal are available on its website, but the final proposal is not).
At that meeting, which was held in Barcelona, Rogers and Alcatel-Lucent proposed an approach to encryption where, instead of protecting communications using a random number generator the system would use a pre-defined "pseudo-random number generator," or a secret number, that only a telecom provider or network operator would know.
Because all messages would be encrypted using this pre-determined number, anyone that discovered the number could decrypt any message they wanted.
"We're talking about fundamental aspects of how law enforcement interacts with our communications, that the extent to which we can trust the security provided to us by telecommunications providers"
The proposal was described by Parsons and fellow Citizen Lab researcher Andrew Hilts last year, in a report for the the Telecom Transparency Project (Parsons is its founder), but received little notice at the time.
"The Rogers/Alcatel-Lucent solution would let a [telecom service provider] either decrypt traffic in real time or retroactively decrypt traffic that had been encrypted using the [pseudo-random number generator]," the pair wrote in their 2015 report on the telecommunications surveillance. "As such, their proposal would effectively undermine the core security design decisions that were 'baked' into MIKEY-IBAKE."
"This should be a public discussion. This shouldn't be something that's buried away in a pretty cloistered standards environment," said Parsons, who called the proposal "worrying." Canadian Parliament has yet to engage in the sort of encryption debate currently taking place in the US.
"We're talking about fundamental aspects of how law enforcement interacts with our communications, that the extent to which we can trust the security provided to us by telecommunications providers," Parsons continued. "And this all comes after Canada has passed numerous legislature that deals with security and surveillance, none of which, to my mind, explicitly clarify whether or not this kind of decryption on the fly would be required."
The encryption protocol proposed by Rogers and Alcatel-Lucent was actually previously rejected by the UK government's spy agency agency GCHQ for being too difficult to eavesdrop on. Instead, GCHQ proposed an alternate standard, MIKEY-SAKKE, which can be more readily intercepted. The UK government has been promoting adoption of the standard in both government and commercial products.
MIKEY-IBAKE, meanwhile, does not appear to have been implemented. Leonard Pesheck, a spokesperson for Nokia (which recently purchased Alcatel-Lucent), wrote in an email that "the MIKEY-IBAKE proposal we submitted to 3GPP SAE for standardization was not accepted and we therefore did not pursue product plans."
Rogers spokesperson Jennifer Kett also confirmed the company brought forward the MIKEY-IBAKE proposal, but "ultimately that proposal was not adopted."
"As you can appreciate, in order to best protect our customers and as a condition of our licenses, we don't publicly disclose our security practices," Kett wrote in an email.
If those practices include backdoors, however, it's only a matter of time before others disclose them first.