Understanding MIKEY-SAKKE
MIKEY-SAKKE serves as a protocol aimed at government agencies and related organizations, facilitating secure multimedia communications across various platforms.
Advantages of MIKEY-SAKKE
MIKEY-SAKKE is notably scalable, requiring no initial user setup or distribution of certificates. Its flexibility accommodates real-time communications such as voice calls, conference calls, and deferred communications like messaging and voicemail. Furthermore, it is designed to be centrally managed, allowing a domain manager full oversight of security processes while ensuring high availability as calls can occur without relying on a centralized architecture.
Purpose of MIKEY-SAKKE
MIKEY-SAKKE is tailored for deployment within enterprise contexts, especially governmental environments. Like enterprise solutions such as BlackBerry’s Enterprise Server and Microsoft’s Active Directory, it requires centralized management via a ‘Key Management Server’ (KMS). Once set up, it provides secure communication for members of government departments or organizations by supplying them with the necessary key material. It is crucial that the enterprise manages the security of the system entirely through the KMS.
Origin of MIKEY-SAKKE
The necessity for MIKEY-SAKKE arose from the recognition by NCSC of a UK government requirement for secure means of communication. An open protocol was established to enable companies to develop compatible solutions that meet governmental needs while fostering functional competition.
NCSC’s Definition of MIKEY-SAKKE
The NCSC defined MIKEY-SAKKE using an identity-based cryptographic framework introduced by the Japanese researchers Sakai and Kasahara in 2003. It took the established Sakai-Kasahara (SK) scheme for identity-based public key cryptography (IDPKC) and used the Elliptic Curve Digital Signature Algorithm (ECDSA) for authentication, with minor adjustments for better integration with the Sakai-Kasahara protocol. These protocols were merged into the MIKEY framework to provide secure VoIP functionality.
Does NCSC Develop MIKEY-SAKKE Solutions?
No, NCSC does not develop solutions based on MIKEY-SAKKE. Instead, the industry creates independent implementations adhering to this open standard.
Intended Users of MIKEY-SAKKE
MIKEY-SAKKE was principally designed for governmental secure communications. It is applicable in situations where civil servants discuss sensitive governmental matters, covering a broad spectrum of applications including public safety. Consequently, employers may need the ability to audit secure communications through a managed and logged system, which is crucial for upholding accountability within government. For instance, in cases where a police officer’s conduct is examined, the police force must have the exclusive capability to decrypt the officer’s communications.
Potential MIKEY-SAKKE Users
In addition to governmental bodies, security-conscious enterprises from various sectors, such as finance, legal, and healthcare, have expressed interest in MIKEY-SAKKE due to its robust security features.
Security of MIKEY-SAKKE
MIKEY-SAKKE is deemed secure when appropriately implemented. The NCSC assures that a properly configured system can guard against communication breaches, even from highly skilled adversaries. This is why NCSC employs it and advocates for its broader adoption among UK government entities. Nonetheless, if the KMS is compromised, the integrity of all user communications it manages will be at risk. This is a common concern across all centralized systems, such as Microsoft’s Active Directory and BlackBerry’s Enterprise Server. Therefore, it is essential that the KMS is under the control of the system owner who oversees the protected communications, and that it is deployed in a way that mitigates the risk of KMS compromise.
Deploying MIKEY-SAKKE in Standard Scenarios
To avoid vulnerabilities associated with the KMS, it is advisable to deploy the KMS in a way that minimizes the risk of access by attackers. The simplest strategy is to operate the KMS in ‘offline mode,’ where it resides on a laptop that remains disconnected from any network and is secured in a designated location. Encrypted user keys can then be transferred from the offline KMS to clients (e.g., via DVD uploads to a distribution server). With this approach, the KMS is safeguarded against cyber threats because attackers cannot transmit data to it.
Deploying MIKEY-SAKKE in Larger Contexts
For more extensive deployments, it is advisable to use a Hardware Security Module (HSM) for the KMS, placed behind a security diode. The diode permits only specified data to flow out of the KMS and blocks all inbound data. To further enhance KMS security, key material can be distributed across multiple servers, so that a successful attack requires multiple compromises. Importantly, the KMS is the only component that the system owner manages itself; communications between clients can be securely carried over external VoIP services offered by ISPs or mobile network operators.
Support for Audit and Lawful Interception in MIKEY-SAKKE
Yes, audit and lawful interception capabilities are built into MIKEY-SAKKE, subject to departmental or organizational approval. This feature is imperative for governmental use. To perform an audit of encrypted communications, an organization can export a user-specific and time-limited key from the KMS. This key facilitates decrypting communications for that particular user over a specific timeframe (e.g., monthly), with the KMS logging the process for accountability.
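Why an exported audit key reaches only one user and one period, as an added example (not NCSC or vendor code): under the default identifier scheme in RFC 6509, each key is bound to an identifier built from the month and the user's URI. The `export_audit_key` and `sessions_in_scope` helpers, the log format and the sample sessions are hypothetical, and the code models scope only, without performing any cryptography.

```python
# Added example: models the scope of an audit key; it performs no cryptography.
# Identifier layout assumed from RFC 6509 section 3.2: "YYYY-MM" NUL URI NUL.
from datetime import datetime, timezone

def monthly_identifier(uri: str, when: datetime) -> bytes:
    """Identifier a user's key is bound to for the month containing `when`."""
    stamp = when.astimezone(timezone.utc).strftime("%Y-%m")  # UTC is an assumption
    return stamp.encode("ascii") + b"\x00" + uri.encode("ascii") + b"\x00"

def export_audit_key(kms_log: list, uri: str, year: int, month: int, approver: str) -> bytes:
    """Hypothetical KMS export step: log the approval, return the key's identifier."""
    ident = monthly_identifier(uri, datetime(year, month, 1, tzinfo=timezone.utc))
    kms_log.append({"action": "audit-export", "identifier": ident, "approved_by": approver})
    return ident

def sessions_in_scope(exported_ident: bytes, sessions: list) -> list:
    """Sessions whose key was protected under exactly the exported identifier."""
    return [s["id"] for s in sessions
            if monthly_identifier(s["protected_for"], s["start"]) == exported_ident]

def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, 12, 0, tzinfo=timezone.utc)

# Constructed sample sessions (URIs and dates are illustrative only).
SESSIONS = [
    {"id": "s1", "protected_for": "tel:+447700900123", "start": utc(2011, 2, 3)},
    {"id": "s2", "protected_for": "tel:+447700900123", "start": utc(2011, 2, 27)},
    {"id": "s3", "protected_for": "tel:+447700900123", "start": utc(2011, 3, 1)},
    {"id": "s4", "protected_for": "tel:+447700900456", "start": utc(2011, 2, 3)},
]

def demo():
    log = []
    ident = export_audit_key(log, "tel:+447700900123", 2011, 2, "system-owner")
    return ident, sessions_in_scope(ident, SESSIONS), log

if __name__ == "__main__":
    ident, in_scope, log = demo()
    print(ident, in_scope, len(log))
```

The same user's March session and the other user's February session fall outside the export, so each further user or month requires a separate, separately logged export.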
Does the Audit Function Enable Mass Surveillance?
No, as commercial KMSs typically only provide time-limited keys for single users. The system owner has authority over their KMS and can thus regulate the audit functionality. Audit is not feasible without the system owner’s cooperation. If a pertinent warrant is issued for lawful interception requests (e.g., for insider trading investigations), the organization has the discretion to determine whether to issue the user-specific and time-limited key needed for such inquiries.
Is the Audit Feature a Backdoor?
No. Requesting a login password is not considered a ‘backdoor’ into your device. The audit mechanism is merely an available feature for the system owner, which may be activated or deactivated according to organizational policies. If the organization does not see the need for it, the system owner has the option to withhold the user key material. Thus, no one except authorized individuals can decrypt organizational communications, ensuring that no ‘backdoor’ exists.
Are Keys Escrowed to GCHQ?
No, there is no key escrow to GCHQ.
Should Organizations Use MIKEY-SAKKE Without Trust in KMS Management?
No. It is essential that the KMS is managed by a trustworthy entity, as it oversees your keys and the security of your communications.
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/mikey-sakke-frequently-asked-questions