What is Secure Chorus? GCHQ's new encrypted voice and video standard explained

As secure video and voice apps spread, interoperability is the new goal

It's not often that UK organisations have banded together to create a security standard with global significance but that is what appears to be happening with a new GCHQ-backed initiative called Secure Chorus, announced on 15 February 2016 at the Mobile World Congress (MWC).

The website outlining Secure Chorus is still pretty sparse when it comes to technical explanation so we thought we'd look a little deeper at what it is being proposed and what influence it might come to have on

What is Secure Chorus?

Secure Chorus is intended to provide a foundation of interoperable standards for the emerging business market for secure voice, video, conferencing, IM and file transfer applications. Secure Chorus refers to the common protocols that will be adopted and developed by a non-profit consortium of the same name.

What applications will be affected?

In short, voice, video and (usually) email and text messaging. In the consumer space the market is served to varying levels of security by WhatsApp, Facetime, Skype, Telegram and many others. Businesses want similar end-to-end security but more suited to the need to manage security centrally and without the sort of uncertainty and security weaknesses that afflict consumer apps. It's early days for the business market but a range of mainly startup firms has started developing the often complex communications platforms required.

Why is Secure Chorus needed?

Currently, the small number of vendors offering this kind of software to enterprises develop within their own proprietary islands, which in time will start to hurt the market with inconvenience and higher costs. Businesses also need interoperability, which stops them being trapped with one vendor's technology, especially if that firm is later acquired. Not all platforms support all security features and can't offer a basic level of security when connecting to one another.

Who is backing it?

The release mentions Armour Communications, BT, CESG (GCHQ's security evaluation wing), Cryptify, Cyber Y, Finmeccanica UK, Samsung, SQR Systems and Vodafone. The unusual aspect of this list is that with the exception of Samsung and Cryptify, all of these names are UK organisations, including two startups. CESG is a wing of GCHQ, which gives the initiative weight in the UK government sector and in all likelihood far beyond. Other members are expected to join.

Why so UK-oriented?

The UK currently seems to have plenty of encrypted communications expertise on hand. The Government is not alone in thinking that UK firms, including those in its supply chain, should start using security communications platforms and CESG is pushing that as a requirement. The UK was also a leader in the development of mobile voice and data standards such as 3G and 4G.

What standards are included in Secure Chorus?

We quote from the press release: "Secure Chorus is built upon Identity-based Public Key Cryptography (IDPKC) with MIKEY-SAKKE and ECCSI at its core (RFCs 6507 and 6509). These modern standards permit flexible and dynamic security associations to be made without the costs associated to public key infrastructure such as X.509 certificates and online certificate authorities. Instead, users' identifiers (such as their phone number) are used as their public keys."

According to the CESG, Secure Chorus will initially focus on secure voice communications before moving on to video at a later stage.

But Wasn't MIKEY-SAKKE accused of having a backdoor?

Not using that term but by University College London researcher Steven Murdoch, criticised the centralised key escrow feature of its encryption design as potentially allowing "mass surveillance." The term 'backdoor' was then thrown at MIKEY-SAKKE by some commentators without justification. But access to keys is part of all centralised key management server designs. For a host of reasons, large organisations always need to access encryption keys for the same reasons they need to access all data and emails sent and received by employees. CESG even points out in its MIKEY-SAKKE FAQ that the ability to decrypt communication is as necessary for government IT as it is for many commercial organisations.

MIKEY-SAKKE, then, does allow lawful intercept because that has always bene one of its central design criteria. This does not mean that a securely implemented platform using MIKEY-SAKKE allows Government surveillance of an organisation's communications.

Expert comment

"You can't achieve interoperability unless you have aa flexible way off managing the keys. MIKEY-SAKKE is very flexible that can't be done with traditional models because you end up with the vendor or telco controlling everything," points out Nithin Thomas of SQR Communications, one of the UK firms involved in Secure Chorus. His firm's platform is Ceerus, which sister title Techworld included in its recent survey of secure messaging applications.

"The next challenge is going to be making sure be build the community of service providers for months and years to come. We also need to add more functionality such as video."

GCHQ Secure Chorus explained - what will happen next?

Secure Chorus is not a crowd-pleasing standard that will deliver the goodies in weeks or months. This is a complex area of software and development will take time. All the parties seem committed so Secure Chorus won't go away. We expect it to take years.

Thomas's point about service providers is important because a growing number of organisations want to host their systems in the cloud but with Secure Chorus that still needs to be done in a way that the key management administration is maintained by the customer.

Secure Chorus also needs more members. Buy-in across the industry will be important and that will need to include US vendors in time if it is to have any chance of succeeding.

A more detailed explanation of Secure Chorus can be found on the CESG website.

Join the CSO newsletter!

Error: Please check your email address.

More about GCHQSamsungSkypeVodafone

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place