How to mitigate impersonation cyber threats with identity-based crypto

How to mitigate impersonation cyber threats with identity-based crypto

MIKEY-SAKKE provides higher assurance for sensitive communications

Never heard of MIKEY-SAKKE? If not, you need to find out about it soon because it can help mitigate the threat from deepfake and AI-generated impersonation attacks. Our CTO, Dr. Andy Lilly, explains how.

The privacy of calls, messages and emails is an on-going challenge for government and enterprise organisations alike. The proliferation of remote working and mass-adoption collaboration platforms has completely changed the way that business is conducted in recent years. Add to this the rapidly growing threat from deepfake, and AI-generated impersonation-based attacks, and the need for protecting the digital identity at both ends of a communication becomes imperative. Despite the increasing threat levels  there are steps that organisations can take to provide higher levels of assurance for sensitive communications. Adopting products developed using the MIKEY-SAKKE standard and protocol for encryption and identity-based authentication means that you can mitigate the threat from impersonation-based attacks by being certain who you are communicating with.

Securing mobile communications – Confidentiality, Integrity, Authentication

When looking at securing mobile communications, be it voice, instant messaging, video or data, it is important for any solution to deliver three key outcomes. The first is confidentiality, i.e. ensuring no unauthorised person or machine can access the content of any data exchange. The second is integrity, ensuring that information, messages, attachments have not been tampered with. Third is authentication of identity, i.e. ensuring that the parties exchanging data – whether persons or machines – are doing so with the individual or the machine with which they believe they are exchanging data.

Sharing information securely with someone remotely is a more complex task than it at first appears.  Below we explain different techniques for using encryption keys to safely share data.

Traditional encryption – How encryption keys are managed 

Encryption of data passed between two parties requires an encryption key. However, the challenging part of a cryptographic protocol is deciding on a key to use for encrypting a particular set of data (for example, a voice call between two users). One method is called asymmetric cryptography, also known as public key cryptography: this uses the concept of a public and private key pair, encrypting the data with the public key, such that only the owner of the private key can decrypt it (thus also proving the recipient’s identity if they are the only holder of that private key). Each user’s application holds a private key within it which remains secret whilst their public key is made available to any other users who wish to encrypt a call or send a message to them.

However, there are disadvantages with typical implementations of public key cryptography in that it is cumbersome to scale in large organisations as public keys need to be distributed to all the users before encrypted communications can take place. To ease administration, organisations can use a central trusted server to store the public keys and users can then ‘look-up’ the public key of another user whenever needed. However, this requires the server to be always available 24×7 and fully secure, so no one can maliciously insert fraudulent keys.

Alternatives include one-time asymmetric encryption also known as ephemeral Diffie-Hellman. This method establishes a one-time key between two users; however, a disadvantage of this method is that it doesn’t prove the other user’s identity (so could be spoofed by a malicious hacker posing as the recipient, or acting as a man-in-the-middle between the two users) and is therefore reliant on another layer of complexity to prove authenticity of the end points.

MIKEY-SAKKE protocol – Secure multimedia communications

Secure communications are clearly needed across government and within regulated industries such as finance, telecoms, health, critical national infrastructure, defence and others. To this end MIKEY-SAKKE, an international standard RFC6509 defined by the IETF and expanded upon by the 3GPP for use in Mission Critical communications, has been adopted and is recommended by the UK’s National Cyber Security Centre (NCSC) for the development of products that enable secure, cross-platform multimedia communications.

The MIKEY-SAKKE protocol uses identity-based cryptography and is designed to enable secure, cross-platform communications by identifying and authenticating the end points. It is an efficient and effective protocol for building a wide range of secure multimedia services for government and enterprise organisations. As the capabilities of malicious actors embrace AI and deepfake technology, MIKEY-SAKKE is one reliable way to be sure that you know who you are communicating with.

Identity-based encryption and authentication

Identity-based encryption uses the publicly known identity of the communicating parties to determine the encryption keys to use. For example, a trusted domain management service provides a domain certificate giving any user within its system with the ability to take an input ‘identity’ and create a public key to encrypt data to the user with that unique ‘identity’. The identity could be a phone number, email address or other similar identifier. So the key to encrypt to the recipient doesn’t need to be pre-distributed to every possible contact, nor stored on a server; it can simply be generated “on the fly”, as needed.

Each user’s identity needs to be centrally verified, so that everyone in the system knows the identity is associated with a particular user. Using an existing unique identity (such as a mobile phone number) can provide a ready source for these identities. However, with a system such as Armour Mobile™, any unique identifier can be used, and the option to use something other than a mobile phone number can add an extra level of security. The recipient, provisioned with the private key for their unique identity, can then decrypt the calls and messages sent to their identity. As a result, anyone can securely communicate with any user in the domain without having to individually exchange any prior information between the users.

Scalable, flexible and complete control

Armour’s identity-based encryption solution Armour Mobile™ delivers the flexibility, convenience and security required for fast-paced communications from any location and any device. As secure registration is established using a single message, the Armour® identity-based encryption solution is highly scalable and flexible, while providing the higher assurance that only known and approved individuals can be enrolled into a secure communications community.

The Armour platform supports both real-time communications such as one-to-one and group conference calls (both voice and video), and deferred delivery such as instant messaging, group chats, documents and voicemail. It is designed to be centrally-managed, providing communications domain managers with full control of the security of the system while maintaining high availability.

With Armour Mobile, activation and revocation of users is handled centrally. Should a person change roles or leave the organisation or a device be lost, stolen or compromised, the data held on the device within the Armour ecosystem can be securely wiped remotely.

In addition, the Armour platform provides a wealth of other enterprise-grade features not provided by mass-adoption collaboration platforms, such as archive and audit capabilities to securely store and review communications at a later date (using processes compatible with higher assurance requirements). This capability enables organisations to comply with industry regulations and meet data privacy requirements, as well as public record and Freedom of Information requests.

A new approach

Securing modern methods of communication and collaboration requires a new approach. Various forms of public key infrastructure have attempted to provide usable and scalable, client-to-client security. However, these processes have often been cumbersome and the driving factor behind frustrated users adopting less than secure practices in order to ‘get their job done’, thus creating a weak link in the security chain.

Identity-based encryption avoids having to tie a user to a hard-to-remember-and-exchange public key, instead the user’s identity ‘becomes’ their public key. Armour Mobile provides a feature-rich, secure communications and collaboration platform that provides the higher assurance offered by products that use the MIKEY-SAKKE protocol, with a user-experience to match consumer-grade apps.

Security should not be seen as a hindrance but as a significant component of the overall culture of an organisation and as a business enabler that can allow innovation by supporting modern working practices.

For more information about MIKEY-SAKKE visit:  https://www.ncsc.gov.uk/articles/using-mikey-sakke-building-secure-multimedia-services   

  • How to mitigate impersonation cyber threats with identity-based crypto
  • How to mitigate impersonation cyber threats with identity-based crypto
  • How to mitigate impersonation cyber threats with identity-based crypto
  • How to mitigate impersonation cyber threats with identity-based crypto
  • How to mitigate impersonation cyber threats with identity-based crypto
  • How to mitigate impersonation cyber threats with identity-based crypto
  • How to mitigate impersonation cyber threats with identity-based crypto
  • How to mitigate impersonation cyber threats with identity-based crypto