Messaging apps currently allow users to text message, voice call, video call and send images, videos and audio. However, these apps are evolving and becoming platforms that offer many more services such as ecommerce, fintech applications and connection to IoT devices. The emerging use of messaging apps for delivering enterprise services has created an increased requirement for strong data security, while introducing multi-stakeholder use-cases that can only be resolved by achieving interoperability between different messaging apps.
If we take the example of global organisations, regional offices in different countries are likely to use different brands of messaging app. Interoperability between these brands would allow the organisation’s internal communication to be simplified. More importantly, organisations would be able to communicate more efficiently with their business ecosystem of clients, suppliers, advisors and other parties.
Recent changes in regulation mean that security requirements must be addressed alongside messaging app interoperability. The EU General Data Protection Regulation (GDPR) means an organisation’s data security perimeter has expanded to cover wherever data may be processed. Data processing, in many cases, happens both inside and outside of an organisation due to remote workforces, outsourcing of services, or simply as a result of day-to-day business communication with external parties. The adoption of a universal interoperability standard (that mandates an approach to security solving the requirements of the GDPR) would substantially simplify data protection beyond the security perimeter of an organisation.
More choice, different business models
A widely adopted standard would also stimulate competition among messaging app vendors and may bring new opportunities for them in terms of product innovation. For enterprise users, this would mean more choice and new features.
The most common current business model of free messaging apps is to generate returns via data analytics. The adoption of a universal interoperability standard would likely require free messaging app vendors to rethink their business models. Laws and regulations have an impact on the ability to perform data analytics, as they dictate whether, how and under what circumstances messaging apps can transfer, process and/or receive certain data, including data shared between countries or regions, as well as data shared among a vendor’s portfolio of products and services.
In technical terms, interoperability could be underpinned by a universal messaging protocol. However, this only forms part of the picture. Enterprise users will require messaging apps that offer security and interoperability by design.
Phone-call hacking is a risk frequently overlooked. With the threat of faked caller ID and unauthorised network access, enterprise users can’t guarantee the identity of incoming calls, or be sure outgoing calls reach their intended recipients. Neither can they be certain that third parties accessing the enterprise networks are who they say they are.
This approach, therefore, will do away with the need to rely on commercial mobile network security, which may not be sufficient for sensitive data.
An open standard approach
Another approach is for developers to adopt a universal cryptographic protocol for messaging apps. This would require apps to be built with end-to-end encryption, with the result that enterprise users would no longer need to worry about networks providing sufficient security. It would then be possible to develop universal interoperability standards for all messaging apps containing the same cryptographic protocol.
However, when considering a universal cryptographic protocol, there are additional considerations. The protocol to be chosen at global scale would need to have specific technical characteristics that ensure enterprise users can benefit from interoperable messaging apps without having to allow third parties access to their security perimeter (such as providing private keys or giving access to essential infrastructure). Such a protocol would need to ensure that when third-party users outside of the enterprise’s own environment are allowed, only communications from fully identified third-parties are accepted and presented to users. The protocol would also need to enable the enterprise to have control over what type of data processing can, or cannot, occur between two organisations via an interoperable messaging app.
Secure Chorus has brought together a group of like-minded cybersecurity organisations. It is a non-for-profit membership organisation, serving as a platform for multi-stakeholder co-operation in the field of cybersecurity. Following two years of collaborative work, we have recently announced the completion of our first set of interoperability standards for encrypted voice calls that will be adopted by several developers of messaging apps.
Secure Chorus has achieved this through a strategy of UK government-industry collaboration, with industry members developing a number of messaging apps that use the same open cryptography standard: MIKEY-SAKKE. Its use has allowed industry co-operation on the development of interoperability standards for these messaging apps.
When it comes to open cryptography standards, one of the key benefits is that they have been formulated after much consideration by many different experts and can be better trusted than proprietary products that can’t be audited outside the company that has developed it.
2012 saw the UK government’s National Technical Authority for Information and Assurance – now the National Cyber Security Centre – define MIKEY-SAKKE as a protocol to answer the security requirements of the government for an identity-validating cryptographic method in official communications. This protocol was based on an existing standard for elliptic curve signatures – the Elliptic Curve Digital Signature Algorithm – and an identity-based cryptographic protocol developed by Japanese researchers Ryuichi Sakai and Masao Kasahara. MIKEY-SAKKE was made an open standard by the Internet Engineering Task Force, an organisation that develops and promotes voluntary internet standards.
MIKEY-SAKKE comes with a unique key management approach – Identity-Based Public Key Cryptography. Techniques pioneered in the protocol were designed to minimise the traffic overhead needed to exchange keys and to establish a secure data transfer between users, while largely removing the need for a public key infrastructure. Beyond its efficiency, it also has the advantage of helping to minimise infrastructure cost.
MIKEY-SAKKE is configured so that each user is attached to a Key Management Server (KMS) that distributes key information to the users it manages on a regular (typically monthly) basis. The existence of this KMS means that organisations have control over their own security system, without giving unauthorised third parties access to their data. It can also be managed entirely by an organisation’s IT team and can be kept offline for maximal security. This means that organisations keep control over their security system, while only those explicitly authorised by an organisation can access that organisation’s data. Any participant in a communication session can validate the origin of messages by validating the signature against the public key material of the KMS controlling that system, enabling secure communication between users controlled by different KMSs and beyond an organisation’s boundaries.
The completion of this first set of interoperability standards for encrypted voice calls specifically aimed at enterprise users sets the stage for the development of a universal interoperability standard for developers of messaging apps who see the benefit of adopting MIKEY-SAKKE open cryptography standards.
The inclusion of MIKEY-SAKKE brings with it other benefits for messaging apps developed according to Secure Chorus’s interoperability standards. They are highly scalable, requiring no prior set-up between users or distribution of
user certificates.
The Secure Chorus multi-year technology roadmap includes further development of interoperability standards for instant messaging, group calls, video calls, document sharing and many others to meet enterprise user requirements.