Thanks - that looks sensible from an obfuscation p.o.v.
I knew that NHSX were using a CDN of some sort but the problem would still exist in that you can observe sessions and make deductions as to the nature of the data.
But CLOUDFLARE? And Palantir as the backend store on a peppercorn rent (supposedly £1/year).
Can it get any worse????
D
-----Original Message-----
From: Jon Crowcroft <[log in to unmask]>
Sent: 08 June 2020 15:26
To: Lake, David (PG/R - Elec Electronic Eng) <[log in to unmask]>
Cc: [log in to unmask]
Subject: Re: COVID Tracker and Network Security
you might want to look at the canadian hybrid design where they run onion routing/cover traffic mixnets
https://mila.quebec/wp-content/uploads/2020/05/COVI-whitepaper-V1-1.pdf
the NHSX service is load balanced by cloudflare... ... ...
On Mon, Jun 8, 2020 at 3:16 PM David Lake <[log in to unmask]> wrote:
>
> Hello NGN folk
>
> Whilst I am far from being a “security” expert, I have some concerns over the assertion from PHE that privacy can be maintained with their centralised app irrespective of the security methods put in place to protect the payload.
>
> PHE’s validation of their statement appears to be that:
>
> a) the data is anonymised and
>
> b) the data is encrypted.
>
> The problem I have is in ensuring that anonymising the data (which I assume gives each instance of the app something like a UUID) is enough to ensure that under no circumstances can the data or the clinical outcome be associated with an individual.
>
> Yes, the DATA is anonymised, but the SESSION isn’t – the central server will see the source IP address of the last proxy/P-GW/aggregation point and therefore anyone able to decrypt the data will be able to associate the source IP with the clinical outcome (e.g. COVID +ve) as they see it incoming to the server. Anyone observing the session could deduce a COVID +ve result [1]
>
> Assuming a mobile connection, the P-GW will have a look-up between Tunnel ID (TEID) and the NAT mapping the internal private IP source address (the handset of the user) as a full session (SNAT and DNAT). P-GWs are typically mega-proxies so technically, this is PAT but still the tuple will be able to be associated with a session.
> The TEID can be de-referenced in the HSS to an IMSI.
> The IMSI identifies the user and is linked to the customer record (name, address, payment details, etc).
> The IMSI also enables triangulation of the user.
>
> IMSI is never passed in-the-clear over the air in order to protect privacy from RF snooping – attach of a handset uses a short-lived clear GUTI before IMSI registration takes place and the GUTI is not held in the HSS. Full attach is rare – most re-registrations re-use cached encryption certs unless you’ve attached to a new network. [1] However, LI allows all of this information to be made available.
>
> IP address allocation in the EPC is slow-moving – typically, users use the same handset IP address for long periods (usually you have to be de-registered for 1-2 weeks before you are allocated a new IP – this keeps control-plane traffic down).
>
> It appears therefore that with very little intervention it is possible to associate the data with the user. A malicious actor would need the ability to request data from the mobile operator but we know this is both technically and legally possible.
>
> I think the same holds true with home broadband.
>
> The source IP address is mapped to a DSLAM circuit. The circuit is associated with the customer record.
> The customer record identifies the property and bill payer.
>
> In some respects this is less granular than the mobile use case as this would not identify the individual (assuming that mobile = individual), but in other cases, whereas 4G triangulation is only accurate to about 1km, this would identify a property.
>
> Mechanisms exist to extract the information from the SP such as LI and I am sure that public health-care service would also be subject to the same kind of access requests.
>
> Is there anyone on this group with knowledge/interest in this problem space?
>
> Thank you
>
> David
>
> [1] It is true that as the data remains encrypted, it would only be possible to deduce a relationship between a +ve test and the individual, but my guess, given that we have potentially 65 million people who would be generating data, the sessions will be kept to those who have +ve tests. Therefore I think it is reasonable to assume that data between a handset and the central server is carrying indication of a +ve response.
>
> The same issue seems to be apparent in the DP-3T [2] proposals which discuss how the Ephemeral IDs are only “uploaded” to the “backend” by the user once she is given an authorization code from the GP. There is therefore a strong correlation that traffic between a user and the backend (detectable from the tuple) would be carrying indication of a +ve test.
>
> [2] https://github.com/DP-3T/
>
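The linkage chain David describes above (server source tuple -> P-GW NAT record -> TEID -> IMSI -> customer record), as an added worked example that is not part of the original thread. Every record below is constructed for illustration: documentation IP ranges, made-up TEIDs and IMSIs, and log layouts chosen for readability rather than copied from any real P-GW, HSS or server. The one detail worth showing in code is that a P-GW does PAT, so the public tuple alone is ambiguous and the match has to be scoped to the NAT entry's validity window; the fourth session reuses the first session's public port for a different handset.

```python
"""Added worked example: the linkage chain described in the thread.

All records below are constructed for illustration (documentation IP ranges,
made-up TEIDs/IMSIs); they are not from any real operator or server.
"""
from datetime import datetime, timezone


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2020-06-08T15:01:12Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# 1. What the central server sees: (timestamp, src_ip, src_port, bytes_in).
#    The payload is encrypted; only the session tuple and the size are visible.
SERVER_LOG = [
    ("2020-06-08T15:01:12Z", "203.0.113.7", 51002, 18432),
    ("2020-06-08T15:03:45Z", "203.0.113.7", 51319, 17950),
    ("2020-06-08T15:05:02Z", "198.51.100.20", 40011, 18101),
    ("2020-06-08T15:31:20Z", "203.0.113.7", 51002, 18300),  # same public tuple as session 1, later
    ("2020-06-08T15:40:00Z", "192.0.2.9", 44444, 18000),    # no NAT record held (e.g. other operator)
]

# 2. P-GW translation log (PAT): public tuple -> internal handset IP and bearer TEID,
#    valid only for a window, because public ports are reused across subscribers.
NAT_LOG = [
    # (public_ip, public_port, valid_from, valid_to, internal_ip, teid)
    ("203.0.113.7", 51002, "2020-06-08T15:01:10Z", "2020-06-08T15:01:40Z", "10.64.3.21", 0x1A2B),
    ("203.0.113.7", 51319, "2020-06-08T15:03:40Z", "2020-06-08T15:04:10Z", "10.64.9.4", 0x77C1),
    ("198.51.100.20", 40011, "2020-06-08T15:05:00Z", "2020-06-08T15:05:30Z", "10.71.0.8", 0x0F0F),
    ("203.0.113.7", 51002, "2020-06-08T15:31:15Z", "2020-06-08T15:31:45Z", "10.64.5.77", 0x2C2C),
]

# 3. HSS-side lookup: TEID -> IMSI, and the billing system: IMSI -> customer record.
TEID_TO_IMSI = {0x1A2B: "234150000000001", 0x77C1: "234150000000002",
                0x0F0F: "234150000000003", 0x2C2C: "234150000000004"}
CUSTOMERS = {"234150000000001": "Subscriber A", "234150000000002": "Subscriber B",
             "234150000000003": "Subscriber C", "234150000000004": "Subscriber D"}


def resolve_tuple(src_ip, src_port, when, nat_log):
    """Return (internal_ip, teid) for the NAT entry whose public tuple matches and whose
    validity window covers `when`, or None. Matching on the tuple alone would be wrong:
    port 51002 above belongs to two different handsets half an hour apart."""
    t = _ts(when)
    for pub_ip, pub_port, start, end, internal_ip, teid in nat_log:
        if (pub_ip, pub_port) == (src_ip, src_port) and _ts(start) <= t <= _ts(end):
            return internal_ip, teid
    return None


def deanonymise(server_log, nat_log, teid_to_imsi, customers):
    """Walk server tuple -> NAT record -> TEID -> IMSI -> customer for every session.
    Returns (timestamp, src_ip, src_port, customer); customer is None where the chain breaks.
    Note that no step needs the payload decrypted."""
    out = []
    for when, src_ip, src_port, _nbytes in server_log:
        hit = resolve_tuple(src_ip, src_port, when, nat_log)
        customer = None
        if hit is not None:
            _internal_ip, teid = hit
            customer = customers.get(teid_to_imsi.get(teid))
        out.append((when, src_ip, src_port, customer))
    return out


def flagged_subscribers(server_log, nat_log, teid_to_imsi, customers):
    """Under the thread's assumption [1] (only +ve cases contact the upload endpoint),
    every resolved session is read as a positive result for that subscriber."""
    rows = deanonymise(server_log, nat_log, teid_to_imsi, customers)
    return sorted({c for *_, c in rows if c})


if __name__ == "__main__":
    for row in deanonymise(SERVER_LOG, NAT_LOG, TEID_TO_IMSI, CUSTOMERS):
        print(row)
    print("inferred +ve:", flagged_subscribers(SERVER_LOG, NAT_LOG, TEID_TO_IMSI, CUSTOMERS))
```

Two things the walk-through makes concrete. The only steps that need operator cooperation (or LI) are the NAT and HSS lookups; the server-side tuple is available to whoever runs or can observe the service, CDN included. And the inference in `flagged_subscribers` rests entirely on assumption [1], that sessions to the endpoint are rare and mean a +ve upload; cover traffic of the kind Jon points at attacks that assumption rather than the lookup chain, since the chain still resolves every session but resolving it then tells the observer nothing.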
########################################################################
To unsubscribe from the NGN list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=NGN&A=1
This message was issued to members of www.jiscmail.ac.uk/NGN, a mailing list hosted by www.jiscmail.ac.uk, terms & conditions are available at https://www.jiscmail.ac.uk/policyandsecurity/