Hi
Alan Hassey and I thought we ought to tell the list about an attempted
attack on PGP encrypted traffic involving me, him and two other GPs.
About two weeks ago, Alan was about to send me a PGP key, and so when
I received a key containing a version of his email address I added it
to my keyring. I reckoned I would get a chance to certify it at the
Cambridge workshop.
Then on the 19th June, I received some encrypted email from Alan that
had also been copied to two other people. I replied, and since the key
was uncertified I did not include anything particularly sensitive -
the traffic was just about how certain things at the Cambridge
workshop should be presented.
That evening I got an email from Alan complaining that he had been
unable to decrypt my email. It turned out that the key I had received
from him had been generated `by persons unknown', as the police would
say. This attack is well enough known in theory, but it is the first
time I have encountered it in practice! I have had the relevant email
logs chased up, but they do not contain enough information to trace
the forger of the message.
So who did it?
It could have been a student prank, and given that we have hosted
people from the NSA and a number of other intelligence agencies at the
Isaac Newton Institute over the past six months, it could have been
any one of maybe half a dozen foreign countries whose spooks have had
logons. It could also have been J. Random Hacker with a packet sniffer
on the ethernet, or even somebody at demon.
But on applying the test of `Cui Bono?', I suspect that this may have
been an attempt by the UK intelligence community (or someone else
acting at the best of the NHS Executive, the DTI or some other
government body) - wishing to discredit my suggestion that PGP could be
used to protect clinical information.
If that was the case, it backfired. They got no sensitive material and
their attack was detected on the first day that I was induced to make
tentative use of the alien key. The detection was by Alan - a GP with
no security training.
The moral is that PGP does, as its name suggests, provide pretty good
privacy. By forcing user input to key management, it generates
awareness of what is going on. This keeps users inside the security
loop in a way that one might not find with the automated key
management systems being proposed by the NHSE.
Ross
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|