JISCMail - GP-UK Archives

Alan Hassey wrote
>
> I hate PS files.!!!

Andrzej Glowinski observed
>
> It is a de facto standard in the academic world. If you want to be
> part of this, there is little choice.


I make articles available in html where there is a demand - as with
the BMA Security Policy and the recent update to it - and where it is
feasible.  With the Euroclipper paper, it is not feasible, as there
are too many mathematical expressions in the text.

So here is a brief synopsis of what is wrong with Euroclipper. GCHQ
has not only specified it for securing interdepartmental email, but
they want it widely used in commerce, industry, the NHS - and indeed
in Europe. I am going to the OECD next month to try and persude them
that it would be disastrous to standardise on it. But I expect that
the government will keep on trying to use it regardless - I understand
that the incentives will include being able to file tax returns and
apply for government grants electronically. I expect that variants of
it will pop up in the encryption pilots we have been promised, so we
will have to reject them as unacceptable, unethical etc etc. Then Ray
Rogers will say that the BMA is being Luddite, etc etc. So here are
the facts:

(1) The design is extremely inefficient. Although public key
algorithms are used, with the resulting computational cost, the
functionality provided could be delivered much more cheaply using
secret key algorithms in a Kerberos-like protocol. In effect, the GCHQ
offering gives you the negative features of both public key and secret
key cryptography without the benefits of either.

(2) It won't scale. It might (just) sort of work in a universe of 25
government departments, each with 20,000 civil servamts under the
control of a single departmental security officer. It will not work in
a world of 12,000 separate healthcare provider organisations, most of
which have only a dozen or so staff, and almost all of whom are
responsible for controlling their own personnel.

(3) Keys are escrowed - but unlike in the American `Clipper' proposal,
where only the sender's version of the key was held (and held in two
pieces by two separate agencies), GCHQ proposes that both the sender's
and the receiver's key will be held (and in each case by his own
departmental security officer). This is just asking for abuse.

(4) GCHQ appears to propose setting up an infrastructure of escrowed
confidentiality keys first, and then using this to distribute
signature keys as required. This is an extremely bad idea, as the
departmental security officer will be able to get hold of the signing
keys of all the staff in that department. Incidentally, the crypto
custodians attached to the DSOs will be GCHQ personnel. This leads me
to ask whether that the real client for escrow is law enforcement - as
ministers claim - or the intelligence community.

Any policeman could tell you that while access to bank statements may
provide useful evidence, a system that enabled him to forge cheques
tracelessly would destroy whatever evidential value the statements
had. In the healthcare context, I do not think that any sane chief
constable would want his officers to be able to forge prescriptions.

(5) The keys issued to individuals are a deterministic function of
their names. So if your key is compromised, all your departmental
security officer can do is reissue you the same old compromised key.
To reestablish security you have to change your name. Also, the
frequent name changes of which government organisations seem so fond
will be even more expensive than at present.

(6) The compromise of the system's master keys would be disastrous,
and it appears impossible to do anything about this. Organisations
have often disregarded this risk, but shouldn't: I know of both banks
and satellite TV channels who had to reissue all their customer cards
after a master key compromise. Having to reissue keys to a million
health service workers would be both expensive and disruptive. Not
being able to rely on the signatures on the nation's electronic
medical records any more could have nasty consequences.

(7) The certificates that it is proposed to use have only a two digit
date field. The millenium bug will cause enough problems without
adding to them!

(8) The security labels on messages are sent in clear and there is
nothing to stop people changing them, for example, from `Top Secret'
to `Restricted - Management'.

This is by no means all. There are other problems I won't go into here
as they are a bit more technical.

However let me say that GCHQ's protocol is a disgraceful piece of
engineering; I would expect better from the average undergraduate
project. If this is their bext effort, then it is a matter of national
concern, as they are also responsible for the security of classified
defence and diplomatic traffic - and, one must assume, for the
cryptosecurity of our nuclear arsenal. If these systems are as bad,
then they are putting our soldiers' lives at risk, and quite possibly
our lives as well.

Ross


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%