Alan Hassey wrote > > I hate PS files.!!! Andrzej Glowinski observed > > It is a de facto standard in the academic world. If you want to be > part of this, there is little choice. I make articles available in html where there is a demand - as with the BMA Security Policy and the recent update to it - and where it is feasible. With the Euroclipper paper, it is not feasible, as there are too many mathematical expressions in the text. So here is a brief synopsis of what is wrong with Euroclipper. GCHQ has not only specified it for securing interdepartmental email, but they want it widely used in commerce, industry, the NHS - and indeed in Europe. I am going to the OECD next month to try and persude them that it would be disastrous to standardise on it. But I expect that the government will keep on trying to use it regardless - I understand that the incentives will include being able to file tax returns and apply for government grants electronically. I expect that variants of it will pop up in the encryption pilots we have been promised, so we will have to reject them as unacceptable, unethical etc etc. Then Ray Rogers will say that the BMA is being Luddite, etc etc. So here are the facts: (1) The design is extremely inefficient. Although public key algorithms are used, with the resulting computational cost, the functionality provided could be delivered much more cheaply using secret key algorithms in a Kerberos-like protocol. In effect, the GCHQ offering gives you the negative features of both public key and secret key cryptography without the benefits of either. (2) It won't scale. It might (just) sort of work in a universe of 25 government departments, each with 20,000 civil servamts under the control of a single departmental security officer. It will not work in a world of 12,000 separate healthcare provider organisations, most of which have only a dozen or so staff, and almost all of whom are responsible for controlling their own personnel. (3) Keys are escrowed - but unlike in the American `Clipper' proposal, where only the sender's version of the key was held (and held in two pieces by two separate agencies), GCHQ proposes that both the sender's and the receiver's key will be held (and in each case by his own departmental security officer). This is just asking for abuse. (4) GCHQ appears to propose setting up an infrastructure of escrowed confidentiality keys first, and then using this to distribute signature keys as required. This is an extremely bad idea, as the departmental security officer will be able to get hold of the signing keys of all the staff in that department. Incidentally, the crypto custodians attached to the DSOs will be GCHQ personnel. This leads me to ask whether that the real client for escrow is law enforcement - as ministers claim - or the intelligence community. Any policeman could tell you that while access to bank statements may provide useful evidence, a system that enabled him to forge cheques tracelessly would destroy whatever evidential value the statements had. In the healthcare context, I do not think that any sane chief constable would want his officers to be able to forge prescriptions. (5) The keys issued to individuals are a deterministic function of their names. So if your key is compromised, all your departmental security officer can do is reissue you the same old compromised key. To reestablish security you have to change your name. Also, the frequent name changes of which government organisations seem so fond will be even more expensive than at present. (6) The compromise of the system's master keys would be disastrous, and it appears impossible to do anything about this. Organisations have often disregarded this risk, but shouldn't: I know of both banks and satellite TV channels who had to reissue all their customer cards after a master key compromise. Having to reissue keys to a million health service workers would be both expensive and disruptive. Not being able to rely on the signatures on the nation's electronic medical records any more could have nasty consequences. (7) The certificates that it is proposed to use have only a two digit date field. The millenium bug will cause enough problems without adding to them! (8) The security labels on messages are sent in clear and there is nothing to stop people changing them, for example, from `Top Secret' to `Restricted - Management'. This is by no means all. There are other problems I won't go into here as they are a bit more technical. However let me say that GCHQ's protocol is a disgraceful piece of engineering; I would expect better from the average undergraduate project. If this is their bext effort, then it is a matter of national concern, as they are also responsible for the security of classified defence and diplomatic traffic - and, one must assume, for the cryptosecurity of our nuclear arsenal. If these systems are as bad, then they are putting our soldiers' lives at risk, and quite possibly our lives as well. Ross %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%