Identity-based public key cryptography
Peter Fairbrother
peter.fairbrother at ntlworld.com
Mon, 24 Dec 2001 03:39:55 +0000
Merry Christmas, everyone!
Leaving aside my concerns about the cryptographic security of the IB-PKC, I
still have grave reservations about its suitability for use by the NHS.
Agreed that written medical records are not usually treated with security
foremost in mind, but obtaining the written records of a selected patient
would not usually be easy, or even possible, without a Court Order.
Computerised records, without remote access, in a Doctor's office, require
no more than simple encryption to protect them against burglary or local
compromise. The Doctor or Practice could locally escrow the keys to preserve
authorised access following e.g. the death or disability of the Doctor.
In-transit records require more protection, but there are no real
difficulties in providing this with traditional, non-escrowed systems. A
telephone book of medical practitioners' keys could easily be compiled, and a
key authentication and revocation service established. It would even be
straightforward to disallow transfers unless allowed by that service,
without involving key escrow. It could also be searched online on an
identity basis, and made user-transparent, if required.
If introduced the IB-PKC system would escrow these communications, and
potentially open them to compromise by the CA. I can see no valid reason to
centrally escrow only transfers. There may be reasons to escrow the whole
system of records, but that is a different matter.
The use of IB-PKC for transfers would allow access to plaintext by the CA,
and the minimal benefits of IB-PKC in this case (actually I can't think of
any benefits - ease of use doesn't apply, nor does being able to send to
those who haven't set up a decryption key) do not even begin to outweigh
its other problems, e.g. key revocation is impossible, no sender
authentication, poor recipient authentication, single point of attack and
lack of signatures. And spoofing Doctors to send records, which can be
decrypted, of selected patients.
A much larger question arises regarding access to the Practice's records (or
a larger centralised record base) without the individual and immediate
knowledge, control and consent of the Doctors involved. If those keys are
held by Doctors (or the Practice) then accesses can be monitored and
controlled by the Doctors involved. I trust most Doctors, but I don't trust
some, and I wouldn't consult them or trust them to keep my records
confidential.
If the whole system is computerised, and the system opened to outside access
and compromised e.g. by "key escrow", it becomes a matter of a few moments'
work to obtain the records of a specific patient.
To obtain a list of HIV+ patients, or those previously treated by Prison
Doctors, or those treated by Psychiatrists who specialise in paedophilia, or
even old ladies living alone, with private Doctors, ripe for robbery or
unneeded roof repairs, would also be simple, whereas it would be nearly
impossible under the present system.
This is a qualitative difference in availability.
If a (reverse) IB-PKC system (or any other escrowed system) is introduced
for this purpose (for authentication of unsupervised requests, and yes, it
can easily be done) then no records will be safe against compromise by the
CA, or its cronies, or its attackers.
And I still don't think IB-PKC is safe against lxTHe HaXXors. And especially
big ones.
A much better way of commissioning cryptosystems is to define your access
permissions, threat model and other requirements first, then design the
protocols and algorithms. Anything else, especially adopting the newest,
"coolest" system, or giving access control to an administrator or escrow
agency, is likely to result in disaster. In any hierarchical situation the
people at the bottom should physically control who above them has access to
their data, not the people above.*
I am also an advocate of publishing both the access permissions, threat model,
protocols and algorithms well in advance of implementation, so they can be
criticised, but this is probably against NHS policy. Even NSA, GCHQ and CESG
have all made simple mistakes before now.
-- (A Merry) Peter Fairbrother
* email me if you want to know why.
> M J D Brown wrote:
>
> I think that we may be collectively misinterpreting the semantics of Public
> Key in this context. I have just returned from the IMA Cryptography and
> Coding Conference at Cirencester at which Clifford Cocks gave a lucid talk on
> this topic. Its intended application would appear to fit best in an
> environment where there is an organisational structure linking the various
> participants and the CA represents some level of command. I do not think that
> it addresses the Joe Soap Public environment where nobody, rightly,
> acknowledges fealty towards a higher authority.
>
> It is a debatable question, however, into which category an NHS application
> belongs. Whilst it is true that individual medical practitioners enjoy a
> professional independence, I would argue that they are no more than trustees
> of their portions of the overall database. As a user of the NHS I would not
> like to think that my records were no safer in their integrity than the
> dubious reliability of a typical office PC installation with its customary
> cavalier approach to taking daily off-site backups. Candidly, having seen the
> way in which paper records are typically handled in GP offices, I am not over
> bothered by the confidentiality aspect of their computer storage.
>
> [other good technical discussion points omitted]
>
> Mike.
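Added example (not part of the message above or of the quoted reply): a toy
Python implementation of the Cocks identity-based scheme that Clifford Cocks
presented at Cirencester, written to make concrete the escrow point Peter
raises. The identity string, the sample record and the small Mersenne-prime
parameters are constructed for the demonstration and are not from the thread;
the scheme's arithmetic (a hashed to a residue with Jacobi symbol 1, the PKG
key r = a^((n+5-p-q)/8) mod n, per-bit ciphertexts t + a/t and t - a/t) is
Cocks' as published. Note that encrypting needs only the public n and the
recipient's identity, so there is no sender key and nothing for the recipient
to authenticate, and that the PKG re-derives any private key from the identity
alone. Requires Python 3.8 or later for pow(x, -1, n).

```python
"""Toy Cocks identity-based encryption (Cocks, IMA C&C 2001), written to show
the escrow property: whoever holds the master secret can derive any user's
private key and read any ciphertext addressed to them.  Demo parameters only."""
import hashlib
import secrets

def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0; 1 or -1, or 0 if gcd(a, n) > 1."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

# Master secret: two primes p, q with p, q = 3 (mod 4).  These are the Mersenne
# primes 2^127-1 and 2^89-1: fine for a demo, far too small and too structured
# for real use.  Only n = p*q is published.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
MASTER_SECRET = (P, Q)          # held by the PKG / "CA" only

def hash_identity(identity: str, n: int) -> int:
    """Map a public identity string to a residue a with Jacobi symbol (a/n) = 1."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{identity}|{counter}".encode()).digest()
        a = int.from_bytes(digest, "big") % n
        if jacobi(a, n) == 1:
            return a
        counter += 1

def extract_private_key(identity: str, master_secret) -> int:
    """PKG operation: r = a^((n+5-p-q)/8) mod n, so r^2 = +a or -a (mod n).
    Needs only the master secret and the identity string, nothing from the user."""
    p, q = master_secret
    n = p * q
    a = hash_identity(identity, n)
    return pow(a, (n + 5 - p - q) // 8, n)

def _random_t(n: int, m: int) -> int:
    """Random t in [2, n-1] with Jacobi symbol (t/n) = m (which also forces gcd 1)."""
    while True:
        t = secrets.randbelow(n - 2) + 2
        if jacobi(t, n) == m:
            return t

def encrypt_bit(a: int, n: int, m: int) -> tuple:
    """Encrypt one bit m in {+1, -1}.  No sender key is involved at all."""
    t1, t2 = _random_t(n, m), _random_t(n, m)
    s1 = (t1 + a * pow(t1, -1, n)) % n      # decryptable when r^2 = +a
    s2 = (t2 - a * pow(t2, -1, n)) % n      # decryptable when r^2 = -a
    return s1, s2

def decrypt_bit(a: int, n: int, r: int, ct: tuple) -> int:
    """Recover m: (s + 2r)/n = ((t + r)^2 / t)/n = (t/n) = m."""
    s1, s2 = ct
    r2 = pow(r, 2, n)
    if r2 == a:
        return jacobi(s1 + 2 * r, n)
    if r2 == (-a) % n:
        return jacobi(s2 + 2 * r, n)
    raise ValueError("private key does not belong to this identity")

def encrypt_message(identity: str, n: int, msg: bytes) -> list:
    a = hash_identity(identity, n)
    bits = [1 if (byte >> i) & 1 else -1 for byte in msg for i in range(7, -1, -1)]
    return [encrypt_bit(a, n, m) for m in bits]

def decrypt_message(identity: str, n: int, r: int, cts: list) -> bytes:
    a = hash_identity(identity, n)
    bits = [decrypt_bit(a, n, r, ct) for ct in cts]
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for m in bits[i:i + 8]:
            byte = (byte << 1) | (1 if m == 1 else 0)
        out.append(byte)
    return bytes(out)

def demo() -> tuple:
    """A record sent to a doctor's identity is read by the doctor AND, later and
    independently, by whoever holds the master secret.  The identity and the
    record are constructed for this demo."""
    recipient = "dr.b@example-practice.invalid"
    record = b"patient 1234: HIV+"
    ct = encrypt_message(recipient, N, record)                  # sender needs only N
    r_doctor = extract_private_key(recipient, MASTER_SECRET)    # key issued to Dr B
    by_doctor = decrypt_message(recipient, N, r_doctor, ct)
    # The PKG never needed Dr B's cooperation; it re-derives the same key at will.
    r_escrow = extract_private_key(recipient, MASTER_SECRET)
    by_pkg = decrypt_message(recipient, N, r_escrow, ct)
    return by_doctor, by_pkg

if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when running it: extract_private_key takes nothing but the identity string and the master secret, so "key escrow" is not a bolt-on here but the key-issuing operation itself; and because the public key is the identity string, the only way to "revoke" a compromised r is to change the string everyone encrypts to (or build an expiry date into it), which is the revocation problem the message refers to.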