Identity-based public key cryptography

[M J D Brown]

On Mon 24 Dec, Peter Fairbrother wrote:

> Leaving aside my concerns about the cryptographic security of the IB-PKC, I
> still have grave reservations about it's suitability for use by the NHS.
> 
> Agreed that written medical records are not usually treated with security
> foremost in mind, but obtaining the written records of a selected patient
> would not usually be easy, or even possible, without a Court Order.
>  
> Computerised records, without remote access, in a Doctor's office, require
> no more than simple encryption to protect them against burglary or local
> compromise. The Doctor or Practice could locally escrow the keys to preserve
> authorised access following eg the death or disability of the Doctor.
> 
> In-transit records require more protection, but there are no real
> difficulties in providing this with traditional, non-escrowed systems. A
> telephone book of medical practioners' keys could easily be compiled, and a
> key authentication and revocation service established. It would even be
> straightforward to disallow transfers unless allowed by that service,
> without involving key escrow. It could also be searched online on an
> identity basis, and made user-transparent, if required.
> 
> If introduced the IB-PKC system would escrow these communications, and
> potentially open them to compromise by the CA. I can see no valid reason to
> centrally escrow only transfers. There may be reasons to escrow the whole
> system of records, but that is a different matter.

If NHS practitioners are provided with high quality cryptography *and* file
transit is via Internet connectivity, then it can be argued that escrowed
keys should be required.  Facilities with legitimate access to controlled
drugs must surely be considered as *potentially* liable to be involved in
illegal handling.

I do not think that the debate on this list has yet substantiated a need
for a signature capability, and at least one medical practitioner here has
indicated that he would not trust the validity of data provided by persons
that he did not know as individuals.  If signatures are not to be trusted
then we might just as well use a top-down key distribution arrangement,
recognising that cryptographic protection in transit outside the 'secure'
perimeters of medical offices was merely to protect against viewing by
non-medical personnel.

In the NHS context I agree that it is almost impossible to countenance
any use of IB-PKC that would not be otherwise met by conventional PK
methods.  But we should also recognise that the essential facility for
key revocation itself exposes a conventional PK system to DOS/DOTrust
attacks, since we must also postulate the compromise of the key
authentication and revocation centre.

I am inclined to think that the basis for secure transfer of files ought
to involve direct modem-modem dial-up connections with checking of CLI data
against an authorised list of medical office telephone numbers, followed by
a line drop and dial back arrangement.  Cryptography is probably essential
also, but the details should be deferred until the basic communications
protocol has been designed.

Mike.
-- 
M J D Brown: 2 Carters Close, Bretton, Peterborough PE3 9AW, England