Data Sharing Review
Ian Batten
ukcrypto at chiark.greenend.org.uk
Thu, 17 Jul 2008 14:52:45 +0100
> is it a nice bridge?
> I don't believe that; I just think that biometric keys are easier for
> the general public to use rather than having everyone remember their
> huge passphrase
But you're confusing keys with encryption. A fingerprint reader
doesn't prove that the disk is encrypted under that key any more than
a BIOS password does. Indeed, fingerprint readers on most laptops are
implemented precisely as BIOS passwords: the machine won't boot
without the key, that's all.
> I seem to remember someone saying that if you can remember your
> passphrase it prolly isn't long enough
That person was wrong. It presumes that the threat to your
information is a brute force attack on your passphrase or on your
underlying cipher system. It rarely is. It's much easier to obtain
your key by stealth or threat, or wait for you to decrypt the data and
look at it then, or find the decrypted copy that you keep for
convenience.
> No system is ever going to be 100% secure; the idea would be to raise
> the bar to stop it being profitable for all and sundry to get access,
> and yes, I always taught my juniors to at least call back to go through
> someone's reception to try and validate a cold call, and never give out
> info.
So, how do they do that? Do they take the calling institution's name,
look that up in a phone book which contains only trusted institutions,
call that number, and ask to speak to the original caller by name?
Do they look it up in the general phone book? Or do they just ask the
caller for a number, dial it, and hope it answers ``Flurble Clinic,
how may I help you?''?
> Because most people will hand over passwords for chocolate to
> strangers conducting a "survey" in a train station, should we stop
> using passwords?
Yes. That's why all our remote access is secured with tokens, all
access to our sensitive systems on-site is secured with tokens, we're
shortly going to make access to all the systems in our helpdesk/NOC
environment be thin clients secured with tokens, and as we're rapidly
approaching the point where 100% of our staff will have been issued
with tokens we're seriously considering making all access require
one. I'm kicking myself for selecting SecurID over Vasco, for
various reasons, but I am where I am and once I've bought ~600
licenses I may as well get best value from it.
>> No, by logging onto the machine and then leaving it to the junior
>> staff. Or are you proposing a system where I have to keep my finger
>> on the pad continuously? That's going to be a pain to use.
> No, just every time you access the system to use the key escrow, then
> the system will know that you looked at that record at that time so
> when it comes to be audited there is the necessary trail.
Have you actually been involved in a large-scale, record-level audit?
How effective was it?
> Social problems require societal solutions.
I meant ``social problems'' as in ``problems which are caused by the
ease of social engineering''.
> audit audit audit
What proportion of access to records is illegitimate, in the sense of
``by nefarious individuals bent on causing the subject of the accessed
record harm'' --- let's leave strong views on bulk access for research
to one side for the moment? I suspect the answer is of the order of one
in a million: there are hundreds of millions of accesses to records in
a year, and my guess would be `hundreds' of serious illegitimate ones
--- blackmail, family rows, that sort of thing. Grant me a few orders
of magnitude of leeway: maybe it's as high as one in ten thousand.
Now, outline an audit regime which will find a one in a million (one
in ten thousand, whatever) event. How many records would you need to
audit, and how accurate would your diagnostic need to be, in order to
do this reliably?
> please don't be too focused on the biometrics
> it just seems a less bad option where people forget to carry
> smartcards
You send people home if they don't come to work able to do their job.
After a few repetitions you sack them. The rest of the staff would
get the hint. It's no different to ID cards: you don't permit staff
to work in hospitals without ID, do you? Ah...
If the smartcard is properly linked to a PIN, it's reasonable in fact
to keep them in a key safe and issue them against a photograph. In
fact, that's quite a good procedure: people arrive on the premises at
the start of their working day, draw their token from security against
a photographic register, use it during the day and then return it at
the end of the day as part of leaving the premises.
> or can't remember a password more secure than "password1"
In call centres, maybe. If someone with a graduate level job can't
remember a reasonably complex pass phrase, you've got deeper problems.
>> Trust has nothing to do with cryptography: that you have encrypted my
>> records AES256 is of no value unless you can prove that only I hold
>> the key. You can't. End of.
> ever?
> <facetious>
> even with an ID chip buried in your iliac crest carrying your randomly
> generated passphrase or your DNA as passphrase
> </facetious>
Prove that no-one else has a copy of that data. Write on only one
side of the paper at once. Prove the mechanism by which the data is
extracted from the chip to be used legitimately cannot be subverted
and used illegitimately.
> my point is that the government are hell-bent on having a centralised
> database containing patient records in England and Wales.
> Scotland will do what we normally do and wait to see what happens.
> Are you of the opinion that no control on the data is better than
> some?
See next mail.
ian
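The base-rate question Ian puts about audit regimes (how accurate the diagnostic must be, and how many records must be audited, to catch a one-in-a-million event) worked through as an added illustration; this is not code from the thread, and the access volumes, sensitivity, false-positive rate and precision target are constructed assumptions:

```python
"""Base-rate arithmetic for record-level audit (added illustration; the
volumes and detector figures used here are constructed assumptions, not
data from the thread)."""


def audit_yield(total_accesses, illegitimate, sensitivity, false_positive_rate):
    """One audit pass over every access.

    sensitivity: fraction of illegitimate accesses the diagnostic flags.
    false_positive_rate: fraction of legitimate accesses it also flags.
    Returns (true_hits, false_alarms, precision), where precision is the
    probability that a flagged access is actually illegitimate.
    """
    legitimate = total_accesses - illegitimate
    true_hits = illegitimate * sensitivity
    false_alarms = legitimate * false_positive_rate
    flagged = true_hits + false_alarms
    precision = true_hits / flagged if flagged else 0.0
    return true_hits, false_alarms, precision


def max_false_positive_rate(base_rate, sensitivity, target_precision):
    """Largest false-positive rate the diagnostic may have so that a flag
    is real with probability >= target_precision at the given base rate.

    Solves precision = b*s / (b*s + (1-b)*f) for f.
    """
    return (base_rate * sensitivity * (1.0 - target_precision)
            / (target_precision * (1.0 - base_rate)))


def records_per_expected_hit(base_rate, sensitivity):
    """Accesses that must be audited before one illegitimate access is
    expected to be caught (expected true hits grow linearly with sample size)."""
    return 1.0 / (base_rate * sensitivity)


if __name__ == "__main__":
    # Constructed scenario in the spirit of the thread: a hundred million
    # accesses a year, a hundred of them nefarious (base rate 1e-6), audited
    # by a diagnostic assumed to be 99% sensitive and 99% specific.
    total, bad = 100_000_000, 100
    hits, alarms, prec = audit_yield(total, bad, 0.99, 0.01)
    print(f"true hits {hits:.0f}, false alarms {alarms:.0f}, "
          f"precision {prec:.2e}")
    # For a flag to be right even half the time, the false-positive rate
    # has to fall below the base rate itself:
    print(f"max FPR for 50% precision: "
          f"{max_false_positive_rate(1e-6, 0.99, 0.5):.2e}")
    print(f"records per expected catch: "
          f"{records_per_expected_hit(1e-6, 0.99):,.0f}")
```

With those assumed figures a 99%-accurate diagnostic produces roughly a million false alarms for every hundred real hits, so fewer than one flag in ten thousand is genuine; to make half the flags genuine the false-positive rate must be driven below the base rate of one in a million. That is the arithmetic behind the question of whether "audit audit audit" can find the rare nefarious access.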