next up previous
Next: Order of introducing encryption Up: No Title Previous: Cost Estimates

Key Escrow

As mentioned above, the question of `trusted third parties' is the main policy issue before the cryptologic community at present, and this is part of the wider issue of key escrow. Should cryptographic keys be held in `escrow', which means using some mechanism (that might involve third parties) so that the cryptography becomes transparent to law enforcement and other government agencies?

The US government has made four significant attempts so far to get users of cryptography to adopt key escrow of one kind or another. The TTP initiative is merely the latest of these; the history of this project in the USA, and the national policy concerns behind it, are described in a recent report from the US National Academy of Sciences [27].

As the NHS's strategy document offered advice on the ramifications of adopting cryptography, its views on escrow would have been of great interest. But `escrow' is not discussed; instead, a euphemism (`key recovery') is used, and on p 58 the strategy document states that `NHS should consider ... whether it wishes to implement the key recovery capability within it or not'. The implication that I, as a security professional, drew from this wording is that escrow will be implemented and that the only question is whether the keys will be held by the NHS or by another government department such as GCHQ.

In response to this, the statement [86] was made that `Nowhere do we state or imply that either doctors' encryption keys or signing keys should be escrowed'. In support of this we are pointed to another excerpt from the original strategy which mentions the possibility of omitting key escrow but designing the system so that it can be added later. This gives rise to almost as much concern. The writer of the strategy has since stated categorically at a public meeting [51] that medical keys would not be escrowed, and a senior official stated at the June meeting that there would be no key escrow in the pilot [52].

However the encryption pilot in Teesside appears to focus on demonstrating the capability to do key recovery despite officially having a broader scope than this [36]. The key management scheme involves RSA keypairs being generated by a single TTP run by BT Syntegra; both the signed public key (in X.509 certificate format), and the private key, are then sent to the user [15]. Thus private keys, for both signature and encryption, are available to the TTP for escrow. This key management system is derived from the NHS Clearing service pilot [81], so we can assume that the Clearing pilot also uses escrow.

Finally, the GPPL pilot was held up for a while by an IMG demand that doctors' signing keys be generated centrally, and is still handicapped by a lack of clarity about what key management mechanisms will be acceptable to the NHS Executive.

We note that the NHSE document says (p 45) that the strategy for cryptographic algorithms and key management will have to be confirmed before the pilots commence. But even though the pilots are well underway, the strategy for cryptographic algorithms and key management would not appear to have been confirmed.

The following selected series of events and developments may be indicative of changing attitudes to cryptography in the UK government:

We sincerely hope that it is not the position of government that hospitals and general practices would not be responsive to warrants. Yet despite clear denials that key escrow was intended or would be introduced, persistent attempts are still being made to introduce it via the crypto pilots.

This is unlikely to win the confidence of either public or professions. It also breaches the agreement that the electronic trust structure should reflect existing practice -- under which to medical records by policemen, social workers, benefit agency employees and other government servants involves the knowledge and agreement of the clinician having responsibility for the patient, and therefore with the knowledge and consent of the patient unless the law specifically provides otherwise.

next up previous
Next: Order of introducing encryption Up: No Title Previous: Cost Estimates

Ross Anderson
Mon Oct 6 12:47:34 BST 1997