next up previous
Next: Strength of Encryption Mechanisms Up: No Title Previous: Key Escrow

Order of introducing encryption and signature

The IMG strategy claims on p 13 that authentication and signature are not only a secondary requirement, but one which should be tackled after encryption is in place. On p 18, it considers signature to be only a `possible requirement'. If signature is indeed required, then the system `could be extended cost-effectively to support these additional security services' (p 13). The decision to introduce encryption first and signature second is repeated elsewhere (e.g., p 59). This closely follows GCHQ's strategy for secure email [24].

The IMG/GCHQ approach is wrong and dangerous. If escrowed encryption is used to distribute signature keys, then these signature keys become known to (or at least discoverable by) the authorities. So doctors' signatures could be forged by authority, or by third parties to whom the signature or escrow keys had been leaked. Safety would be at risk and the evidential force of digital signatures would be greatly reduced.

What should happen is that a clinician should generate a pair of keys -- a private signature key, and a public signature verification key -- and send the public key to a certification authority to be signed. But the GCHQ protocol does not support a mechanism for transporting keys from the user to authority. There is merely a `token' that is used to convey both private and public keys from authority to the user. Despite IMG's many assurances that neither encryption nor signature keys will be escrowed, and an assurance in [86] that `current discussion about escrowing keys relates only to encryption keys and not to signature keys', the Teesside pilot takes the GCHQ approach. Signature keys are generated by the TTP (in that case, BT) and then copies of them are given to doctors. BT thus acquires the capability to forge doctors' signatures, thus redoubling the threat of insider access that encryption mechanisms should be helping to combat.

Even if privacy keys are eventually required by law to be escrowed, the keys used for digital signature and for other forms of authentication must be treated differently. The government clearly has difficulty understanding this point, despite its being raised in numerous fora by the BMA and others. So it is worth explaining explicitly.

The stated purpose of key escrow is to enable government employees to monitor the contents of encrypted traffic (and, in some escrow schemes, to facilitate data recovery if users lose or forget their keys). Its stated purpose does not include allowing government employees to create forged legal documents. It would be highly undesirable if they were able to use this access to forge contracts or purchase orders: the scope for insider fraud and conspiracy to pervert the course of justice would be immense.

Any police officer will appreciate that if he can get copies of a suspect's bank statements, then perhaps he can use them in evidence; but if he can tracelessly forge cheques, then the suspect will argue that all the evidence was simply forged by the police. So if there is any possibility that a digital signature might be needed as evidence, then the key used to create it must not be escrowed.

In fact, we would go further than this: keys which are used only for authentication (rather than non-repudiation) should not be escrowed either.

For example, suppose that some piece of equipment (e.g. a telephone exchange, or a ventilator in an ICU) is controlled remotely, and message authentication codes are used to protect the integrity of control messages. Even if these messages are not retained for the purposes of evidence, it is clearly important to distinguish between authorising a law enforcement officer to monitor what is going on and authorising him to operate the equipment. If authentication keys are escrowed, then the ability to monitor and the ability to create seemingly authentic control messages become inseparable: this is almost certainly a bad thing. Returning to the medical context, it is unlikely that either doctors or patients would be happy with a system that allowed the police to forge prescriptions, or Pensions Agency officials to assume control of life support equipment. We doubt that any government minister who understands this danger would wish to expose himself and his officials in such a way.

In such applications, we need an infrastructure of signature keys that is as trustworthy as we can make it. Bootstrapping the trust structure from a system of escrowed privacy keys is completely unacceptable on both safety and medico-legal grounds.

next up previous
Next: Strength of Encryption Mechanisms Up: No Title Previous: Key Escrow

Ross Anderson
Mon Oct 6 12:47:34 BST 1997