23 September 1997: Add John Leach response

22 September 1997
Source: Mail list ukcrypto@maillist.ox.ac.uk

See related exchange: http://jya.com/dti-words.htm


To: ukcrypto@maillist.ox.ac.uk
Subject: Re: Latest words from DTI 
Date: Mon, 22 Sep 1997 11:47:16 +0100
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

John Leach says, in message <3.0.32.19970920014251.0069d130@relay.eu.tis.com>:

> Ross persists in making his own unique interpretations of the intentions
> of the DTI with little apparent patience for hearing any other line

and then in message <3.0.32.19970920015010.0069d130@relay.eu.tis.com>:
 
> Tell me, how do unprofessional comments like this help move the debate
> forward? 

Well, this `unique interpretation' of mine is that officials are trying their
hardest to sell key escrow to the ministers of a government that we elected on
a clear promise not to buy it. In so doing, they are pushing a US intelligence
community agenda that is actively harmful to Britain's trading interests and
which will significantly weaken the UK's defences against information warfare.

If this quite singular interpretation of mine is indicative of mental disorder,
then it's highly infectious: read Microsoft's MD in last Thursday's Guardian,
for example.

> It reminds me of when he and I were in discussions about the NHS
> encryption report.  It didn't make any difference to him how many times 
> we pointed out that in our report we had advised the NHS NOT to use Key
> recovery and how much difficulty he had in actually locating any
> sentence in the report that recommended the use of Key Recovery, he 
> still persists to this day, and at the Cambridge conference, in saying 
> that the objective was to get the NHS to use Key Recovery.

John, your memory is going.

Nowhere in the Zergo report, of which you were the author and which I have
here on my desk, do you advise the DoH against key recovery. On the 
contrary, you strongly advised the DoH not to use RSA but to use Diffie
Hellman instead. At the June meeting where you and Henry Beker presented
the report to the BMA, we asked what protocol you meant. You replied the
protocol of Jefferies, Mitchell and Walker - a key escrow protocol.

Also, in the report on page 58, you make clear that Diffie-Hellman
techniques should be used rather than RSA in order to achieve compatibility
with a national public key management infrastructure being planned by CESG
and which will include key recovery. `Consequently the advice from CESG, 
supported by Zergo, would be that the NHS should develop a Key Management 
infrastructure that uses D-H rather than RSA techniques'.

The following paragraph presents two options: either install key recovery
from the beginning, or start off with a phase 1 system without this feature
but which could be extended later to include it. So yes, you did equivocate,
but it looks like your brief was to recommend key recovery as persuasively
as you could while leaving a tiny morsel of deniability in case it got too 
hot to handle.

You might call this a `unique interpretation'; it was based on the same 
pessimistic assessment of bureaucratic motives that I apply to the DTI. 
However it was shared by pretty well all the senior doctors involved at 
the BMA end of the negotiations, and has been solidly borne out by 
developments since. 

Of the three NHS crypto pilots, two were run by the Department of Health 
and focussed almost entirely on implementing and demonstrating key 
recovery. In one case (the Clearing service) this was pointless as the
Clearing system harvests data on hospital care for Whitehall and the 
plaintext is all the property of the Secretary of State anyway. In the 
second - the Teesside pilot - it involved escrowing not just decryption 
keys but signing keys too. This led to its being unacceptable to the local 
medical community. The third pilot, which was run by doctors, used the 
Cryptomathic EDI security software to protect data transfers between GPs 
and hospitals. The Department of Health, under instructions from GCHQ, 
tried to block this implementation on the grounds that the RSA signing 
keys were generated in the practice rather than centrally. The view now is 
that the DoH will try to graft the Teesside key management system on to
the EDI security software thereby enabling GCHQ not just to read medical 
traffic between GPs and hospitals but also to forge it.

There were lots of other things wrong with the report. For example, the
ostensible point of it was to advise the NHS on what encryption algorithm
to use. It turned out that you weren't aware of the existence of 
algorithms like Blowfish and WAKE, and recommended Red Pike on the 
grounds that there was nothing else strong enough. You also reckoned that 
all medical keys could be managed by one TTP (plus backup) involving the
equivalent of eight full time staff - this for a million NHS staff in 
12,000 provider organisations (with many of them changing jobs on the 
first of February and the first of August each year). Your costings were 
ludicrous on a number of other grounds too.

Anyone who's interested can pick up the BMA's official response from
ftp.cl.cam.ac.uk/users/rja14 where it is the file zergofrep3.ps.gz

Ross


23 September 1997
Add John Leach's response to Ross Anderson:


Date: Wed, 24 Sep 1997 00:42:14 +0100
To: ukcrypto@maillist.ox.ac.uk
From: Dr John Leach <leach@eu.tis.com>
Subject: Re: Latest words from DTI

At 11:47 22/09/97 +0100, you wrote:

>> It reminds me of when he and I were in discussions about the NHS
>> encryption report.  It didn't make any difference to him how many times
>> we pointed out that in our report we had advised the NHS NOT to use Key
>> recovery and how much difficulty he had in actually locating any
>> sentence in the report that recommended the use of Key Recovery, he
>> still persists to this day, and at the Cambridge conference, in saying
>> that the objective was to get the NHS to use Key Recovery.
>
>John, your memory is going.
>

Dear Ross,

I know we have gone over this in the past in the offices of the BMA but as
the report is in the public domain I suppose we can go over it again here.
I hope others are sufficiently interested not to shout us out of this list.

>Nowhere in the Zergo report, of which you were the author and which I have
>here on my desk, do you advise the DoH against key recovery. On the
>contrary, you strongly advised the DoH not to use RSA but to use Diffie
>Hellman instead.

Firstly, you have been in the arena long enough not to confuse the NHS with
the DoH.  We made no recommendations to the DoH.  Our client was the NHS.
The two organisations are well distinct.

D-H is not synonymous with Key Recovery.  D-H has been around and in use
for years and pre-dates any discussions I am aware of about Key Recovery.
It is patently clear that advising the use of D-H is not the same as
advising the use of Key Recovery.

>At the June meeting where you and Henry Beker presented
>the report to the BMA, we asked what protocol you meant. You replied the
>protocol of Jefferies, Mitchell and Walker - a key escrow protocol.

We informed the NHS about the issue of Key Recovery believing that, whether
or not they chose to adopt it, they needed to understand what it was about.
It was clearly an issue within the scope of the work and needed to be
discussed whatever the recommendation, for or against.  The Key Recovery
scheme I had in mind when I was explaining the issue was the Jefferies,
Mitchell and Walker one, a scheme otherwise known as the Royal Holloway
Scheme (unfair on Jefferies and Walker perhaps).  That scheme adds Key
Recovery features onto a D-H key management scheme.  However, that does not
of itself transform D-H into a Key recovery scheme.

>`Consequently the advice from CESG,
>supported by Zergo, would be that the NHS should develop a Key Management
>infrastructure that uses D-H rather than RSA techniques'.

Yes.  Whether you like it or not, the NHS exchanges various types of
information with the DoH, and the DoH is a central government Department
even though the NHS is not.  These exchanges are mostly if not exclusively
for administrative data and to my knowledge do not include personal medical
data.  But I did not need to resolve that question absolutely.  I assumed
the DoH would be using Key Recovery in the form of CASM - that seemed to be
clear policy at the time.  There was no requirement for the NHS to use Key
Recovery and CESG did not attempt to persuade me or them otherwise - it was
simply not an issue.  But, independently of that, the NHS might have been
prepared to use key recovery on its links to the DoH and I made it clear
that it could choose to use Key Recovery on the DoH links without it having
to use key recovery on any other links.  So my advice was for the NHS to
use D-H throughout the NHSnet and possibly (at its discretion) Key Recovery
on the administrative links to the DoH, rather than to use RSA throughout
the NHSnet and potentially isolate itself from one of its major non-NHS
correspondents.

>
>The following paragraph presents two options: either install key recovery
>from the beginning, or start off with a phase 1 system without this feature
>but which could be extended later to include it. So yes, you did equivocate,
>but it looks like your brief was to recommend key recovery as persuasively
>as you could while leaving a tiny morsel of deniability in case it got too
>hot to handle.
>

Ain't nothing or nobody too hot to handle, mate.

I said it was for the NHS to choose whether or not to use key Recovery.  It
had choices.  It could decide up front to use it throughout the NHSnet.  If
it used D-H, it could delay and then introduce it later.  Or it could delay
and introduce it later only on certain links.  Or it could decide not to
use it ever.  It was not for me to decide what the NHS policy should be,
only the NHS could decide that.  I did advise them that I saw no reason for
the NHS to introduce key Recovery in the pilot.  The pilot did not need it
and Key Recovery did not warrant being piloted.

I don't have my report with me at the moment so I'll not quote pages and
paragraphs but I am comfortable that my words were clear - I did not
recommend the use of key Recovery but I did allow that the NHS might decide
to use it at some stage in the future and for some traffic.  In the third
of the NHS/BMA meetings we attended, we did get into quoting pages and
paragraphs and I trust you remember the outcome.  I don't imagine you want
that little discussion replayed in the lines of a public list!

>You might call this a `unique interpretation'; it was based on the same
>pessimistic assessment of bureaucratic motives that I apply to the DTI.

That does not make you any the more correct.

>However it was shared by pretty well all the senior doctors involved at
>the BMA end of the negotiations,

You were their security adviser (still are for all I know) and they were
following your advice strongly put.

>and has been solidly borne out by developments since.
>

In what way?  What are you talking about?

>Of the three NHS crypto pilots, two were run by the Department of Health
>and focussed almost entirely on implementing and demonstrating key
>recovery.

Absolute rubbish in my opinion.  They didn't touch Key Recovery.

>In one case (the Clearing service) this was pointless as the
>Clearing system harvests data on hospital care for Whitehall and the
>plaintext is all the property of the Secretary of State anyway.

There was no Key Recovery aspect to this pilot.  You can hardly accuse them
wrongly of having gone after key Recovery and then criticise them for
wasting time.  They didn't go after it, maybe because they realised it had
nothing to offer them.

> In the
>second - the Teesside pilot - it involved escrowing not just decryption
>keys but signing keys too. This led to its being unacceptable to the local
>medical community.

Again, not to my knowledge.

>The third pilot, which was run by doctors, used the
>Cryptomathic EDI security software to protect data transfers between GPs
>and hospitals. The Department of Health, under instructions from GCHQ,
>tried to block this implementation on the grounds that the RSA signing
>keys were generated in the practice rather than centrally. The view now is
>that the DoH will try to graft the Teesside key management system on to
>the EDI security software thereby enabling GCHQ not just to read medical
>traffic between GPs and hospitals but also to forge it.
>

I wasn't directly involved in this pilot and can't offer any view on what
the DoH may or may not have done, but I haven't heard anything to
substantiate this view from any of the discussions I have had.

>There were lots of other things wrong with the report. For example, the
>ostensible point of it was to advise the NHS on what encryption algorithm
>to use. It turned out that you weren't aware of the existence of
>algorithms like Blowfish and WAKE, and recommended Red Pike on the
>grounds that there was nothing else strong enough.

So tell me, which mainstream vendors are looking to implement Blowfish or
WAKE in their COTS products?  A central requirement from the NHS was that
it should have an algorithm that would be available to it through its major
vendors.  At the time, Red Pike looked to fit this bill.  I can admit a
year and a half later, I predicted the uptake of Red Pike wrongly.  That
was an error of judgement on my part.  But I don't see any large scale
implementations of Blowfish or WAKE either, and wouldn't expect to.

> You also reckoned that
>all medical keys could be managed by one TTP (plus backup) involving the
>equivalent of eight full time staff - this for a million NHS staff in
>12,000 provider organisations (with many of them changing jobs on the
>first of February and the first of August each year).
>

Wrong again, Ross.  We proposed one TTP for the first pilot (that's
straight forward enough), and said that the growth from there onwards
should be responsive to the needs of the applications that adopted the
technology.  Again, we gave the NHS the option of going forward building
around a single TTP or around several TTPs.  We gave them some discussion
around the ins and outs of each option, but most certainly did not
recommend that they should stick with just one TTP for ever.  We used the
single TTP model for estimating a minimum cost for running TTPs, and said
that if they grew to have instead a larger number of smaller TTPs, the
costs would undoubtedly be higher.  Clear enough to me.

You are perfectly entitled to disagree with our costings, but don't invent
recommendations that aren't there.

Good luck, all.

JL

__________________________________________________________________________
Dr John Leach                        leach@eu.tis.com
Trusted Information Systems (UK) Ltd.
Office      : +44 (0)118 930 4413    8 Commerce Park
Fax         : +44 (0)118 930 4412    Theale
GSM         : +44 (0)467 417 694     Berkshire RG7 4AB
Home Office : +44 (0)1264 332 477    ENGLAND
Web         : <http://www.tis.com>
__________________________________________________________________________