The UK Home Office has introduced procedures to handle encrypted personal data from external partners. However, guidelines on how the new Home Office Central Cryptography service will work raise concerns about possible shortcomings with the service which, while a big improvement, falls below best practice in sectors such as …
I take it you don't mean hash in a cryptographic sense!
Hello this is the Home Office Cryptographic centre, we've just got your email/CD. Can I have the passphrase please?
Not much better than writing it on the disc really is it.
And why is it that after seeking "expert advice (probably from GCHQ's CESG)" the Home Office develops a policy "that falls below best practice in sectors such as banking"!! As El Reg has pointed out over recent days the banking sector is bad enough, but if central Government can't be bothered to implement proper controls it hardly serves as a good example of data handling.
Now I must dig out that consultation on the transposition of 2006/24/EC ....
we don't need no steenkin' security
'Jamie Cowper...... "You'd be surprised, but some people sent encrypted discs with the passphrase attached on a post-it note," he added.'
No actually, I wouldn't.
I would put end of cynicism mode, but I think it's jammed in the 'on' position.
Hmmm. I wonder whether the decision not to go for end-to-end public key encryption has anything to do with the HO wanting to be able to keep an eye on transmissions *within* the government secure intranet. If civil servants could engage in secure communication within and beyond the department, goodness knows what might happen!
Well it's a start
Let's be quite frank - this is nothing like a perfect system. However, it's a damn sight better than previously! I just wish that the government would do things *before* a major scandal, rather than always being prompted by one. Encrypted systems should have been in use long before now. It's 2008 for Christ's sake.
Not rocket science?
One has to ask, why doesn't the government use fully encrypted protocols in the first place. Deploying IPSec across all government networks, destroying all CD/DVD writers and plugging up USB ports would be a good start.
Anyone here ever tried putting a DVD into a shredder?
... makes some lovely noises... sparks.. even smoke if you're lucky :-)
on not opting for asymmetric crypto
Clearly asymmetric crypto offers both non-repudiation of origin and non-repudiation of receipt
However, the number of and range of size of external stakeholders who legitimately have business need to communicate with HO are both enormous; so, some balanced decision between 'secure enough' and 'scales out to the small people' had to be taken.
A fully-fledged PKI for all HO external transactions would take a long time to develop (first write the Certificate Policy - take caffeine pills...) and imposes unreasonable technological, governance and expertise constraints on the smaller stakeholders; some of whose communication needs are small and infrequent.
The alignment of multiple CPs would take ages.
The arrangements for cross-connected Certificate Authorities - or 'bridge CAs' - would take ages.
The management of Certificate Revocation would take ages.
So, for once, well done that gumment department.
How Secure do you want IT42B? Complete GBIrish or Simple and CompleXXXX
"Sending encrypted communications in the form of a self-decrypting archive means that no client is required, but also requires accepting executable files in email messages, a dangerous practice in general" ....
It is only dangerous if Intelligence a) either fails to decrypt a self-decrypting archive and/or fails to acknowledge receipt of such a self-decrypting encrypted communication for then will further, more specifically Targetted and Targetting and Potentially more Damaging/Rewarding Communication be Likely ..... but that is Only a Matter of being Aware of the Encryption Algorithm Source for Key Trigger Codes.... or for Third Parties to be made Aware that they are Triggers for Code Encryption. How difficult is an All XPenses Paid Invitation to Tea. Pretty Darned Simple would think Alice, I'm sure..... for who/what would then be Identifiable as the Problem.
Nice to know that such Sterling Works are in Progress/Flow and there are some Novel Workable Concepts Shared there, with more than just a Promise of being Very Successful being easily Imagined. Bravo. and if one was a Server one could maybe Respond at One's Leisure, although that might be necessary if the Encryption in Enigmatically Safe and Sound/FailSafe Tempest BetaTested Steganographically in the Open Field.
And how secure does IT need to be if you are one of the Good Guys and Walk Tall, Walk Straight and Look the World Right in the Eyes and Match your Words with Deeds?
1. Email/CD/DVD is received by the Bureau.
No doubt the CD/DVD will be unencrypted, "password protected" and sent by Royal Snail.
"The UK Home Office has introduced procedures"
Once again, the sickness called "modern management" reveals its loathsome self. Especially when combined with the half-baked socialist ideology of the UK's present government, it's a complete disaster.
1. A profound distrust of smart, educated people -- to utilize them effectively is elitism and We Can't Have That In Our Socialist People's Egalitarian Paradise.
2. Viewing employees as so many fungible warm bodies: anybody can do any job with equally good results. This is what I usually call the "MBA mindset" -- employees as interchangeable cogs in the mechanism.
3. Failure to differentiate between education and training. You can train a monkey, but you can't educate one. Example thinking: "Let's shut down Oxbridge; we can contract out teaching people to use Word, so we don't need the universities."
4. A touching belief in the value of "procedures." ¿What is the use of written procedures when (4a) they are written in incomprehensible bureaucratese and gobbledygook (4b) they are kept in a binder in the boss's office and no one is allowed to see them (4c) they are so long winded no one can read through them without going to sleep (4d) they get so embroiled in minutiae and detail that their overall thrust and significance is completely obscured?
5. Never following up on bright ideas to see if the solutions adopted to solve problems had the desired effect.
6. Thinking that a simple line graph is the cat's meow in data presentation. (This is the L. Ron Hubbard error.)
I could extend the list almost indefinitely, but to cut to the chase: "introducing procedures" won't solve the problem of data insecurity. By hiring stupid people, paying them badly, and treating them like peons, government has created (or at least exacerbated) a culture of I-don't-care.
Prediction: data losses will continue.
Why is there no Jacqui Smith icon? I guess "stop" will have to do, symbolizing that the UK govt has stopped *thinking* and now reacts to events in a totally stereotyped way. Somewhat like demonstrating that dissected frog leg twitches when a battery is attached.
wacky jacqui won't be happy about that!
Risk mitigation or False sense of security?
I see many risks with the proposed approach - as others have observed:
1. Self Decrypting Archives are only as good as the password - and you can bet the passwords used here are going to be guessable and repetitively used.
2. They can be brute forced *offline* with no audit trail - so the package could be intercepted electronically or physically - copied, then either
a) attempt social engineering attack to get the password
b) brute force the password, a space far smaller than the key space
3. Sender and receiver will not be aware of the data attack and be blissfully lulled into a false sense of security.
A more robust and transparent approach for the sender and receivers is a model called Identity Based Encryption (IBE) applied for end to end file encryption. The Home Office already has its Public Key with its Identity, and since the asymmetric private key is generated on the fly *after* strong policy enforceable authentication - which can be 2 factor and change independently under controls, you have tight controls on both sender and receiver authentication policy. Moreover, the dialogue can be transactional and transparent.
Having spent 12 years in the past modelling, consulting on and implementing large PKIs and Identity Management systems (including global Identrus models) IBE is a breath of fresh air and gets over the massive cost and complexity of the older X509/X500 model.
Since opening a self decrypting archive has no audit trail to the sender, nobody will know if there is a data breach and assume everything is all nice and secure - so we have potential for a false sense of security - rather scary.
Director of Information Protection Solutions
And who has signed to say this is safe ???
What a load of baloney, it shows the complete ignorance of government on matters of data security.
You certainly can shred CDs/DVDs
You just need a bigger shredder!
Advice is just that
No doubt the Home Office did seek advice from GCHQ but it doesn't follow that they paid any heed even if they bothered to listen. Surely everyone knows what a government "consultation exercise" means?
Re: Not rocket science?
"One has to ask, why doesn't the government use fully encrypted protocols in the first place. Deploying IPSec across all government networks, destroying all CD/DVD writers and plugging up USB ports would be a good start."
Maybe you should pay the AWE at Aldermaston a visit. This is *exactly* what they do, and if you're unfortunate enough to have to sell them software and, even worse, install it (or rather, watch someone install it 'cos you don't have the requisite clearance) then you'll realise that this isn't as smart an idea as it sounds - it turns getting *anything* done into an absolute nightmare, and yes, I'm fully aware of the sort of thing they do there (I did some work for them many, many moons ago)
Anon, because I've been there, done that and vowed never again
Re "The UK Home Office has introduced procedures"
Smarter, more educated people will make their Views and/or requirements known, and put them in the Public Domain, and move on to their next steps, and they will do that on a daily basis, thus to avoid the disappointment of having to wait on and deal with those, who would have proved themselves to be less than useful and in too many cases, QuITe Useless and Unfit for Future Purpose in a Leading Role, with their Failures to Grasp any New Paradigm.
There may be occasions whenever Information sent and privately shared, may not be immediately shared in the Public Domain, for any number of subjective reasons, but in an age whenever Intelligence Phishing is Ubiquitous and Perceived to be deeply embedded, any notion that Privacy remains or that any communication has remained private is delusional and thus would make any non-disclosure for whatever subjective reasoning, really a waste of effort.
Of course, then what happens is that Servers/Intelligent Hosts are mysteriously unavailable/busy/timing out etc. causing merely a temporary inconvenience which focuses the resolve to higher planes in search of headier and more able and enabled souls.
But old habits die hard and such moments of waiting for response which will never arrive are an indulgence which eventually disappears.
Nice vendor spam
To the vendor of IBE products that's conveniently suggesting that IBE is better...If you couldn't convince the UK govt that IBE is good, why should El Reg readers believe it?
I've read about this IBE stuff. Is it true that IBE uses a "secret" on the server to calculate this magical identity based key? And if someone takes that secret then every key ever created, or that ever can be created, by that server can be recreated "on the fly" (as you say) but this time by an attacker?
So now everything encrypted can be decrypted. If this secret was taken without anyone knowing (disgruntled admin? in govt? Never!), everyone would keep encrypting with that IBE server but not know it's totally broken. Old stuff, new stuff, all decryptable by the bad guys.
Talk about a scary false sense of security! True?
So they carefully decrypt the data and then forward it unsecured by email unless it is large? Surely they should just force the end-user to either:
a) have a clue and have encrypted software installed and be educated in its use
b) force them to use HTTPS to pick up the data
Security isn't easy, but making such a half-baked approach is pretty crap. I wonder if we'll be able to sue the government for compensation _when_ they lose our data.
Oh, and if the DVD is encrypted, why bother sending it via courier - 2nd class post will be just as good thank you.
@ Adrian Bridgett
2nd class won't do - by the time it's received the covertime of the algorithm will have expired!
On which note, why is everyone so concerned about HMRC sending out Child benefit data in the clear. By the time my kids are old enough for their details to be used in fraud (they're 1 and 3, meaning they can't be used financially for 17/15 years) - anyone like to name an encryption with a cover time they could have used that would do?
The real scandal is that they let some muppet have a 'copy to disc' function for the entire nation's details.
Because the virus scanners need to be able to read at the mail gateway. Encrypted traffic to general .gsi mail addresses is currently returned to sender because it could contain a virus. The alternatives looked at are in having a single point like the Home Office or all encrypted traffic having to be sent to the mail gateway as well using its public key.
It's not an easy problem to solve.
This is meaningless...
Because it assumes that people will follow the procedures for sending this data securely. Which they won't. They didn't follow procedures before, there's no reason to assume they've had an IQ transplant now.
Paris - because I'd trust her with an IT project before I'd ever trust Gordon Brown.