Monday, December 24, 2007

Why has no one asked about the encryption?

I see that the Sun is reporting this morning that there have been even more data losses at NHS Trusts across the country. I also notice that statements from the Government have said that lost data has been encrypted which I guess is meant to minimise people's concerns. Although, admitting you don't know what data is on them makes them look incompetent yet again.

However, what I don't understand is why no one has actually asked about what the encryption is. After all, it's all well and good to say something is encrypted but if it's just something known to be weak like MD5 then it becomes quite a meaningless reassurance.

Now there may be an argument that to say what encryption algorithm is being used is itself a security breach, but it would b useful if someone could at least give an indication that however they do it it is not merely some passphrase protection, or that it is a key-paired method using strong algorithms that will take too long to crack to make the data worthwhile.

9 comments:

James said...

Its probably a zip file with a password... I'd laugh if I didn't think there was a good chance this is the case.

mitch said...

Its gonna be a Zip file with a password you just know it.

patrick said...

MD5 an encryption methodology? C'mon, it's a hashing technique, not encryption. The difference probably wants explaining to your less technical readers...

oxbridge prat said...

As I'm sure you know, if the encryption is any good then naming the algorithm will not threaten it in the slightest.

Of course the chance that they have used effective encryption properly implemented is negligible. They have just realied that "encryption" is a magic word which acts as a get out of jail free card.

dizzy said...

patrick, I know what you mean, but from a purely simplistic understanding it is a form of encryption, albeit not a good one.

Anonymous said...

Dawn Primarolo was responsible for HMRC for ten years. She is now responsible for Health. Data loss seems to follow her wherever she goes.

Rob said...

MD5 is not encryption, it's a hash function.

Presuming they're using something even as widely available as PGP—which is a fair presumption—then the encryption itself will be secure. Even over 15 years after its creation, there's still no computational/cryptographic means to defeat it.

Of course, that means that the weak link becomes the security of the keys, which is probably not a fair presumption. If they've lost a hard drive full of personal data, it's not a tremendous leap to imagine them having lost some encryption keys.

excalibur said...

I suspect that they got such a roasting over the unencrypted discs lost, that they had to shove some form of encryption in place, but there's so much institutional inertia and ass covering, that they couldn't implement a strong encryption scheme without spending two years developing the rules and paying a 100 million to consultants to hold their hands. They probably used PKZIP with a password.

The public understand the difference between data in the plain and encrypted data, but don't immediately understand the difference between strong encryption and weak encryption. From the point of view of whoever is responsible for these fiascos, it takes some of the heat off if they can truthfully claim the data was encrypted. Arguments over encryption methods turn most people off.

Of course, if the encryption method was used was any good, knowing the algorithm used should make next to no difference in decrypting the data without the key. However, if they were in fact using PKZIP, they just might want to keep quiet about it, and for PR, not security reasons.

mitch said...

Id bet the password was "password" it always is with retards.