Back To The Future
Back To The Future
You would think that an important document such as a Brexit Trade Deal would have the lastest usage of standards and the best practice, but if we turn to Page 921, we see some text which could have been created in the 1990s [here]:
So let’s ask a few questions …
Why do you think references to outdated systems has been included in the agreement?
This looks like it’s a standard copy-and-paste, and with little understanding of the technical details involved. The text is full of acronyms, and it perhaps needs more of a layperson's explanation to define the requirements. I think there should have been, at least, a reference to up-to-date standards such as those related to the NIST-defined FIPS (Federal Information Processing Standards) standards. In encryption, we generally move on and support old methods by deprecating them, and so the usage of Netscape Communicator and Mozilla Mail should have been deprecated years ago.
Q — Does anyone use Mozilla Mail or Netscape Communicator?
In the 1990s, Netscape Communicator was the Web browser that supported the wide-spread adoption of the Web. Many people who saw the rise of the Internet in the 1990s will fondly remember it, especially along with the sound of modems making the dial-up connection. Before the large-scale adoption of email clients such as Microsoft Outlook and Apple Mail, Mozilla Mail was also used as a way to send secure email. Few people use these now, and the encryption underneath is significantly out-of-date. In fact, the last major release of Netscape Communicator was with 4.0 in 1997, and in the 23 years since, and the world of computing has moved on significantly, especially in the terms of the computing power which can crack old standards of encryption.
Q — What might this tell us about the officials writing the document?
I believe this looks like a standard copy-and-paste of old standards, and with little understanding of the technical details. Overall the handling of DNA data must be seen as one of the highest levels of secrecy and trust, and we should always be using the best methods around. There is little excuse in the use such old standards, especially as there is great expertise around in defining good practice for the sharing of sensitive information.
Q — RSA and SHA-1, recommended in the deal, have also been identified as problematic — why?
RSA is a public-key encryption method and is typically used to digitally sign a document, and thus prove its identity. It does this by taking a digital fingerprint (a digital hash) of the document and then encrypting it with the private key of the entity which is digitally signing the document. The entity’s public key is then used to prove the digital signature. In this case, RSA is used to prove the digital signature, and where SHA-1 is defined as the method of providing the digital fingerprint. While these were a good selection a decade or so ago, they are no longer up to modern security standards. The usage of 1,024 bit RSA keys is not recommended as there are great risks in producing a fake signature, and the usage of SHA-1 signatures has been shown to be flawed by researchers at Google. Normally, these days, we would look towards using 2,048-bit (2K) RSA keys and use SHA-256. You will struggle to find any Web site on the Internet which will use 1K RSA keys and/or SHA-1 for proving their identity.
Q — Is this a big deal or harmless oversight?
I believe that legal professionals and those in the public sector need to develop a stronger understanding of digital trust, and especially in understanding the technical nature of digital signatures. We need to move away from our world of wet signatures and taking scans of our signatures, towards a world which has trustworthy digital signatures. To see such poor standard used in such an important area is setting a poor example in building a trusted digital world.
Conclusions
We must build a new digital world and one which is trusted. There is no excuses for our leaders to not understand how to build a more secure future. Here’s a news item on this: