CESG RECOMMENDATIONS FOR SECURE ELECTRONIC MAIL
A Statement by Andrew Saunders, Director CESG.
The CESG recommendations for securing electronic mail within HMG draw upon the Royal Holloway key management architecture. Both have been the subject of criticism which is not well founded or which has been overtaken by the natural development of the architecture. Responses to the main points of criticism are given below.
Some commentators have confused the relationship between the recommendations and a National Health Service project for a secure network. The two are similar but distinct. In early 1996 Zergo Limited produced a study on the use of encryption services for an NHS-wide network. It recommended that the NHS should adopt X.509 Authentication Framework, Certification Authorities, X.509 version 3 certificates, Trusted Third Parties, Diffie-Hellman, Red Pike, DSA etc, but did not refer to CESG's recommendations, only to CESG. It has been incorrectly assumed that the recommendations are the same as the solution proposed for the NHS. However, CESG's programme is aimed only at HMG and has no connection with the Zergo proposal.
The most extensive critique has appeared in a paper by Dr Ross Anderson and Michael Roe entitled "The GCHQ (sic) Protocol and its Problems". Its conclusions are highly critical of the CESG approach but there is little if anything within the reference to substantiate these conclusions. Responses to the authors' own summary of the criticisms (paraphrased for brevity) are given below:
CESG's recommendations provide none of the advantages of either public key or secret key cryptography and are too complex for safe implementation.
This is not so much an attack on the recommendations as an objection to the Trusted Third Party concept and the need for key recovery. The recommendations offer a realistic architectural solution to a complex problem and, as with any system, will require professional implementation.
They impose a rigid hierarchy.
The frameworks for confidentiality and authentication have been designed to cater for a wide range of environments. A hierarchy is defined only for the authentication framework and this is necessary because good security requires tight control.
The plan to bootstrap signature keys from escrowed confidentiality keys disregards the realities of evidence.
This confuses the authentication and confidentiality frameworks. There is no intention to bootstrap signature keys required for non-repudiation purposes within the authentication framework. Within the confidentiality framework keys are held at a management station for key recovery purposes.
There are serious technical problems with the modifications made to the US MSP (Message Security Protocol).
CESG's modifications have been made after careful consideration of government requirements and in consultation with departments; they are sensible responses to these requirements. The specific criticisms made in the paper show a lack of understanding of the changes.
It is important to note that the CESG recommendations separate the authentication and confidentiality frameworks. Many of the criticisms confuse the two. Another common misconception is that the CESG Red Pike algorithm is being recommended for use in the public arena. No confidentiality algorithm is mandated in the recommendations: for HMG use, however, approved algorithms will be required; Red Pike was designed for a broad range of HMG applications.
It has been observed that there are potential security weaknesses in inter-TTP communications within the Royal Holloway architecture. CESG is fully aware of the need adequately to secure such high level exchanges and there are a number of ways this could be done. It has also been suggested that a TTP network could become large and that some users would have to keep a large number of public keys. This problem is overcome in the Royal Holloway architecture since any user can obtain all the necessary key material for communication from its local TTP. This is inherently more scalable than other approaches.
CESG recognises that the development of architectures for PKC implementations of secure messaging is evolutionary and that much valuable work is underway in academic and commercial circles. CESG intends to continue to take advantage of this work.
Director, CESG.
Posted 25 February 1997.