On Sun, 16 Mar 2003, Adrian Midgley wrote:

> On Saturday 15 March 2003 14:52, Andrew Ho wrote:
>
> >   The _well-known_ trial-encryption attack works against
> > encrypted personal identifiers in storage.
>
> >   The attack uses new cryptotext generated from known personal
> > identifiers and a search through the database of stored
> > encrypted identifiers to find a match.
>
> Why is so much of the database available for arbitrary
> (dictionary) attacks to be run against it?

Adrian,
  The reason that we are interested in removing patient identifiers from
the database, in the first place, is that we don't entirely trust the
keeper of the database. So, we have to assume that the entire database is
available to the keeper of the database and to make sure that the patient
identity remains obscured despite availability of the data.

> One of the Anderson Principles is that access to the database
> and to individual records is logged, and it is also not obvious
> that the encrypted version of the data should be visible to
> those making a (n encrypted) dictionary attack on it.

Right - and how do we ensure that the log itself is complete and reliable?

> Design, rather than algorithm.

I agree 100%. But the protocol design aspect is quite hard. I think it is
very productive for us to discuss protocol design on this list. These are
issues that remain unresolved in current health info systems.

...
> Do they have the secret key of the person who encrypted it, or
> is this a system where the individuals do not hold their own
> encryption keys?

The encryption key and algorithm are both public knowledge (according to
Tim and various papers he cited). The situation is the same if a one-way
hash function is used to "encrypt" the identifiers.

Best regards,

Andrew
---
Andrew P. Ho, M.D.
OIO: Open Infrastructure for Outcomes
www.TxOutcome.Org
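
The point made in the message above, as an added example that is not part of the original thread: a pseudonym computed with a public algorithm and no secret (a plain hash here) can be recomputed and matched by anyone who holds the stored column and a list of candidate identifiers. The identifiers, the key, and the HMAC variant with a key held outside the database are all constructed assumptions for illustration.

```python
import hashlib
import hmac

def public_pseudonym(identifier: str) -> str:
    """Unkeyed one-way hash: the algorithm is public and no secret is involved."""
    return hashlib.sha256(identifier.encode()).hexdigest()

def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Assumption: the key is held by a party
    other than the keeper of the database."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()

def reidentifiable(stored: set, known_ids: list, transform) -> list:
    """Return the known identifiers whose recomputed pseudonym
    appears in the stored pseudonym column."""
    return [i for i in known_ids if transform(i) in stored]

def audit() -> dict:
    """Check both schemes from the viewpoint of a database keeper who
    holds the whole stored column and a list of candidate identifiers."""
    # Constructed sample identifiers, not real patient data.
    known = ["patient-1001", "patient-1002", "patient-9999"]
    enrolled = known[:2]  # only these two are actually in the database
    secret = b"constructed-key-held-off-database"

    public_col = {public_pseudonym(i) for i in enrolled}
    keyed_col = {keyed_pseudonym(i, secret) for i in enrolled}

    return {
        # Public transform: every enrolled identifier is matched.
        "public": reidentifiable(public_col, known, public_pseudonym),
        # Keyed column, keeper recomputes the public hash: no match.
        "keyed": reidentifiable(keyed_col, known, public_pseudonym),
        # Keyed column, keeper tries HMAC with a wrong key: no match.
        "keyed_wrong_key": reidentifiable(
            keyed_col, known, lambda i: keyed_pseudonym(i, b"wrong-guess")
        ),
    }

if __name__ == "__main__":
    for scheme, matched in audit().items():
        print(f"{scheme}: {matched}")
```

The keyed variant only helps while the key stays unavailable to the database keeper; it relocates the trust to the key holder rather than removing it.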
