Brexit Deal Mandates Old Insecure Crypto Algorithms
In what is surely an unthinking cut-and-paste issue, page 921 of the Brexit deal mandates the use of SHA-1 and 1024-bit RSA:
The open standard s/MIME as extension to de facto e-mail standard SMTP will be deployed to encrypt messages containing DNA profile information. The protocol s/MIME (V3) allows signed receipts, security labels, and secure mailing lists… The underlying certificate used by s/MIME mechanism has to be in compliance with X.509 standard…. The processing rules for s/MIME encryption operations… are as follows:
- the sequence of the operations is: first encryption and then signing,
- the encryption algorithm AES (Advanced Encryption Standard) with 256 bit key length and RSA with 1,024 bit key length shall be applied for symmetric and asymmetric encryption respectively,
- the hash algorithm SHA-1 shall be applied.
- s/MIME functionality is built into the vast majority of modern e-mail software packages including Outlook, Mozilla Mail as well as Netscape Communicator 4.x and inter-operates among all major e-mail software packages.
And s/MIME? Bleah.
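The Annex text above pins S/MIME to sha1WithRSAEncryption signatures on 1024-bit RSA keys. Both have been disallowed for signature generation by NIST SP 800-131A since 2013, and SHA-1 now has practical collision attacks, which is what a forger needs against a certificate signature. What a practitioner will want at this point is a way to find out whether the certificates in their own S/MIME deployment actually carry those parameters. The following is an added example, not code from the post or from the legislation: a standard-library Python audit that walks the DER encoding of an X.509 certificate to its signatureAlgorithm OID and RSA modulus and flags MD5/SHA-1 signatures and moduli under 2048 bits. The function names are my own, the walker assumes well-formed definite-length DER and only inspects RSA keys, and `build_test_certificate` constructs a synthetic, unsigned certificate skeleton purely as test input.

```python
"""Audit an X.509 certificate's signature hash and RSA modulus size.
Added example: a minimal DER walker, not a full X.509 parser. Assumes
definite-length DER and only inspects RSA subject keys."""
import base64
import re

TAG_INTEGER, TAG_BITSTRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x03, 0x06, 0x30
RSA_OID = "1.2.840.113549.1.1.1"
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
WEAK_SIGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
MIN_RSA_BITS = 2048  # NIST SP 800-131A minimum for RSA signature generation

def _read_tlv(data, pos):
    """Decode one DER tag-length-value at data[pos]; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Split a constructed element's content into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = _read_tlv(value, pos)
        out.append((tag, body))
    return out

def _decode_oid(body):
    """Decode OID content bytes to dotted form (base-128 arcs, first byte = 40*a+b)."""
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    """Strip PEM armour and base64-decode, so a real certificate file can be audited."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))

def audit_certificate(der):
    """Return the signature algorithm, RSA modulus size and a list of findings."""
    _, cert, _ = _read_tlv(der, 0)
    tbs, sig_alg, _ = _children(cert)  # Certificate ::= SEQUENCE {tbs, sigAlg, sigValue}
    sig_name = SIG_OIDS.get(_decode_oid(_children(sig_alg[1])[0][1]), "unknown")
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    # tbs fields: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    key_alg, key_bits = _children(fields[5][1])
    modulus_bits = None
    if _decode_oid(_children(key_alg[1])[0][1]) == RSA_OID:
        # BIT STRING content = unused-bit byte, then RSAPublicKey SEQUENCE {n, e}
        modulus_bytes = _children(_children(key_bits[1][1:])[0][1])[0][1]
        modulus_bits = int.from_bytes(modulus_bytes, "big").bit_length()
    findings = []
    if sig_name in WEAK_SIGS:
        findings.append(f"signature uses {sig_name}: collision-prone hash")
    if modulus_bits is not None and modulus_bits < MIN_RSA_BITS:
        findings.append(f"RSA modulus is {modulus_bits} bits, below {MIN_RSA_BITS}")
    return {"signature_algorithm": sig_name, "rsa_modulus_bits": modulus_bits,
            "findings": findings}

# --- Constructed test data: a synthetic, unsigned certificate skeleton ---------
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return out

def _der_int(v):  # positive INTEGER; extra leading byte keeps the sign bit clear
    return _tlv(TAG_INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def _alg_id(oid):  # AlgorithmIdentifier with NULL parameters
    return _tlv(TAG_SEQUENCE, _tlv(TAG_OID, _encode_oid(oid)) + b"\x05\x00")

def build_test_certificate(modulus_bits, sig_oid):
    """Constructed input only: the right shape for the walker, not a usable cert."""
    modulus = (1 << (modulus_bits - 1)) | 1  # odd integer of the wanted size, not a key
    rsa_pub = _tlv(TAG_SEQUENCE, _der_int(modulus) + _der_int(65537))
    spki = _tlv(TAG_SEQUENCE, _alg_id(RSA_OID) + _tlv(TAG_BITSTRING, b"\x00" + rsa_pub))
    empty = _tlv(TAG_SEQUENCE, b"")  # issuer, validity, subject: not inspected here
    version = b"\xa0\x03\x02\x01\x02"  # [0] EXPLICIT INTEGER 2 (v3)
    tbs = _tlv(TAG_SEQUENCE, version + _der_int(1) + _alg_id(sig_oid)
               + empty + empty + empty + spki)
    return _tlv(TAG_SEQUENCE, tbs + _alg_id(sig_oid) + _tlv(TAG_BITSTRING, b"\x00" * 17))

if __name__ == "__main__":
    print(audit_certificate(build_test_certificate(1024, "1.2.840.113549.1.1.5")))
    print(audit_certificate(build_test_certificate(2048, "1.2.840.113549.1.1.11")))
```

To run it on a real certificate, pass `pem_to_der(open("cert.pem").read())` to `audit_certificate`. Non-RSA keys come back with `rsa_modulus_bits` set to `None` and no size finding, and the walker does not verify the signature or the chain; it only reports the parameters the Annex mandates.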
Fish • December 31, 2020 6:35 AM
A friend who pays more attention to this stuff than I do argued to me that a lot of people are missing the point here. It’s not something that was drafted for the deal itself; it incorporates an Annex to some existing EU legislation. Which is obviously now out of date, and I’m not defending that, but (my friend argued) the deal had no choice but to replicate the current EU legislation, as out of date as that may be.
I’m not familiar enough to know for sure whether it is true that the authors of the deal were bound to use the existing legislation or whether they had the option of updating it if they so chose, but their arguments did somewhat change my mind about this. Obviously still a problem, just maybe a different one to that which it at first appeared to be.
Original legislation is here: https://www.legislation.gov.uk/eudn/2008/616/annex/chapter/1/adopted