The BBC is reporting today that the Brexit deal, nearly 2 years in the making, barely a week old, and unanimously approved by all 27 EU member states, appears to have sections that are likely to have been cut-and-paste from decades old legislation and havent been proof-read by anyone who understands the security implications.
About three quarters of the way into the document is an explanation has to how DNA profiles will be securely shared between member states via email:
- “Encrypt, THEN sign”. Ok, they got that bit right.
- “Encryption WILL be with either AES with symetric key size of 256 bits, or RSA with 1024 bit asymetric keys.”
- Hashing will be achieved with SHA-1
In 2003, RSA Security claimed that 1024-bit keys were likely to become crackable some time between 2006 and 2010, while 2048-bit keys are sufficient until 2030.
SHA-1 has been known to be insecure for 15 years. US Federal agencies have been banned from using this method of digital signature for a decade.
The document then goes on to call Mozilla Mail (superceded by SeaMonkey in 2006) and Netscape Communicator 4.x (not updated since 2002) ‘modern email software packages’, although it stops short of enforcing their use. It does, however, say that the Java Mail API (who’s final release was August 2018) and the Bouncy Castle JCE will be used to produce prototype systems to exchange DNA profiles, vehicle registration data and fingerprints between member states.
The entire document can be downloaded from gov.uk