On Mon, 17 Mar 2003, Tim Churches wrote:
...
> The French and Swiss systems use a secret "salt" or a secret key to
> thwart dictionary attacks, which is I think what Andrew is referring to.

Tim,

  Adding a "secret salt" will similarly impact the desired record linking
capability. It is basically an encryption process where you do your best
to throw away the keys :-). In the process, you are throwing away data
forever.

Again:
  Without separation of duty, any cryptographically anonymized dataset can
be easily re-identified by someone. Of course, if you overwrite the data
with random data (or call it "secret salt" but throw away the key) to
forever delete data, no one can get to the information, not even yourself.

...
> That means that the data store is more prone to dictionary attacks by
> the custodian of the central database - so they still need to be
> trusted to a degree - but dictionary attacks still require a lot of
> resources to decrypt significant proportions of a database (but not
> too much for just one or two records).

Most likely only one or two records will be needed each time. :-) We have
to assume the worst case scenario where the entire "anonymized" database
has been copied and the attacker(s) will have the luxury of querying the
database for one record at a time whenever a "subject of interest" pops
up.

Does this scenario seem reasonable to you?

> However, use of salting or an extra layer of encryption thwarts people
> who steal or get unauthorised access to the database.

Unfortunately, it also thwarts the intended "re-identifiable" or
"linkable" record feature central to this particular design. The more you
"salt", the less information remains. Whatever information remains will
continue to be vulnerable to trial encryption attacks. This is hardly a
compelling defense when it involves pre-emptively destroying what we wish
to protect.

Best regards,

Andrew
---
Andrew P. Ho, M.D.
OIO: Open Infrastructure for Outcomes
www.TxOutcome.Org
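The trade-off Andrew describes, as an added example that is not from the thread: unkeyed hashes over a small identifier space (constructed records keyed on an assumed postcode plus birth year) are recovered by trial hashing, a keyed hash (HMAC) resists that only while the custodian keeps the key, and throwing the key away destroys the linkage the design needs.

```python
import hashlib
import hmac
import secrets
from itertools import product

# Constructed sample records (not from the thread). The identifier space is
# small (postcode plus birth year), which is what makes trial encryption cheap.
RECORDS = [
    {"postcode": "2000", "birth_year": 1975},
    {"postcode": "3000", "birth_year": 1980},
    {"postcode": "2000", "birth_year": 1975},   # same person as the first record
]
CANDIDATE_POSTCODES = [str(p) for p in range(2000, 4000)]   # assumed ranges
CANDIDATE_YEARS = range(1920, 2004)

def unkeyed_pseudonym(postcode, birth_year):
    """Plain SHA-256: preserves linkage, but anyone can re-hash candidates."""
    return hashlib.sha256(f"{postcode}|{birth_year}".encode()).hexdigest()

def keyed_pseudonym(key, postcode, birth_year):
    """HMAC-SHA256 with a custodian-held secret key (the 'secret salt')."""
    return hmac.new(key, f"{postcode}|{birth_year}".encode(), hashlib.sha256).hexdigest()

def reidentify(target, key=None):
    """Risk check: hash every candidate identifier and look for the target.
    Without the key only unkeyed guesses are possible."""
    for pc, yr in product(CANDIDATE_POSTCODES, CANDIDATE_YEARS):
        guess = keyed_pseudonym(key, pc, yr) if key else unkeyed_pseudonym(pc, yr)
        if hmac.compare_digest(guess, target):
            return (pc, yr)
    return None

def linked_pairs(pseudonyms):
    """Index pairs sharing a pseudonym: the records the custodian can still link."""
    n = len(pseudonyms)
    return {(i, j) for i in range(n) for j in range(i + 1, n)
            if pseudonyms[i] == pseudonyms[j]}

def demo():
    key, new_key = secrets.token_bytes(32), secrets.token_bytes(32)
    plain = [unkeyed_pseudonym(r["postcode"], r["birth_year"]) for r in RECORDS]
    keyed = [keyed_pseudonym(key, r["postcode"], r["birth_year"]) for r in RECORDS]
    # A record hashed later under a replacement key (old key thrown away) no longer links.
    relinked = keyed[:2] + [keyed_pseudonym(new_key, "2000", 1975)]
    return {
        "unkeyed_reversed": reidentify(plain[0]),
        "keyed_reversed_without_key": reidentify(keyed[0]),
        "keyed_reversed_with_key": reidentify(keyed[0], key),
        "unkeyed_links": linked_pairs(plain),
        "keyed_links": linked_pairs(keyed),
        "links_after_key_lost": linked_pairs(relinked),
    }
```

The dictionary here is only 168,000 candidates, which is why one record at a time is cheap to reverse exactly as Andrew argues; the keyed variant only moves the trust onto whoever holds the key.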
