Today's Debate: Does Elcomsoft hack kill digital signatures?

At the heart of the SAFE-Biopharma plan enabling electronic medical records with security is the idea that doctors won't have to carry digital keys.

Instead, Arcot Systems will maintain a database of keys and users will authenticate to that system using simple passwords.

It is this, the use of basic passwords for authentication, which is threatened by a patent pending technique from ElcomSoft of Russia.

What the company did was to off-load the task of trying new passwords to a graphics processor, specifically an nVidia GoForce board. The graphics chip is designed to race through such simple tasks, so ElcomSoft says it can crack passwords 25 times faster than any system using a main chip.

This means that passwords are not safe. Not safe enough for medical records anyway.

One possible solution is to use real keys, to embed a digital signature in a stick memory that the doctor or pharmacist carries around. There are already password programs like RoboForm which run on stick memories. Outfitting such a program with a full 140-digit or 145-digit digital key is not a big deal.

But now, in a way, we're back to square one. Keys can get lost. They can get stolen. They can be misused. How do you authenticate that the user of a key is the person who is entitled to use the key?

The policy question of electronic records, then, meets squarely with the technical question of protecting passwords or digital signatures. In order for the first to proceed, the second has to be solved in a standard manner which everyone agrees to and which is inexpensive to implement.