pacharanero / awesome-missing-nhs-things

an unAwesome list of missing NHS and Social Care interfaces, services, registers, and data sources.

Gravatar for patient photos - sketch of spec #1

Open pacharanero opened 5 years ago

pacharanero commented 5 years ago

In the NHS there has been discussion about ways to enable a patient photo to be obtained by legitimate care systems, to enable safer identification of the correct patient, and to help make healthcare more 'human-scale' when dealing with electronic patient records.

Gravatar does this already...

Gravatar (Globally Recognised Avatar) stores an image of the user, but it is only accessible if you know the MD5 hash of the user's email address. Because hashing is a one-way function, you must have access to the email address in the first place. MD5 is considered broken so I would suggest SHA-256 and the use of a 'salt' added to the hash to increase the difficulty of rainbow table or dictionary attacks.

Pavatar (Patient Avatar):

But instead of email address, we could link it to a patient's NHS number. A national central web service (an API) on HSCN would exist so that any EPR, PAS or other system could obtain a patient avatar photo.

NHS number: 123 456 7890
SHA-256 hashed NHS number: c775e7b757ede630cd0aa1113bd102661ab38829ca52a6422ab782862f268646

Web request: GET https://nww.patient-avatar.nhs.uk/c775e7b757ede630cd0aa1113bd102661ab38829ca52a6422ab782862f268646

Response: 200 OK and image file

Additional security:

HarvsG commented 3 years ago

> although the namespace for requesting random images is huge, so unlikely to be compromisable in a practical amount of time

The namespace of a SHA-256 is huge, but the namespace of all possible NHS numbers is only about 10^10; with approx 10^8 valid NHS numbers in existence, one could expect the hash of a guessed NHS number to return a valid Pavatar endpoint 1 guess out of 10^2 - quite easy. It would take a modern GPU seconds to minutes to generate the SHA-256 hash of every possible NHS number (10^10 / 3000 Mh/s).

I think it would make sense to add something to the NHS Number before hashing, as a 'salt' (although it wouldn't be a true salt as it would have to be known to the client) or otherwise. Maybe Date of Birth?
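The lookup-key derivation from the proposal above and HarvsG's enumeration estimate, carried through as an added example (not code from the issue or the repository). The date of birth, the shared key and the count of plausible dates of birth are constructed assumptions, and the HMAC variant is an alternative not on the page.

```python
import hashlib
import hmac

NHS_NUMBER = "123 456 7890"           # sample from the issue, not a real patient
DOB = "1970-01-01"                    # constructed sample date of birth (assumption)
SHARED_KEY = b"constructed-demo-key"  # hypothetical secret issued only to HSCN clients


def normalise(nhs_number: str) -> str:
    """Strip the spaces printed in an NHS number ('123 456 7890' -> '1234567890')."""
    return nhs_number.replace(" ", "")


def pavatar_key_plain(nhs_number: str) -> str:
    """Lookup key exactly as the issue proposes: SHA-256 of the bare NHS number."""
    return hashlib.sha256(normalise(nhs_number).encode()).hexdigest()


def pavatar_key_with_dob(nhs_number: str, dob: str) -> str:
    """HarvsG's idea: hash the NHS number with a client-known 'salt' (date of birth)."""
    return hashlib.sha256((normalise(nhs_number) + dob).encode()).hexdigest()


def pavatar_key_hmac(nhs_number: str, key: bytes) -> str:
    """Keyed alternative (assumption, not on the page): HMAC-SHA256 with a secret
    held by the avatar service and authorised clients only. Without the secret the
    key space cannot be enumerated, however small the NHS-number space is."""
    return hmac.new(key, normalise(nhs_number).encode(), hashlib.sha256).hexdigest()


def seconds_to_hash_all(candidates: float, hashes_per_second: float) -> float:
    """Time to hash every candidate at a given rate (the issue's 10^10 at 3000 Mh/s)."""
    return candidates / hashes_per_second


def salted_search_space(candidates: float, distinct_salts: float) -> float:
    """A client-known salt such as DOB only multiplies the guesser's work by the
    number of distinct salt values; it does not make the key unguessable."""
    return candidates * distinct_salts


if __name__ == "__main__":
    print("plain key :", pavatar_key_plain(NHS_NUMBER))
    print("with DOB  :", pavatar_key_with_dob(NHS_NUMBER, DOB))
    print("HMAC key  :", pavatar_key_hmac(NHS_NUMBER, SHARED_KEY))
    print("seconds to hash all 10^10 NHS numbers at 3000 Mh/s:",
          seconds_to_hash_all(1e10, 3000e6))
    # assumption: roughly 120 years * 365 days of plausible dates of birth
    print("candidates once DOB is appended:", salted_search_space(1e10, 120 * 365))
```

The plain key for the issue's sample number reproduces the hash quoted above, and the time estimate comes out at a few seconds, which is the point HarvsG makes.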