At 04:59 PM 03/29/2000 -0800, John Gilmore wrote:
>>>Are there any freely-available secret-sharing packages around? Specifically,
>>>I need to be able to set up modestly complex policies to protect a sensitive
>>>signature key.
>> 
>> I use Hal Finney's "secsplit". Google found it in a couple of places; it 
>> doesn't seem to have been updated since 1993.
>
>This is why I don't recommend secret-sharing for important DNSSEC
>private keys.  Using infrequently maintained software increases the
>risk of losing the key, perhaps years from now when you suddenly
>decide you need it.
..... [suggested plan, deleted].
>I'd put it as ink on good paper inside steel, rather than rely on some obscure
>secret sharing software from ten years earlier, that won't run on
>modern bloodstream-resident computers.

Modestly complex policies probably require real software,
particularly if you're trying to be efficient and fast.

But for John's problem, it makes more sense to go for simple.
For the long term, it's much more likely that any computer media
will be hard to find usable readers for in the future,
and complex data formats like PGP's and X.509's ugly bit-twiddlers
make it *much* more difficult to use.  The fundamental algorithms
for secret-sharing and RSA can all be done with bignums
and short paper documentation, and you can do the complex parts
(e.g. good random number generation) up front with your existing tools
and keep the downstream work to simple stuff.

If all you need is to do N-Way splitting, without M-of-N redundancy,
generate N-1 nonces the same length as the secret, and calculate
        Share1   = Nonce1
        ....
        ShareN-1 = NonceN-1
        ShareN = Secret Xor Nonce1 Xor ... Xor NonceN-1
print them on paper with an indication of what they are
and the algorithm used and where the parts are stored, 
store securely, and when needed, calculate
        Secret = ShareN Xor Share1 Xor ... Xor ShareN-1

A crude redundancy approach is to just store two copies of each piece,
which should be adequate if you're just splitting a few ways.
If you really need M-of-N for reliability, use Shamir sharing,
and make sure all the secret-reconstruction calculations can be done by 
any convenient bignum calculator (as opposed to the XOR method,
which can be done by hand or abacus :-)



                                Thanks! 
                                        Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
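
The N-way XOR split described in the message above, as an added example that is not part of the original message or from its author. The function names, the "XOR-N-of-N" label and the printed line format are assumptions chosen here to show shares that carry "an indication of what they are and the algorithm used".

```python
import secrets
from functools import reduce

ALGO = "XOR-N-of-N"  # label printed on every share (name constructed for this example)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must all be the same length as the secret")
    return bytes(x ^ y for x, y in zip(a, b))

def split(secret: bytes, n: int) -> list[bytes]:
    """Share1..ShareN-1 are random nonces; ShareN = Secret xor all nonces."""
    if n < 2:
        raise ValueError("need at least two shares")
    nonces = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    return nonces + [reduce(xor_bytes, nonces, secret)]

def combine(shares: list[bytes]) -> bytes:
    """Secret = ShareN xor Share1 xor ... xor ShareN-1 (order is irrelevant)."""
    return reduce(xor_bytes, shares)

def to_paper(shares: list[bytes]) -> list[str]:
    """Render each share as a labelled line of 4-hex-digit groups for printing."""
    n = len(shares)
    lines = []
    for i, s in enumerate(shares, 1):
        h = s.hex().upper()
        groups = " ".join(h[j:j + 4] for j in range(0, len(h), 4))
        lines.append(f"{ALGO} share {i}/{n}: {groups}")
    return lines

def from_paper(lines: list[str]) -> list[bytes]:
    """Parse typed-in lines; refuse to proceed unless all N shares are present."""
    found = {}
    for line in lines:
        label, hexpart = line.split(":", 1)
        algo, _, idx = label.split()
        i, n = (int(v) for v in idx.split("/"))
        if algo != ALGO:
            raise ValueError(f"unknown algorithm label {algo!r}")
        found[(i, n)] = bytes.fromhex(hexpart.replace(" ", ""))  # a second copy of a share is harmless
    ns = {n for _, n in found}
    if len(ns) != 1 or {i for i, _ in found} != set(range(1, ns.pop() + 1)):
        raise ValueError("all N shares of one split are required")
    return [found[k] for k in sorted(found)]
```

Parsing by label rather than by position means a duplicate stored copy of a share can be typed in without corrupting the result, while a missing share is reported instead of silently producing the wrong secret.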
