On Thu, 20 Dec 2001, Richard Levitte - VMS Whacker wrote:

> There are devices out there (I'm thinking of nCipher boxes, but I bet
> there are others) where you can protect something (in the nCipher
> case, the admin card) with n passwords, of which any m (m <= n) are
> required to unlock the encrypted "something".
>
> I've heard of two technologies, but have no docs and do not really
> know what to search for.  The first is to have m*n (or whatever the
> formula would be) copies of "something", protected with all the
> different needed permutations of the passwords.  My gut feeling is
> that this method sucks.  The second method involves some clever
> splitting of "something" and some kind of protection of each part.
>
> If there's anyone who knows more or can point me in the right
> direction, I'd appreciate it.

There's a "secret sharing" technique, often based on a system of linear
equations. One could solve that given enough equations (shares).
The Lagrange formula is used to recover the secret.
Related techniques are calculating the multiplication of two secrets
available as shares and doing modular inverse.
Equations are good for "any k of n originally distributed shares" logic
and some research was done on alternative access structures.

> My goal is to apply whatever I come up with on usual PEM-formatted RSA
> keys, and possibly to insert code in OpenSSL for this.

One could apply this sharing to the secret exponent for key storage
and recover it before using such a key. Alternatively, one could
run a protocol among share holders to do the power modulo operation
using their shares without revealing them and combining results.
One could generate a key in shares by running another protocol with
no single CPU handling the whole key.

There are a couple of flavours of the sharing technique, some of them
suggesting blindly trusting share holders and some allowing one to detect
and locate invalid shares. A nice "share refresh" protocol was
suggested: sharing a zero value and adding shares of zero to "old" shares,
resulting in a "new" share set that would recover the same key (secret).

Using secret-sharing technique with DH is the easiest idea.
RSA and DSA could be implemented as well.

The Papers/Authors/URLs list might be rather long. I do remember a paper
of Boneh and Franklin on key-share generation and there was the ITTS project
with nice pointers to read further. "Alternative" secret exponent
calculation code suitable for a key-share generator was here on this list
a year ago and no errors were found since then. Please use it for OpenSSL
if it fits somewhere.

One will likely need to come up with a suitable (agreed?) format for
such shares. CRT numbers are probably irrelevant for shares of
an RSA key, and two other numbers (share index and number of shares)
should be saved for a basic sharing scheme.

hope this helps,
Vadim

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
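
The "any k of n" sharing, Lagrange recovery and zero-share refresh described in the reply above, as an added example that is not part of the original message and is not OpenSSL code. The prime P, the function names and the single-dealer refresh (a real refresh protocol has the holders deal the zero sharing among themselves) are assumptions of this sketch.

```python
import secrets

# Field modulus: the Mersenne prime 2**127 - 1 (assumed for this example;
# any prime larger than the secret and the number of shares works).
P = 2**127 - 1

def _poly_eval(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split(secret, k, n):
    """Return n shares (index, value); any k of them recover the secret."""
    if not (1 <= k <= n < P and 0 <= secret < P):
        raise ValueError("need 1 <= k <= n < P and 0 <= secret < P")
    # Degree k-1 polynomial whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(i, _poly_eval(coeffs, i)) for i in range(1, n + 1)]

def recover(shares):
    """Lagrange interpolation of the sharing polynomial at x = 0."""
    if len({i for i, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # Modular inverse of den via Fermat's little theorem (P is prime).
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def refresh(shares, k):
    """Add a fresh k-of-n sharing of zero to each share.

    The new set recovers the same secret, but old and new shares
    can no longer be combined with each other.
    """
    n = max(i for i, _ in shares)
    zero = dict(split(0, k, n))
    return [(i, (y + zero[i]) % P) for i, y in shares]
```

Fewer than k shares, or a mix of pre-refresh and post-refresh shares, interpolate to an unrelated field element rather than raising an error, so a stored share format needs its own integrity check.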
