> There are devices out there where you can protect something
> with n passwords, of which any m (m <= n) are
> required to unlock the encrypted "something".
>
> The second method involves some clever
> splitting of "something" and some kind of protection of each part.

My copy of "Applied Cryptology" is hiding, again, but I know it
discusses this. You use the secret to define a set of linear
equations over a finite field, and distribute only some examples
to each person.

As a trivial example, if the secret you want to protect is 25, you
might use

    x = 2, y = 5, secret = 10 * x + y

    3 x + 7 y = 1 (modulo 10)
    5 x + 2 y = 0 (modulo 10)

(where the coefficients are picked at random, except you do want to
eliminate any duplicates).

You give Alice (3, 7, 1; 10) and Bob (5, 2, 0; 10). Neither can solve
the equation with their information alone, but it's a trivial problem
with both keys.

Of course, Alice could enumerate all possibilities that satisfy her
equation. It's not too bad with this equation... but in practice your
secrets won't be that small. For instance, one secret worth protecting
is the 128-bit session key used to encrypt a sensitive file. If you
have half of the necessary equations, you still need to explicitly
try 2^64 possible keys!

As long as the equations are independent, you can use as many samples
as you wish. This allows you to give some people more authority, e.g.,
to allow two senior managers to get access, but require at least
5 mid-level managers.

> My goal is to apply whatever I come up with on usual PEM-formatted RSA
> keys, and possibly to insert code in OpenSSL for this.

I would suggest that you keep the key in PKCS8 format, but with a
random encryption key that's protected in this manner. The protected
key is best held in a "bag" of some type (perhaps one of the existing
types?), with each entry containing a hash of the public key (so you
can figure out what it decrypts!) and a sequence of ASN.1 integers for
each coefficient and the result.

A variant of this can be used to make keys that can always be retrieved
by a suitable authority - they just get a bag with enough samples to
solve the equation.

Bear Giles
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
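
The scheme described in this message, as an added example that is not part of the original post or of OpenSSL: shares are random linear equations, pooled shares are solved by elimination, and a lone holder's search space is enumerated. The prime modulus `P` and the names `make_shares`, `solve` and `candidates` are assumptions of the example; `ALICE` and `BOB` hold the message's own modulo-10 equations.

```python
import itertools
import math
import secrets

P = 2**127 - 1  # prime modulus: an assumption of this example, not from the email

def make_shares(unknowns, n, p=P):
    """Return n equations (coeffs, result) that the secret unknowns satisfy mod p."""
    shares = []
    for _ in range(n):
        coeffs = [secrets.randbelow(p - 1) + 1 for _ in unknowns]
        result = sum(c * u for c, u in zip(coeffs, unknowns)) % p
        shares.append((coeffs, result))
    return shares

def solve(shares, p=P):
    """Gauss-Jordan elimination mod p; ValueError if too few independent equations."""
    k = len(shares[0][0])
    rows = [[c % p for c in coeffs] + [result % p] for coeffs, result in shares]
    for col in range(k):
        # A usable pivot must be invertible mod p (any non-zero value if p is prime).
        pivot = next((r for r in range(col, len(rows))
                      if math.gcd(rows[r][col], p) == 1), None)
        if pivot is None:
            raise ValueError("not enough independent equations")
        rows[col], rows[pivot] = rows[pivot], rows[col]
        inv = pow(rows[col][col], -1, p)
        rows[col] = [v * inv % p for v in rows[col]]
        for r in range(len(rows)):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(a - f * b) % p for a, b in zip(rows[r], rows[col])]
    return [rows[i][k] for i in range(k)]

def candidates(share, p):
    """Every assignment consistent with one share: what a lone holder can enumerate."""
    coeffs, result = share
    return [xs for xs in itertools.product(range(p), repeat=len(coeffs))
            if sum(c * x for c, x in zip(coeffs, xs)) % p == result]

# The email's toy example: secret 25 as x = 2, y = 5, equations taken modulo 10.
ALICE, BOB = ([3, 7], 1), ([5, 2], 0)

if __name__ == "__main__":
    x, y = solve([ALICE, BOB], p=10)
    print("recovered secret:", 10 * x + y)
    print("Alice alone narrows 100 candidates to", len(candidates(ALICE, 10)))
```

A single share in the toy case leaves 10 of the 100 possible (x, y) pairs, the small-scale version of the 2^64 remaining keys mentioned in the message.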