Cryptonomicon.Net - Key Splitting : First (and Second) Person Key Escrow

R. A. Hettinga rah at shipwright.com
Tue Apr 13 09:30:26 EDT 2004 

<http://www.cryptonomicon.net/modules.php?name=News&file=print&sid=742>


 Key Splitting : First (and Second) Person Key Escrow
Date: Monday, April 12 @ 08:00:00 EDT
Topic: Algorithms / Asymmetric Cipher



 One of our missions here at Cryptonomicon.Net is to advocate the use of
appropriate cryptographic technology. One technology that's sorely missed
in a number of commercial products is key splitting. Never heard of key
splitting? That's not surprising. A recent google search on 'key-split' and
'key-splitting' turned up about 6000 results, while a search on 'PKI'
returned over a million hits. 'Secret Sharing', the technical term,
produces a few more hits, but not nearly as many as 'PKI'.




 Key Splitting, sometimes inaccurately called First Person Escrow, is a
technique by which some "secret" string of bits (like you're web server's
private key) is "split" into two or more "shares." The shares are
distributed to trusted individuals to hold safe until such time as they are
needed. In the event that your secret is destroyed (or more likely you
forget the PIN or password used to encrypt your web server's private key,)
the shares are recombined to recover the secret. Key Splitting is like an
insurance policy for your keys.

 There are more than a couple algorithms for creating key shares. Menezes,
et al.'s Handbook of Applied Cryptography presents the subject in a good
way. We especially like the Handbook of Applied Cryptography as a source,
as they provide a good deal of the math for math-minded implementors, but
also spend time discussing the development of ideas and algorithms. Readers
can also download sections of the "HAC" as .PDF's. Bruce Schneier's
perennial favorite Applied Cryptography also describes key splitting
algorithms, and for the less mathematically inclined has an expanded "plain
English" description.

 Why should you care about Key Splitting? With the growth of crypto-enabled
products: browsers, email clients, VPN clients, wireless access points, et
cetera; more and more people are using strong encryption to protect their
privacy or to establish their online identities. But in the rush to get
products out the door, sometimes product managers forget to support proper
key management techniques. While we've yet to see a product that gives out
it's private keys to anyone who asks, we have seen a number of products
where keys are encrypted under device master keys. What happens if you lose
the device master key? Well... the answer from the support people is "don't
lose the master key!" Some of these products have master keys derivable
from serial numbers and salt values. One product we've seen (and you know
who you are) derives it's device master key from it's serial number without
salting. An attacker wishing to steal the device's master key (and all of
the keys it protects) needs only to hash all possible serial numbers. As
there were less than 10,000 of these devices made, this is certainly a
tractable problem for an attacker.

 Key Splitting allows your IT staff to essentially back up the
cryptographic module protecting your sensitive secret and private keys. If
you're thinking that this sounds like it could be a security problem, then
give yourself a few extra points. Key Splitting systems should be used in
conjunction with a well defined IT process to protect the integrity of the
system. There are, fortunately, several examples of how to properly do key
splitting from a procedural point of view; your local CISSP should be able
to find a process that works for you as it's unlikely that any one process
will work for ALL environments.

 If you are in a position where you specify security features for your IT
infrastructure, surprise your sales rep by asking "What key splitting
features does your product support?" Give the supplier extra points if the
sales rep understands what you're asking.

 If you are a product manager, please add key splitting to the list of key
management features in your product. Security is playing a larger role in
modern IT systems, and customers are starting to add modern key management
features to their list of "best common practices." By supporting your
customers' practices, you're only making your products more marketable.







 This article comes from Cryptonomicon.Net
http://www.cryptonomicon.net/

 The URL for this story is:
http://www.cryptonomicon.net//modules.php?name=News&file=article&sid=742

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list