Is this the first ever practically-deployed use of a threshold scheme?
Jonathan Katz
jkatz at cs.umd.edu
Sat Jul 31 21:42:16 EDT 2010
On Sat, 31 Jul 2010, Jakob Schlyter wrote:
> On 31 jul 2010, at 08.44, Peter Gutmann wrote:
>
>> Apparently the DNS root key is protected by what sounds like a five-of-seven
>> threshold scheme, but the description is a bit unclear. Does anyone know
>> more?
>
> The DNS root key is stored in HSMs. The key backups (maintained by ICANN) are encrypted with a storage master key (SMK), created inside the HSM and then split among 7 people (aka "Recovery Key Share Holders"). To recover the SMK in case of all 4 HSMs going bad, 5 of 7 key shares are required. (https://www.iana.org/dnssec/icann-dps.txt section 5.2.4)
>
> According to the FIPS 140-2 Security Policy of the HSM, an AEP Keyper, the M-of-N key split is done using a La Grange interpolating Polynomial.
>
>
> I'd be happy to answer any additional questions,
>
> jakob (part of the team who designed and implemented this)
This is "just" Shamir secret sharing, not "real" threshold cryptography.
(In a threshold cryptosystem, the shares would be used in a protocol to
perform the desired cryptographic operation [e.g., signing] without ever
reconstructing the real secret.) Has real threshold cryptography never
been used anywhere?
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list