[Cryptography] Key escrow scheme

Phillip Hallam-Baker phill at hallambaker.com
Thu Apr 6 08:11:49 EDT 2017


If we are going to encourage people to use strong encryption for stored
data, the absolute first priority must be to make sure they don't
cryptolocker themselves and lose the pictures of the kids.

Making such a scheme usable is somewhat tricky because we would want to
make the shares used to secure the key to be as small as possible for
convenience which indicates 128 bit work factor for the master key. But I
would really like to make use of 256 bit AES throughout. This got me
thinking about the nature of the work factor requirement with more
precision than just 'make it 256 bit WF everywhere'. In particular I want

* A 2^128 WF against brute force attack
* A 2^256 WF against related key attacks

It seems very probable that any conventional machine attack that is more
efficient than brute force is going to be exploiting some form of related
key attack. Even with quantum, the efficiency is coming with the ability to
test on relations between multiple keys simultaneously.

[BTW, has anyone considered the possibility that the Skyrim God of the dead
Shor is a reference to Peter Shor. Skyrim's world is of course entirely
generated by computer and an algorithm that breaks crypto...]


So my scheme is the following:

1) Generate a 128 bit master secret using the best random number generation
available.

2) Split the master secret into m of n shares using XOR if m=n=2 and Shamir
secret sharing otherwise.

3) Stretch the key using HKDF (RFC 5869). The parameters are

* Master salt (applies to the set of keys) is constructed from the IANA
protocol identifier plus a protocol specific extension.

* Key salt, is the key function 'Encrypt', 'Authenticate'.

4) Encrypt the private key set using AES-256. Right now I am using CBC and
HMAC-SHA-2-512 but I will move to GCM when I can.

5) The identifier for the key is a UDF fingerprint formed using a one byte
version prefix, SHA-2-512, base 32 encoding of the master secret and
truncating to 25 significant characters.

6) Publish the escrow package to the Mesh.


What I hope to achieve with this scheme is a situation where brute force
attacks and anything more powerful are both infeasible.