[Cryptography] Secret sharing for family members

Phillip Hallam-Baker phill at hallambaker.com
Fri Oct 16 10:49:13 EDT 2020


[Earlier comments lost from the thread]

OK so I do not have code right now that is responsive to the original
question. I may have code in a few weeks or months but releasing encryption
code is a tricky thing, I want to be as certain as I can before launch.

I don't see anyone else with a product there that really meets this need.
So what I propose to do instead is look at what it would take to get us
there.

On Fri, Oct 16, 2020 at 8:21 AM Jerry Leichter <leichter at lrw.com> wrote:

>
> >>> Store an offline copy (such as a CD) of the password manager file
> >>> holding all those digital estates in a safe....
> > Now it is easier with a USB "disk" or SD card and an essential printed
> HOWTO,
> > all held in a safe deposit box along with the HOWTO in custody
> elsewhere, such
> > as wherever a copy of your will is retained.  Refresh appropriately from
> > time-to-time.
> Neither writable CD's nor SSD media are good for long-term storage.  Both
> will deteriorate and become unreadable in a fairly small number of years.
> Given the underlying nature of the task here - making data available to
> heirs - the limits on the lifetime of the media is significant.
>

I see no value in them at all for data storage. The only reason I use them
at all is that if I buy music from the iTunes store, I have to go through a
faff to get the data. I have a process for ripping CDs. It is pretty clear
that CDs will be gone soon. SSDs have a finite lifetime, but let's do this
systematically:

Confidentiality - can anyone read the data before they should?
Integrity - can the data be modified without detection?
Availability - could we lose the data?

The most important of these is the last so we should consider it first.

At this point the only data that a normal user is likely to have that is
going to tax their storage system is video. Even a professional
photographer shooting 45MP RAW would have difficulty filling up a hard
drive with stills.

So it looks to me like the best solution for availability is going to be to
outsource that to a cloud service. And it seems to me that a $25 one off
fee for a small amount of permanent storage (50GB say?) separate from
everything else would be quite practical.

There is a marketing issue there in that the only companies that I would
trust to provide such a service, that is, are likely to still exist in ten
or fifty years' time, are ones that are unlikely to be interested in offering
it. The only one that might is Google, which has a really rotten reputation
when it comes to committing to support their services over long periods of
time.


OK, so cloud means we have to have confidentiality which means encryption.



> Others have suggested, for other reasons, going with paper.  Paper, if
> reasonably carefully stored, should remain readable for many decades.  Go
> with acid-free paper and store it in a safety deposit box and it should be
> good for many centuries.
>

UDF Shamir secrets are simply Base32 strings with separators:

   f(1) = SAYN-KTFM-QSEH-5LYP-HTSI-XEV4-MFCG-E
   f(2) = SAYR-CV3K-UBS5-PIKF-SUD2-5PGS-IR3H-6
   f(3) = SAZH-5BO3-QPXT-AZ7Z-YHMJ-YTSZ-TI4R-O
   f(4) = SAZR-ZV77-F4SI-SAZL-YNLV-IR2S-MKF4-I
   f(5) = SA2O-YTOV-UIC6-C4W3-TGB5-NJ54-TVXO-Y

The above are five shares with a threshold of three which may be used to
recover a 128 bit master secret which is a sufficient work factor for the
non quantum cryptanalysis case. If you want 256 bits, the shares will each
be twice as long.

There is a small amount of control information in the above, the first two
bytes specify the type of key (Shamir/Lagrange secret share), the x
coordinate and the threshold.


> I wouldn't go fancy with QR codes - a technology that might fade.  Just
> use a couple of randomly chosen words - easy for anyone to type, easy to
> get enough entropy for a portion of a key.
>

At this point, QR codes will be with us for the next thousand years. There
might be a better technology but it will supplement, not replace.



> I don't know of any stock program to do this kind of secret splitting and
> recombining, but the algorithms are simple enough.  You could include a
> listing of such a program on the sheet of paper just in case the program
> itself isn't readily available years from now.  I'd suggest FORTRAN as it's
> likely to survive us all. :-)
>

meshman does exactly that but it isn't quite ready for use yet.
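The share format sketched above (Base32 groups with a couple of control bytes in front, five shares, threshold three, 128-bit master secret) is easy to reproduce end to end, and doing so makes the integrity point in the post concrete. The following is an added example, not code from the original post and not the Mesh/UDF project's own implementation. It splits the secret byte by byte over GF(2^8) with the AES polynomial, which keeps each share the same length as the secret plus a header; the two-byte header layout (an assumed type tag 0x90, then threshold and x coordinate packed into one byte) is this example's own convention and is not the UDF wire format. The sample secret is constructed for the test.

```python
"""Byte-wise Shamir secret sharing over GF(2^8) with Base32 share strings.

Added example, not code from the original post or from the Mesh/UDF project.
The share layout (two header bytes, then one byte per secret byte) is an
assumption modelled on the post's description; it is NOT the UDF wire format.
"""
import base64
import secrets

SHARE_TYPE = 0x90  # assumed type tag for "Shamir/Lagrange share"; not a UDF value


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1 (0x11b)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse a^254 in GF(2^8) (a^255 == 1); a must be nonzero."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def split_secret(secret: bytes, n: int, k: int) -> list[bytes]:
    """Split secret into n raw shares, any k of which recover it.

    Each share is header (type, threshold<<4 | x) followed by one polynomial
    evaluation per secret byte. x runs 1..n; f(0) holds the secret byte.
    """
    if not 1 <= k <= n <= 15:
        raise ValueError("need 1 <= k <= n <= 15 for the 4-bit header fields")
    ys = [bytearray() for _ in range(n)]
    for s in secret:
        # Fresh random polynomial f(x) = s + c1*x + ... + c_{k-1}*x^{k-1} per byte.
        coeffs = [s] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x in range(1, n + 1):
            acc = 0
            for c in reversed(coeffs):  # Horner's rule
                acc = gf_mul(acc, x) ^ c
            ys[x - 1].append(acc)
    return [bytes([SHARE_TYPE, (k << 4) | x]) + bytes(ys[x - 1]) for x in range(1, n + 1)]


def recover_secret(shares: list[bytes]) -> bytes:
    """Lagrange-interpolate f(0) byte by byte from the first k distinct shares.

    Shamir shares carry no integrity: a corrupted share yields a wrong secret
    without any error, so keep a separate fingerprint of the master secret.
    """
    if any(s[0] != SHARE_TYPE for s in shares):
        raise ValueError("not all inputs are Shamir shares of the assumed type")
    k = shares[0][1] >> 4
    if len(shares) < k:
        raise ValueError(f"threshold is {k}, only {len(shares)} shares supplied")
    shares = shares[:k]
    xs = [s[1] & 0x0F for s in shares]
    if len(set(xs)) != len(xs) or len({len(s) for s in shares}) != 1:
        raise ValueError("shares must have distinct x coordinates and equal length")
    out = bytearray()
    for pos in range(2, len(shares[0])):
        acc = 0
        for i, xi in enumerate(xs):
            # Lagrange basis at 0: prod_{j!=i} x_j / (x_i - x_j); minus is xor here.
            num = den = 1
            for j, xj in enumerate(xs):
                if j != i:
                    num = gf_mul(num, xj)
                    den = gf_mul(den, xi ^ xj)
            acc ^= gf_mul(shares[i][pos], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def encode_share(raw: bytes) -> str:
    """Uppercase Base32 without padding, hyphen every four characters."""
    b32 = base64.b32encode(raw).decode().rstrip("=")
    return "-".join(b32[i:i + 4] for i in range(0, len(b32), 4))


def decode_share(text: str) -> bytes:
    """Inverse of encode_share; restores Base32 padding before decoding."""
    b32 = text.replace("-", "").strip().upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


if __name__ == "__main__":
    master = secrets.token_bytes(16)  # 128-bit master secret
    for share in split_secret(master, 5, 3):
        print(encode_share(share))
```

Because the type byte 0x90 contributes the first five bits "10010" and the threshold/x byte leaves the next five bits zero, every share printed by this layout starts with "SA" as in the post's listing, though that is a coincidence of this example's header choice rather than evidence of matching the UDF encoding. The recovery routine deliberately does not try to detect a tampered or mistyped share; that is the integrity gap the post's C-I-A list raises, and the usual answer is to store a fingerprint of the master secret next to the shares so the heir can confirm a successful reconstruction.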