<http://www.cryptonomicon.net/modules.php?name=News&file=print&sid=742>
Key Splitting : First (and Second) Person Key Escrow Date: Monday, April 12 @ 08:00:00 EDT Topic: Algorithms / Asymmetric Cipher One of our missions here at Cryptonomicon.Net is to advocate the use of appropriate cryptographic technology. One technology that's sorely missed in a number of commercial products is key splitting. Never heard of key splitting? That's not surprising. A recent google search on 'key-split' and 'key-splitting' turned up about 6000 results, while a search on 'PKI' returned over a million hits. 'Secret Sharing', the technical term, produces a few more hits, but not nearly as many as 'PKI'. Key Splitting, sometimes inaccurately called First Person Escrow, is a technique by which some "secret" string of bits (like you're web server's private key) is "split" into two or more "shares." The shares are distributed to trusted individuals to hold safe until such time as they are needed. In the event that your secret is destroyed (or more likely you forget the PIN or password used to encrypt your web server's private key,) the shares are recombined to recover the secret. Key Splitting is like an insurance policy for your keys. There are more than a couple algorithms for creating key shares. Menezes, et al.'s Handbook of Applied Cryptography presents the subject in a good way. We especially like the Handbook of Applied Cryptography as a source, as they provide a good deal of the math for math-minded implementors, but also spend time discussing the development of ideas and algorithms. Readers can also download sections of the "HAC" as .PDF's. Bruce Schneier's perennial favorite Applied Cryptography also describes key splitting algorithms, and for the less mathematically inclined has an expanded "plain English" description. Why should you care about Key Splitting? With the growth of crypto-enabled products: browsers, email clients, VPN clients, wireless access points, et cetera; more and more people are using strong encryption to protect their privacy or to establish their online identities. But in the rush to get products out the door, sometimes product managers forget to support proper key management techniques. While we've yet to see a product that gives out it's private keys to anyone who asks, we have seen a number of products where keys are encrypted under device master keys. What happens if you lose the device master key? Well... the answer from the support people is "don't lose the master key!" Some of these products have master keys derivable from serial numbers and salt values. One product we've seen (and you know who you are) derives it's device master key from it's serial number without salting. An attacker wishing to steal the device's master key (and all of the keys it protects) needs only to hash all possible serial numbers. As there were less than 10,000 of these devices made, this is certainly a tractable problem for an attacker. Key Splitting allows your IT staff to essentially back up the cryptographic module protecting your sensitive secret and private keys. If you're thinking that this sounds like it could be a security problem, then give yourself a few extra points. Key Splitting systems should be used in conjunction with a well defined IT process to protect the integrity of the system. There are, fortunately, several examples of how to properly do key splitting from a procedural point of view; your local CISSP should be able to find a process that works for you as it's unlikely that any one process will work for ALL environments. If you are in a position where you specify security features for your IT infrastructure, surprise your sales rep by asking "What key splitting features does your product support?" Give the supplier extra points if the sales rep understands what you're asking. If you are a product manager, please add key splitting to the list of key management features in your product. Security is playing a larger role in modern IT systems, and customers are starting to add modern key management features to their list of "best common practices." By supporting your customers' practices, you're only making your products more marketable. This article comes from Cryptonomicon.Net http://www.cryptonomicon.net/ The URL for this story is: http://www.cryptonomicon.net//modules.php?name=News&file=article&sid=742 -- ----------------- R. A. Hettinga <mailto: [EMAIL PROTECTED]> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]