Jerry Leichter <leich...@lrw.com> writes: >Here's how I would do it: Key segments are stored on USB sticks. There's a >spot on the device with m USB slots, two buttons, and red and green LED's. >You put your "USB keys" into the slots and push the first button. If the red >LED lights - you don't have enough sticks, or they aren't valid. If the >green LED lights, you have a valid key. If the green LED lights, you push the >second button (which is otherwise disabled), and the device loads your key.
That's a good start, but it gets a bit more complicated than that in practice because you've got multiple components, and a basic red light/green light system doesn't really provide enough feedback on what's going on. What you'd need in practice is (at least) some sort of counter to indicate how many shares are still outstanding to recreate the secret ("We still need two more shares, I guess we'll have to call Bob in from Bratislava after all"). Also the UI for recreating shares if one gets lost gets tricky, depending on how much metadata you can assume if a share is lost (e.g. "We've lost share 5 of 7" vs. "We've lost one of the seven shares"), and suddenly you get a bit beyond what the UI of an HSM is capable of dealing with. With a two-share XOR it's much simpler, two red LEDs that turn green when the share is added, and you're done. One share is denoted 'A' and the other is denoted 'B', that should be enough for the shareholder to remember. If you really wanted to be rigorous about this you could apply the same sort of analysis that was used for weak/stronglinks and unique signal generators to see where your possible failure points lie. I'm not sure if anyone's ever done this [0], or whether it's just "build in enough redundancy that we should be OK". Peter. [0] OK, I can imagine scenarios where it's quite probably been done, but anyone involved in the work is unlikely to be allowed to talk about it. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com