Systems that split a password among N nodes, such that no less than N can collaborate to verify guesses, are described in: www.integritysciences.com/links.html#FK00 and www.integritysciences.com/links.html#Jab01
For N=1, some kind of special hardware embedded solution seems to be required. Think smartcards, TCPA, and initiatives to build this general capability into standard PC BIOS such as: www.phoenix.com/Security/products/index.html -- David At 10:24 PM 3/20/2002 -0500, Pat Farrell wrote: >At 01:45 PM 3/21/2002 +1100, McMeikan, Andrew wrote: > >Question. Is it possible to have code that contains a private encryption > >key safely? Every way I look at it the answer seems no, yet some degree of > >safety might be possible by splitting an encrypting routine across several > >nodes. Can someone give me a pointer to any work in this area? > >I don't believe so, but maybe someone else on the list has a better answer. >Secret splitting will clearly make it harder for Mallet to gather the key. > >In the past Atalla (later Compaq, now HP) and Harris sold hardware boxes that >kept keys in tamper proof boxes. They worked because opening the box lost the >key. Banks used them heavily in the late 1990s. > >The usual good solution is to make a human type in a secret. >The usual bad solution is to store it in a secret place, or encrypted with >a key kept elsewhere (source, secret file, LDAP, etc.) > >The old CyberCash wallet, which used strong RSA keys, used simple 56bit DES >to protect the private key on the local PC's hard disk. The thinking was >that user won't use more entropy in their keys to really justify 3DES, >and once one has physical access to the computer and hard drive, there >are simpler attacks than breaking the crypto on the key: keystroke >sniffers being >one obvious example. > >I'd also love to hear of real solutions to protecting a key stored on >local disk > >Pat --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]