Post on 22-Dec-2015
Key Recovery and Secret Sharing
-- Towards balancing the interests of individuals and those of governments --

Outline
- the need for balance between the interests of individuals and those of governments
- key escrow as a possible solution
- controversy over key escrow
- commercial key escrow (a positive use of key escrow)
- secret sharing

Use & Abuse of encryption
- Proper use:
  - protects privacy of individuals
  - protects commercial interests of companies
- Abuse:
  - organised crime (such as drug trafficking)
  - fraud and corruption
  - terrorism
  - ...

Conflict of interests
individuals’ freedom of speech & communications
vs.
needs of law enforcement

Different directions
- Banning cryptography, i.e., the use of encryption is prohibited.
  - law enforcement is happy, but individuals are not
- Free and uncontrolled use of encryption
  - individuals are happy, but law enforcement may be in trouble

Spectrum of crypto-usage
[Figure: spectrum from “Total ban of encryption” to “Free use of encryption”, labelled “?”]

US proposal
Key escrow was proposed by the US government in 1993 as “something in between”, with the aim of balancing the interests of individuals and those of governments

Basic idea behind the proposal
- Individuals (and companies) are allowed to use encryption
- But keys used by an individual must be available to law enforcement when they wish to monitor the individual’s communications

“Escrow”
1. n. written legal engagement to do something, kept in third person’s custody until some condition has been fulfilled; money or goods so kept;
2. v.t. place in escrow

Key escrow
- A key used by an individual is “split into two halves”
- One half is stored in Escrow Agency A
- The other half is stored in Escrow Agency B
- Both agencies are organisations independent of governments

Key escrow (2)
- When police wish to monitor an individual’s communications, they first obtain a court order from judges (the court system)
- Police then present the court order
  - to Escrow Agency A to obtain the 1st half of the individual’s key
  - to Escrow Agency B to obtain the 2nd half of the individual’s key

Key escrow (3)
- Now police can put the 2 halves together and get the individual’s key
- With the key in their hands, police can now monitor all communications of the individual

Escrowed key
[Figure: encryption (E) of plain text into cipher text, sent over network or storage, and decryption (D) back to the original plain text; labels: Alice, Bob, Secret Key (twice), Escrow Agency A, Escrow Agency B]

Analogue
- you are allowed to lock your door
- but you have to leave a copy of your key, half of which is kept by Locksmith A and the other half by Locksmith B
- When police wish to break into your home, they get a court order with which they can get the two halves of the copy and hence your key

Controversy
- does it really work?
  - how about double encryption by a “bad” guy?
  - what happens if Escrow Agencies A and B conspire?
  - how do governments trust each other?
- where is freedom of individuals?
  - does a government have the right to intrude into individuals’ privacy?
  - other implications?

A positive use of key escrow
- Encrypted data become useless if the key is lost or forgotten!
  - Have you ever forgotten your password?
- To prevent loss of corporate information, a company can build a company-wide “key escrow” system
  - Question: HOW?
    (hint: no police or court system is involved in this case.)

How to “split” a user key
- bad way(s):
  - K = Ka Kb,
    Ka is kept by Escrow Agency A,
    Kb is kept by Escrow Agency B
- good ways:
  - K = K1 XOR K2,
    K1 is kept by Escrow Agency A,
    K2 is kept by Escrow Agency B
  - secret sharing schemes
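
The difference between the two ways of splitting, as an added example that is not part of the original slides. It assumes the “bad way” means each agency stores a literal half of the key bits, and it extends the XOR split from two agencies to any number n; the function names and the sample key are this example's own.

```python
# Added example (not from the slides): splitting a key among escrow agencies.
import secrets
from functools import reduce

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split_xor(key, n):
    """n-of-n split: n-1 random pads, last share = key XOR all pads."""
    pads = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    return pads + [reduce(xor_bytes, pads, key)]

def combine_xor(shares):
    """All n shares XORed together give back the key."""
    return reduce(xor_bytes, shares)

def completing_share(known_shares, guessed_key):
    """The one missing share that would make guessed_key the 'real' key.
    It exists for every guess, so n-1 agencies learn nothing about the key."""
    return reduce(xor_bytes, known_shares, guessed_key)

def split_halves(key):
    """Assumed reading of the 'bad way': each agency stores a literal half."""
    mid = len(key) // 2
    return key[:mid], key[mid:]

def unknown_bits(key, share, scheme):
    """Key bits one agency still has to guess when holding only `share`."""
    if scheme == "halves":
        return 8 * (len(key) - len(share))  # only the other half is unknown
    return 8 * len(key)                     # an XOR share reveals nothing

if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdef")  # constructed 64-bit sample key
    shares = split_xor(key, 3)               # three escrow agencies
    print(combine_xor(shares) == key)
    ka, kb = split_halves(key)
    print(unknown_bits(key, ka, "halves"), unknown_bits(key, shares[0], "xor"))
```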

An exercise & a question
- an exercise
  - How to “split” a key if there are 3 or more escrow agencies?
- In the above discussions, all agencies have to be consulted in order to recover a key. An important question:
  - Is it possible to design a system so that some of the agencies, say 4 out of 5, can recover a key?

Secret sharing in a bank
- a real world problem:
  - A bank branch has a safe and 3 senior tellers.
  - The safe can be opened only by senior tellers, but they do not trust each other.
  - Can we design a system for the branch whereby any 2 of the 3 senior tellers together can open the safe, but NO individual teller can do so.

(t,n)-threshold secret sharing
- Consider a group of n participants (=people). Let t <= n.
- A (t,n)-threshold secret sharing scheme is a method of sharing a key K among n participants, such that
  - any t or more participants from the group can recover the key K, and
  - any t-1 or fewer participants from the group can NOT do so.

Real world problems
- bank branch
  - to design a (2,3)-threshold secret sharing
- key escrow agency
  - (2,2)-threshold secret sharing
  - more generally, (t,n)-threshold secret sharing. E.g. (4,5)-threshold secret sharing
- millionaire’s will
  - a millionaire with 8 children, 5 of whom are there when the will is read.

Shamir’s (t,n)-threshold scheme
- Key disposing -- by the dealer
  - initialisation
  - distributing a share to each of the n participants in the group
- Key recovery -- by participants
  - gathering shares from t participants
  - reconstructing the key from the t shares

Shamir (3,5)-threshold scheme
- Assume that K=13 is a key.
- Initially the only person who knows K=13 is the dealer!
- The aim is to construct a threshold scheme so that 3 out of the 5 participants can recover the key K.
- Parameters:
  - K=13, t=3, n=5

Key Disposal -- by dealer
- Initialisation
  - chooses a prime p > K & p > n+1. Say p = 17.
  - chooses 2 (= t-1) random non-zero integers in [1,...,p-1], i.e., [1,...,16]. Assume that the following are chosen:
    a1 = 10
    a2 = 2
- Form a polynomial of degree t-1:
  p(x) = K + a1*x + a2*x^2
       = 13 + 10*x + 2*x^2

Key disposal -- by dealer
- Share distribution
  - for Participant 1
    p(1) = 13 + 10*1 + 2*1^2 = 8 (mod 17)
    gives 8 to Participant 1 as his share
  - for Participant 2
    p(2) = 13 + 10*2 + 2*2^2 = 7 (mod 17)
    gives 7 to Participant 2 as his share
  - for Participant 3
    p(3) = 13 + 10*3 + 2*3^2 = 10 (mod 17)
    gives 10 to Participant 3 as his share

Key disposal -- by dealer
  - for Participant 4
    p(4) = 13 + 10*4 + 2*4^2 = 0 (mod 17)
    gives 0 to Participant 4 as his share
  - for Participant 5
    p(5) = 13 + 10*5 + 2*5^2 = 11 (mod 17)
    gives 11 to Participant 5 as his share

Key recovery -- by 3 participants
- Assume that 3 participants, say Participants 1, 3 and 5, decide to recover the key K.
- Share gathering
  - the 3 participants put together their shares, namely 3 numbers 8, 10, 11

Key recovery -- by 3 participants
- Key reconstruction
  - solve the following equations
    K + a1 * 1 + a2 * 1^2 = 8 (mod 17)
    K + a1 * 3 + a2 * 3^2 = 10 (mod 17)
    K + a1 * 5 + a2 * 5^2 = 11 (mod 17)
  - the result
    a1 = 10
    a2 = 2
    K = 13
- K = 13 is indeed the key!
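
The (3,5) scheme above with the slides' numbers (K=13, p=17, a1=10, a2=2), as an added example that is not part of the original slides. It recovers K by Lagrange interpolation at x = 0 in place of solving the three equations by hand (both give the same K), and brute-forces which keys remain possible for someone holding fewer than t shares; all function names are this example's own.

```python
# Added example (not from the slides): Shamir's scheme with the slides' numbers.
from itertools import product

P = 17  # prime from the slides: p > K and p > n + 1

def evaluate(poly, x, p=P):
    """Value of poly[0] + poly[1]*x + poly[2]*x^2 + ... (mod p)."""
    return sum(c * pow(x, i, p) for i, c in enumerate(poly)) % p

def make_shares(key, coeffs, n, p=P):
    """Dealer: share for Participant x is p(x), x = 1..n, with p(0) = key."""
    return [(x, evaluate([key] + list(coeffs), x, p)) for x in range(1, n + 1)]

def recover(shares, p=P):
    """Participants: Lagrange interpolation at x = 0 gives p(0) = K."""
    key = 0
    for xj, yj in shares:
        num = den = 1
        for xm, _ in shares:
            if xm != xj:
                num = num * (-xm) % p
                den = den * (xj - xm) % p
        key = (key + yj * num * pow(den, -1, p)) % p  # modular inverse (Python 3.8+)
    return key

def candidate_keys(shares, t, p=P, nonzero=False):
    """Every K for which some polynomial of degree t-1 fits the given shares.
    nonzero=True applies the slides' rule that a1..a(t-1) are non-zero."""
    lo = 1 if nonzero else 0
    found = []
    for key in range(p):
        for coeffs in product(range(lo, p), repeat=t - 1):
            if all(evaluate([key] + list(coeffs), x, p) == y for x, y in shares):
                found.append(key)
                break
    return found

if __name__ == "__main__":
    shares = make_shares(13, [10, 2], n=5)
    print(shares)                                         # the five shares
    print(recover([shares[0], shares[2], shares[4]]))     # Participants 1, 3, 5
    print(recover(shares[:4]))                            # more than t shares
    print(candidate_keys(shares[:2], t=3))                # only two shares
    print(candidate_keys(shares[:2], t=3, nonzero=True))
```

With coefficients drawn from all of [0,...,16], two shares leave every one of the 17 keys possible. Under the slides' non-zero restriction two candidates drop out, so two shares leak a little without revealing K.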

Questions
- With the (3,5)-threshold scheme
  - Can 2 or fewer participants recover the key K?
  - What if more than 3 participants wish to recover the key?

The Dealer
- The dealer has to be honest!
  - can be a person trusted by all participants.
  - can also be a dedicated program which erases all relevant information on the key K after the shares are distributed successfully.

Combination Lock
- Assume that a key K is a 4-digit number, i.e., K is in [0000,…,9999]
- Initially the only person who knows the key K is the dealer!
- Construct a Shamir (2,6)-threshold scheme so that 2 out of the 6 participants can recover the key K.
- Hint: choose a 5-digit prime number (say 10007)!

Escrowing DES keys
- Assume that a key is a 56-bit DES key (about 17 digits)
- Initially the only person who knows the key is the dealer!
- Construct a Shamir (5,10)-threshold scheme so that 5 out of 10 escrow agencies can recover the key K.
- Hint: choose a prime number > 2^56!