Post on 18-Jan-2016
Secret Sharing and Key Escrow
Supplemental Information for Cryptology Class
Lecture slides by Richard Newman

Secret Sharing and Key Escrow
  Touch on a few topics including:
    Need for key escrow
    Basic key escrow approaches and history
    Secret sharing
    Threshold schemes

Need for Key Escrow
  Recovery of lost key
    Keyholder unable to provide key
      Forgotten
      Incapacitated
      Unavailable
    Keyholder unwilling to provide key
      Disgruntled (ex-) employee
      Criminal, etc.
  Legitimate causes
    Organizational information
    Law Enforcement
  Controls on key recovery
    Only allow recovery when it is legitimate
    Limit recovery to appropriate elements

Copyright
  protects tangible or fixed expression of an idea but not the idea itself
  is automatically assigned when created
  may need to be registered in some countries
  exists when:
    proposed work is original
    creator has put original idea in concrete form
    e.g. literary works, musical works, dramatic works, pantomimes and choreographic works, pictorial, graphic, and sculptural works, motion pictures and other audiovisual works, sound recordings, architectural works, software-related works.

Basic Key Escrow
  Can store key K with trusted third party S
    Problem if S is unavailable
    Problem if S is compromised
    Problem if S is dishonest
  Can encrypt key K with key K', store K' with trusted third party
    Same problems as before
  Can divide key K into n parts
    K = K_1 || K_2 || … || K_n
    But each known part reduces keyspace to search…
    m colluders may be able to guess the rest

Clipper Chip
  US government program
    Wanted all commercial crypto done with Clipper
    Algorithm secret initially (Skipjack – finally revealed)
    Wanted two parties to hold escrowed key for each chip
      Law enforcement/executive branch
      Judiciary/judicial branch
    Ultimately died due to strong public resistance
  Clipper program key escrow
    Used XOR approach K = K_1 XOR K_2
    If K_1 is random number, neither K_1 nor K_2 reveal info other than key length
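
The contrast between the concatenation split on the Basic Key Escrow slide and the XOR split on this slide, as an added example that is not part of the original slides. It generalizes the two-share XOR to n shares; the function names and the 16-byte sample key are assumptions made for illustration.

```python
import secrets

def xor(a, b):
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

def split_concat(key, n):
    """K = K_1 || ... || K_n: every part is a literal slice of the key."""
    if len(key) % n:
        raise ValueError("key length must be a multiple of n")
    size = len(key) // n
    return [key[i:i + size] for i in range(0, len(key), size)]

def split_xor(key, n):
    """K = K_1 XOR ... XOR K_n: n-1 random pads plus one correcting share."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for s in shares:
        last = xor(last, s)
    return shares + [last]

def combine_xor(shares):
    """XOR all shares together to rebuild the key."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor(out, s)
    return out

def unknown_bits_concat(parts, known):
    """Key bits colluders holding the parts in `known` must still search."""
    return 8 * sum(len(p) for i, p in enumerate(parts) if i not in known)

def unknown_bits_xor(shares, known):
    """Any missing share acts as a one-time pad: the full key stays unknown."""
    return 0 if len(set(known)) == len(shares) else 8 * len(shares[0])

if __name__ == "__main__":
    key = bytes(range(16))            # constructed 128-bit sample key
    parts, shares = split_concat(key, 4), split_xor(key, 4)
    for m in range(5):                # m colluders pool their pieces
        known = set(range(m))
        print(m, unknown_bits_concat(parts, known),
              unknown_bits_xor(shares, known))
```
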

Secret Sharing
  Want to share a secret S
    Say an escrowed key
  Express S as a number
  Derive shares S_i from S, i=1,2,…,k
  Each shareholder holds part of S
  No fewer than k of them can derive any knowledge of S
  All k of them can reconstruct S

Shamir's Polynomial SS
  Polynomial of degree k can be specified
    By k+1 coefficients
    By k+1 distinct points
  Secret is P(x_0)
    Evaluate P at x_0
  Shares are (x_i, P(x_i)) for i=1,2,…,k+1
    Distribute point pairs to shareholders
    Fewer than k+1 points underspecify P(x)

Blakley's Hyperplane SS
  Imagine a k-dimensional space
    E.g., 3-dimensions
  Can specify (k-1)-dimensional hyperplanes
    These must be unique and must all have a common intersection point
    Any two intersect in a (k-2)-dimensional hyperplane
    E.g., 2-dimensional planes intersect in a line
  k of these hyperplanes intersect in a point
    The point coordinates constitute the shared secret
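
The hyperplane construction above, worked over a prime field, as an added example that is not part of the original slides. It goes slightly beyond this slide by issuing n >= k hyperplanes so that any k of them can be intersected; the modulus 2^61 - 1 and the function names are assumptions.

```python
import secrets

P = 2**61 - 1   # prime field modulus (assumption; coordinates must be < P)

def make_hyperplanes(point, n):
    """Issue n random hyperplanes a.x = b (mod P) that all pass through point.

    Each share is (a, b) with a = (a_1..a_k); the secret is the point itself.
    """
    planes = []
    for _ in range(n):
        a = [secrets.randbelow(P - 1) + 1 for _ in point]
        b = sum(ai * xi for ai, xi in zip(a, point)) % P
        planes.append((a, b))
    return planes

def intersect(planes):
    """Intersect exactly k hyperplanes in k dimensions (Gauss-Jordan mod P)."""
    k = len(planes[0][0])
    if len(planes) != k:
        raise ValueError("need exactly k hyperplanes to fix a point")
    m = [list(a) + [b] for a, b in planes]      # augmented matrix [A | b]
    for col in range(k):
        piv = next((r for r in range(col, k) if m[r][col]), None)
        if piv is None:
            raise ValueError("hyperplanes are not independent")
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, P)           # modular inverse of the pivot
        m[col] = [v * inv % P for v in m[col]]
        for r in range(k):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(vr - f * vc) % P for vr, vc in zip(m[r], m[col])]
    return [row[k] for row in m]

if __name__ == "__main__":
    secret_point = [11, 22, 33]                 # constructed 3-dimensional secret
    shares = make_hyperplanes(secret_point, 5)
    print(intersect(shares[1:4]))               # any 3 planes meet at the point
```

With fewer than k hyperplanes the system is underdetermined (two planes in 3 dimensions leave a whole line of candidate points), which `intersect` reports as an error.
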

Threshold Schemes
  Extend secret sharing so that any k of n shareholders can recover secret
    Useful for fault tolerance
    And for threshold authorization policies
  Examples
    Shamir: issue more points of polynomial
      Any k points of a k-1 degree polynomial specify polynomial
      Issue more than k points; any k of them will do
    Blakley: issue more intersecting hyperplanes
      Any k hyperplanes in a k-dimensional space specify the secret
      Issue n>k hyperplanes; any k will do

Threshold Scheme Uses
  Fault tolerant key/secret escrow
  Multifactor authentication
    Require multiple tokens, passwords, etc.
    Allow for fault tolerance – lost token, e.g.
    Helps discourage theft (can't use stolen object without the other needed elements)
  Multiparty authorization
    Require multiple parties to sign credential
    May be based on roles – so any k can sign
    May be made hierarchical

Summary
  Reviewed a range of topics:
    Key escrow need, history, approaches
    Secret sharing
    Threshold schemes and uses