1993-11-12 - Key Sharing Protocols

Header Data

From: an7822@anon.penet.fi (Archimboldo)
To: cypherpunks@toad.com
Message Hash: 8f617eeb83bf3742e02892753195d48238e00b38a60ea22471d389b58c31c6c7
Message ID: <9311122332.AA17912@anon.penet.fi>
Reply To: N/A
UTC Datetime: 1993-11-12 23:33:46 UTC
Raw Date: Fri, 12 Nov 93 15:33:46 PST

Raw message

From: an7822@anon.penet.fi (Archimboldo)
Date: Fri, 12 Nov 93 15:33:46 PST
To: cypherpunks@toad.com
Subject: Key Sharing Protocols
Message-ID: <9311122332.AA17912@anon.penet.fi>
MIME-Version: 1.0
Content-Type: text/plain

I'm working on an internal protocol for securing company records
and I'd like to solicit some net.wisdom.

One of my requirements is to ensure that no data is lost if an
employee quits, is fired, dies, etc. At the same time, I don't
want to have a security officer with the "keys to the castle" for
every user.

I've had these ideas, so far.

*  Use PGP for all encryption, for both E-mail and personal files
   on disk.

*  For personal files, encrypt with your own public key.

This allows all files and communications to be encrypted while
using one passphrase, which may be changed without having to re-
encrypt files.

To allow for loss of a passphrase, for whatever reason, use a
secret sharing protocol to split the secret key of the user into
several pieces, held by designated security officers.
Reconstruction of the key will require cooperation by "n"
security officers. I have some problems with this.

*   While I can extract the secret key from the user's private
    keyring, it is still encrypted by the user's passphrase. Is
    there any method for extracting an unencrypted key?

*   If there is no way to produce an unencrypted key, I could
    have the user extract her key after setting her passphrase to
    some standard value, and then change it again after

*   How can I ensure, without reconstructing the key from my
    secret sharers, that the key and passphrase I have been given
    are, in fact, correct. If I could produce an unencrypted key,
    I would just have to verify that this was the correct private
    RSA key. If the private key can only be extracted encrypted,
    I have to verify both the standard passphrase and the private
    RSA key.

I would be interested in comments and suggestions on this
proposed protocol and the unresolved issues. My intent is that a
user be able to generate a key pair, run a job to split the key
into n segments for the sharers and have the sharers able to
verify that they have the correct key, without having to
reassemble the key.

Has anyone implemented code for any of the secret sharing
protocols, or am I going to have to reinvent this particular
To find out more about the anon service, send mail to help@anon.penet.fi.
Due to the double-blind, any mail replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to admin@anon.penet.fi.