In message <[EMAIL PROTECTED]> on Fri, 5 Jul 2002 18:45:12 +0300, 
Vadim Fedukovich <[EMAIL PROTECTED]> said:

vf> see a program attached for details. It handles numbers of 1024 bit range
vf> doing Shamir secret sharing.

Secret sharing is something I've been pondering implementing in
OpenSSL for a while now, on and off.  Too bad your snippet of code is
licensed under the GPL, that makes it unusable to be included in
OpenSSL, if you'd be inclined that way.

Anyhow, I'm not going to discuss licenses, that's not the purpose of
this letter.  Instead, I'd like to discuss protocol and usability.

Shamir's method is beautiful and really easy to understand with a
certain minimum of mathematical knowledge.  However, it doesn't give
any hint on how to protect the shares (understandably, of course).
To use it as a part of OpenSSL, and especially as part of the openssl
application (as well as other applications based on OpenSSL), one
needs to collect the shares in one place, one way or the other.

I'm imagining the following scenario:

- We implement the shared secret PEM file, with the identity "SHAMIR
  SHARED SECRET", which would contain an ASN.1 blob (for which we'd
  need to define a module) containing the prime p (assuming we use
  modular arithmetic for the calculations), the small number x (the x
  coordinate of the point that is your share) and the share itself.
  This would then be protected the same way we currently protect
  private keys.  This part is actually rather easy.

- I get involved in a sensitive project where shared secrets are used
  for protection.  The implementation I see right now is that each
  participant inserts his or her diskette, tells the software what the
  name of the file on that diskette is and gives a password when
  prompted for it...

The last part is somewhat of a problem, security-wise.  I mean, when I
play with my own software, use my own private key protected
appropriately, running on my laptop that isn't connected to anything
and that has been checked for trojans, viruses and whatever, I feel
rather safe signing some document, removing the diskette and
reconnecting to the net in some fashion (no, I don't usually do things
in quite such a paranoid fashion.  My laptop is secure enough and
checked enough for my use).  However, sticking that same diskette in
another system and giving it a password, when I'm not entirely certain
there's no stealth program listening to the keyboard input and
secretly taking a backup of my diskette, isn't something I would do
without a lot of guarantees, and then I would still be suspicious.

Is there any scheme that would make the use of shared secrets a bit
safer, or will this simply come down to each participant's trust in
the system where the shared secret is used?

For perfect safety (as closely as you can get to it), hardware devices
like nCipher (who uses some kind of shared secret for the admin cards
in the nForce boxes, I believe) are of course the option.  However, I
don't have the funds for that, and I'd really like to know of any
software variant that is as close to safe as I'd like.

Anyone?  URLs are perfectly fine as pointers :-).

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
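The scheme Richard sketches above (a prime p, a small x coordinate, and the share value y, with any k of n shares reconstructing the secret) in working code. This is an added example written for this page, not Vadim's attached program and not OpenSSL code; it uses Python's native integers instead of OpenSSL's BN, and the choice of p = 2^1279 - 1 (a Mersenne prime large enough to hold any 1024-bit secret) and the dict layout for a share are assumptions standing in for the ASN.1 module the mail says would still need to be defined. Beyond the split/recover pair it also shows the property that makes the share-handling question matter: with k-1 shares an attacker can make them "agree" with any secret at all, so the only thing protecting the secret is the k-th share on somebody else's diskette.

```python
"""Shamir secret sharing over GF(p): split, recover, and a demonstration
that k-1 shares are consistent with every possible secret.

Added example for this mailing-list page; not the original poster's code."""
import secrets

# Assumption: 2**1279 - 1 is a Mersenne prime and comfortably holds any
# 1024-bit secret (the "1024 bit range" mentioned in the thread).
P = (1 << 1279) - 1


def split_secret(secret, k, n, p=P):
    """Split `secret` into n shares such that any k of them reconstruct it.

    The secret is the constant term of a random degree-(k-1) polynomial;
    share i is the point (x=i, y=f(i)) for the small x coordinates 1..n.
    Each share carries p as well, mirroring the (p, x, share) triple the
    proposed "SHAMIR SHARED SECRET" PEM blob would hold."""
    if not 0 <= secret < p:
        raise ValueError("secret must be reduced modulo p")
    if not 1 <= k <= n < p:
        raise ValueError("need 1 <= k <= n < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation of f(x) mod p
            y = (y * x + c) % p
        shares.append({"p": p, "x": x, "y": y})
    return shares


def interpolate_at(points, x, p):
    """Evaluate at `x` the unique polynomial of degree < len(points)
    passing through the given (x_i, y_i) points, using Lagrange basis
    polynomials over GF(p)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def recover_secret(shares):
    """Reconstruct the secret from any k (or more) distinct shares."""
    p = shares[0]["p"]
    if any(s["p"] != p for s in shares):
        raise ValueError("shares were generated over different fields")
    xs = [s["x"] for s in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinate among shares")
    return interpolate_at([(s["x"], s["y"]) for s in shares], 0, p)


def forge_share(partial_shares, candidate_secret, x_new):
    """Given only k-1 shares, produce a k-th share at x_new that makes the
    full set reconstruct `candidate_secret`.  That this is always possible
    is exactly why k-1 shares leak nothing about the real secret."""
    p = partial_shares[0]["p"]
    if x_new == 0 or any(s["x"] == x_new for s in partial_shares):
        raise ValueError("x_new must be non-zero and distinct from existing x")
    points = [(s["x"], s["y"]) for s in partial_shares] + [(0, candidate_secret)]
    return {"p": p, "x": x_new, "y": interpolate_at(points, x_new, p)}


if __name__ == "__main__":
    # Constructed sample secret; a real use would share a key or passphrase.
    secret = int.from_bytes(b"constructed sample secret, not a real key", "big")
    shares = split_secret(secret, k=3, n=5)
    print("any 3 of 5 recover:", recover_secret([shares[0], shares[2], shares[4]]) == secret)
    forged = forge_share(shares[:2], candidate_secret=42, x_new=6)
    print("2 shares + forged share recover 42:", recover_secret(shares[:2] + [forged]) == 42)
```

The per-share password protection the mail worries about is deliberately left out: it is independent of the arithmetic, and the point of the thread is that wrapping the share like a private key only helps if the machine that unwraps it is trusted.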