In message <[EMAIL PROTECTED]> on Fri, 5 Jul 2002 18:45:12 +0300, Vadim Fedukovich <[EMAIL PROTECTED]> said:
vf> see a program attached for details. It handles numbers of 1024 bit range
vf> doing Shamir secret sharing.

Secret sharing is something I've been pondering implementing in OpenSSL for a while now, on and off. Too bad your snippet of code is licensed under the GPL, that makes it unusable to be included in OpenSSL, if you'd be inclined that way. Anyhow, I'm not going to discuss licenses, that's not the purpose of this letter. Instead, I'd like to discuss protocol and usability.

Shamir's method is beautiful and really easy to understand with a certain minimum of mathematical knowledge. However, it doesn't give any hint on how to protect the shares (understandably, of course). To use it as a part of OpenSSL, and especially as part of the openssl application (as well as other applications based on OpenSSL), one needs to collect the shares in one place, one way or the other. I'm imagining the following scenario:

- We implement the shared secret PEM file, with the identity "SHAMIR SHARED SECRET", which would contain an ASN.1 blob (for which we'd need to define a module) containing the prime p (assuming we use modular arithmetic for the calculations), the small number x (the x coordinate of the point that is your share) and the share itself. This would then be protected the same way we currently protect private keys. This part is actually rather easy.

- I get involved in a sensitive project where shared secrets are used for protection. The implementation I see right now is that each participant inserts his or her diskette, tells the software what the name of the file on that diskette is and gives a password when prompted for it...

The last part is somewhat of a problem, security-wise.

I mean, when I play with my own software, use my own private key protected appropriately, running on my laptop that isn't connected to anything and that has been checked for trojans, viruses and whatever, I feel rather safe signing some document, removing the diskette and reconnecting to the net in some fashion (no, I don't usually do things in quite such a paranoid fashion. My laptop is secure enough and checked enough for my use). However, sticking that same diskette in another system and giving it a password, when I'm not entirely certain there's no stealth program listening to the keyboard input and secretly taking a backup of my diskette, isn't something I would do without a lot of guarantees, and then I would still be suspicious.

Is there any scheme that would make the use of shared secrets a bit safer, or will this simply come down to each participant's trust in the system where the shared secret is used?

For perfect safety (as closely as you can get to it), hardware devices like nCipher (who uses some kind of shared secret for the admin cards in the nForce boxes, I believe) are of course the option. However, I don't have the funds for that, and I'd really like to know of any software variant that is as close to safe as I'd like.

Anyone? URLs are perfectly fine as pointers :-).

--
Richard Levitte                         \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken                       \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                                        \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                              -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
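As an added illustration of the two things discussed in the message above (Shamir sharing over a prime field for 1024-bit secrets, and the proposed "SHAMIR SHARED SECRET" PEM file holding p, x and the share as an ASN.1 SEQUENCE of INTEGERs), here is a small Python implementation. It is example code written for this page, not Vadim's attached program and not anything from OpenSSL. The field prime 2**1279 - 1 (a Mersenne prime) is an assumption made here so that any 1024-bit secret is a field element; the ASN.1 layout SEQUENCE { p, x, share } follows the proposal in the mail but is otherwise invented, and the password protection the mail says the file would get (the same envelope as private keys) is not implemented, so the PEM produced is an unencrypted share.

```python
import base64
import secrets

# Assumption of this example: a field prime larger than 1024 bits. 2**1279 - 1 is prime.
P = 2**1279 - 1


def _eval_poly(coeffs, x, p):
    """Horner evaluation of a polynomial (coefficients lowest degree first) at x mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, threshold, n_shares, p=P):
    """Return n_shares points (x, y); any `threshold` of them reconstruct `secret`."""
    if not 0 <= secret < p:
        raise ValueError("secret must be a field element")
    if not 1 <= threshold <= n_shares < p:
        raise ValueError("need 1 <= threshold <= n_shares < p")
    # Degree threshold-1 polynomial: constant term is the secret, the rest is random.
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(threshold - 1)]
    # x runs from 1; x = 0 would hand out the secret itself.
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n_shares + 1)]


def recover_secret(shares, p=P):
    """Lagrange interpolation at x = 0 over GF(p); needs `threshold` distinct shares."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate x coordinate")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


# --- minimal DER for SEQUENCE { INTEGER p, INTEGER x, INTEGER share } ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    """DER INTEGER for a non-negative value; a leading 0x00 keeps the sign bit clear."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_share_pem(p, x, y):
    """Wrap the share in the PEM label proposed in the mail (no password protection here)."""
    body = _der_int(p) + _der_int(x) + _der_int(y)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN SHAMIR SHARED SECRET-----\n" + "\n".join(lines)
            + "\n-----END SHAMIR SHARED SECRET-----\n")


def decode_share_pem(text):
    """Parse the PEM produced above back into (p, x, share)."""
    b64 = "".join(line for line in text.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(b64)
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    vals, pos = [], 0
    while pos < len(seq):
        t, content, pos = _read_tlv(seq, pos)
        if t != 0x02:
            raise ValueError("expected INTEGER")
        vals.append(int.from_bytes(content, "big"))
    if len(vals) != 3:
        raise ValueError("expected exactly p, x, share")
    return tuple(vals)


if __name__ == "__main__":
    # Constructed demo: a random 1024-bit secret split 3-of-5, one share written as PEM.
    s = secrets.randbits(1024)
    shares = split_secret(s, 3, 5)
    print(encode_share_pem(P, *shares[0]))
    print(recover_secret(shares[:3]) == s)
```

Each participant's file holds only its own (x, y) pair, which is why, exactly as the mail says, the shares still have to be brought together on one machine to recover the secret; the code does nothing to change that trust problem.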