Re: secret-sharing code

2000-03-29 Thread Greg Rose

At 13:22 29/03/2000 +0930, Steve Bellovin wrote:
> Are there any freely-available secret-sharing packages around?  Specifically,
> I need to be able to set up modestly complex policies to protect a sensitive
> signature key.
>
> While source code would be best, I'd also be interested in smart card-based
> products.

I use Hal Finney's "secsplit". Google found it in a couple of places; it 
doesn't seem to have been updated since 1993. It doesn't do the more 
complicated schemes, just straight (m, k) splitting.

regards,
Greg.


Greg Rose                                    INTERNET: [EMAIL PROTECTED]
Qualcomm Australia        VOICE:  +61-2-9181-4851   FAX: +61-2-9181-5470
Suite 410, Birkenhead Point,             http://people.qualcomm.com/ggr/
Drummoyne NSW 2047     232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C
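
The threshold splitting mentioned in the message above, sketched as an added example using Shamir's polynomial scheme; it is not part of the thread and not secsplit's code. The field modulus, the 0x01 marker byte and the function names `split` and `combine` are assumptions of this sketch, and the sample key is constructed.

```python
import secrets

# Field modulus: 2**521 - 1 is a Mersenne prime (an assumption of this example).
PRIME = 2**521 - 1
MAX_SECRET = 64  # bytes; with the 1-byte marker the integer stays below PRIME

def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split(secret: bytes, n_shares: int, threshold: int):
    """Return n_shares points (x, y); any `threshold` of them recover the secret."""
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    if len(secret) > MAX_SECRET:
        raise ValueError("secret too long; share a key that wraps it instead")
    # A 0x01 marker byte preserves leading zero bytes across the int round trip.
    s = int.from_bytes(b"\x01" + secret, "big")
    # Random coefficients come from the OS CSPRNG; the constant term is the secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]

def combine(shares):
    """Lagrange-interpolate at x = 0. Too few shares give an unrelated value."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        s = (s + yi * num * pow(den, -1, PRIME)) % PRIME
    raw = s.to_bytes((s.bit_length() + 7) // 8, "big")
    if raw[:1] != b"\x01":  # sanity check only, not an integrity guarantee
        raise ValueError("shares do not reconstruct a marked secret")
    return raw[1:]

if __name__ == "__main__":
    key = bytes.fromhex("00" + "a5" * 31)  # constructed 32-byte sample secret
    shares = split(key, n_shares=5, threshold=3)
    assert combine(shares[:3]) == key and combine(shares[2:]) == key
    print("recovered from any 3 of 5 shares")
```

Combining fewer shares than the threshold does not fail cleanly: it yields an unrelated value that the marker check rejects only about half the time, so a real deployment needs a separate integrity check on the recovered key.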




Re: Can Accountants Compute?

2000-03-29 Thread R. A. Hettinga

At 10:12 AM -0500 on 3/27/00, Duncan Frissell wrote:


> In a UK magazine ad, PricewaterhouseCoopers http://www.pwcglobal.com/ says
> "We are developing a new model of E-Cash for one of the largest global
> financial organizations".

Offhand, I would say 'ecash', from Ecash Technologies, for Deutsche Bank,
which, having just merged with Dresdner, is one of the world's top (3?)
largest.

Cheers,
RAH
-- 
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




Entropy-gathering gizmos for NT?

2000-03-29 Thread Jeff . Hodges

I'm curious about what all entropy-gathering gizmos, a la "Entropy Gathering 
Daemon" (EGD) url:http://www.lothar.com/tech/crypto/, might be available 
for/on NT -- anyone know?

My understanding is that such stuff is effectively built-into Win2K -- anyone 
have comments/observations on that?

thanks,

JeffH






Re: Entropy-gathering gizmos for NT?

2000-03-29 Thread Wei Dai

On Wed, Mar 29, 2000 at 07:54:03AM -0800, [EMAIL PROTECTED] wrote:
> I'm curious about what all entropy-gathering gizmos, a la "Entropy Gathering
> Daemon" (EGD) url:http://www.lothar.com/tech/crypto/, might be available
> for/on NT -- anyone know?
>
> My understanding is that such stuff is effectively built-into Win2K -- anyone
> have comments/observations on that?

It's built into Microsoft's base CryptoAPI service provider, which is
available on Win2K and any Windows OS after Windows 95 I think. You can
do something like this:

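// untested
#include <windows.h>
#include <wincrypt.h>  // link against advapi32.lib
HCRYPTPROV hProvider = 0;
BYTE randomBytes[128];
// CryptAcquireContext takes a pointer to the handle; both calls return FALSE on failure
if (CryptAcquireContext(&hProvider, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
    BOOL ok = CryptGenRandom(hProvider, sizeof(randomBytes), randomBytes);
    CryptReleaseContext(hProvider, 0);  // use randomBytes only if ok is TRUE
}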




Re: secret-sharing code

2000-03-29 Thread John Gilmore

> > Are there any freely-available secret-sharing packages around?  Specifically,
> > I need to be able to set up modestly complex policies to protect a sensitive
> > signature key.
>
> I use Hal Finney's "secsplit". Google found it in a couple of places; it
> doesn't seem to have been updated since 1993.

This is why I don't recommend secret-sharing for important DNSSEC
private keys.  Using infrequently maintained software increases the
risk of losing the key, perhaps years from now when you suddenly
decide you need it.

What I ended up designing was to have a meta-root key whose private
key is used to sign perhaps ten "root keys".  Keep these root keys
under high security, and dole them out one per year, or whenever you
need to due to a breach.  Keep the meta-root private key under very
very high security (my recommendation was to embed it in the
structural members of a skyscraper, such that anyone who tried to get
it -- the legitimate owner or anyone else -- would have to make a lot
of noise for an extended period, in a very public place).  I'd put
it as ink on good paper inside steel, rather than rely on some obscure
secret sharing software from ten years earlier, that won't run on
modern bloodstream-resident computers.

Perhaps PGP is well enough maintained, though I wonder how many people
are actually exercising the split-key feature, and whether it can be
used to keep the kind of key that Steve wants to keep.  Paper is rather
marvelously flexible at things like that.

John