There are several known algorithms for Secret Sharing - see
http://en.wikipedia.org/wiki/Secret_sharing

Simon
On Tue, Mar 5, 2013 at 1:35 PM, Joe Hourcle
<onei...@grace.nascom.nasa.gov>wrote:

> On Mar 5, 2013, at 8:29 AM, Adam Constabaris wrote:
>
> > An option is to use a password management program (KeepassX is good
> because
> > it is cross platform) to store the passwords on the shared drive,
> although
> > of course you need to distribute the passphrase for it around.
>
> So years ago, when I worked for a university, they wanted us to put all of
> the root passwords into an envelope, and give them to management to hold.
>  (we were a Solaris shop, so there actually were root passwords on the
> boxes, but you had to connect from the console or su to be able to use 'em).
>
> We managed to drag our heels on it, and management forgot about it*, but I
> had an idea ...
>
> What if there were a way to store the passwords similar to the secret
> formula in Knight Rider?
>
> Yes, I know, it's an obscure geeky reference, and probably dates me.  The
> story went that the secret bullet-proof spray on coating wasn't held by any
> one person; there were three people who each knew part of the formula, and
> that any two of them had enough knowledge to make it.
>
> For needing 2 of 3 people, the process is simple -- divide it up into 3
> parts, and each person has a different missing bit.  This doesn't work for
> 4 people, though (either needing 2 people, or 3 people to complete it).
>
> You could probably do it for two or three classes of people (eg, you need
> 1 sysadmin + 1 manager to unlock it), but I'm not sure if there's some
> method to get an arbitrary "X of Y" people required to unlock.
>
> If anyone has ideas, send 'em to be off-list.  (If other people want the
> answer, I can aggregate / summarize the results, so I don't end up starting
> yet another inappropriate out-of-control thread)
>
> ...
>
> Oh, and I was assuming that you'd be using PGP, using the public key to
> encrypt the passwords, so that anyone could insert / update a password into
> whatever drop box you had; it'd only be taking stuff out that would require
> multiple people to combine efforts.
>
> -Joe
>
>
> * or at least, they didn't bring it up again while I was still employed
> there.
>

Reply via email to