| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 19 Feb 2005 11:24:20 +0100 From: Casper.Dik@....COM To: John Richard Moser <nigelenki@...cast.net> Cc: bugtraq@...urityfocus.com Subject: Re: Joint encryption? >The case where N = 1 is simple authentication; the case where N = M is >an easily solvable problem in the scope I'm looking at. I'm interested >in the case where N > M and the data is encrypted. > > - Key is fragmented > - Fragments are indpendently encrypted > - Each user who can authenticate can decrypt PART of the key, but not >all of it > - M of the N users are needed to decrypt enough of the key to access >the key in total When you fragment the key as you propose, there's a danger of making the remaining fragment bruteforcable by "M-1" users as they're left to guess only 1/Mth of the key. I'd argue the best way is to give each of the M users a bit vector the length of the key and XOR the M vectors to get the key vector. This way, the security of the key is as strong whether you have 1 , 2 .. upto M-1 fragments. (Of course, you should also require each of the users to decrypt their key vectors) Effectively, none of the users know any key bits by themselves. >The problem is that I need a guaranteed way to create data for any valid >N and M where N >= 3 > M >= 2 in which access to M fragments of the key >(each fragment is encrypted) can be used to gain access to the rest of >the fragments, which in turn allows any selection of M users to >authenticate and gain physical access to the key. Exponentional might not be bad if you know that the numbers will be small; in O(N^M) space a solution is trivial. Casper
Powered by blists - more mailing lists