lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200502191024.j1JAOKMa027959@vaticaan.Holland.Sun.COM>
Date: Sat, 19 Feb 2005 11:24:20 +0100
From: Casper.Dik@....COM
To: John Richard Moser <nigelenki@...cast.net>
Cc: bugtraq@...urityfocus.com
Subject: Re: Joint encryption?



>The case where N = 1 is simple authentication; the case where N = M is
>an easily solvable problem in the scope I'm looking at.  I'm interested
>in the case where N > M and the data is encrypted.
>
> - Key is fragmented
> - Fragments are indpendently encrypted
> - Each user who can authenticate can decrypt PART of the key, but not
>all of it
> - M of the N users are needed to decrypt enough of the key to access
>the key in total

When you fragment the key as you propose, there's a danger of making
the remaining fragment bruteforcable by "M-1" users as they're
left to guess only 1/Mth of the key.

I'd argue the best way is to give each of the M users a bit
vector the length of the key and XOR the M vectors to get
the key vector.  This way, the security of the key is as strong
whether you have 1 , 2 .. upto M-1 fragments.  (Of course,
you should also require each of the users to decrypt their
key vectors)

Effectively, none of the users know any key bits by themselves.

>The problem is that I need a guaranteed way to create data for any valid
>N and M where N >= 3 > M >= 2 in which access to M fragments of the key
>(each fragment is encrypted) can be used to gain access to the rest of
>the fragments, which in turn allows any selection of M users to
>authenticate and gain physical access to the key.

Exponentional might not be bad if you know that the numbers
will be small; in O(N^M) space a solution is trivial.

Casper


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ