[17457] in cryptography@c2.net mail archive


Re: encrypted tapes

daemon@ATHENA.MIT.EDU (dan@geer.org)
Mon Jun 13 14:53:09 2005

X-Original-To: cryptography@metzdowd.com
From: dan@geer.org
To: cryptography@metzdowd.com
In-Reply-To: Your message of "Wed, 08 Jun 2005 19:15:52 PDT."
             <r02010500-1039-677E1420D88C11D9BA730030658F0F64@[192.168.1.5]> 
Date: Fri, 10 Jun 2005 16:51:11 -0400


On 6/8/05, perry@piermont.com (Perry E. Metzger) wrote:
-+------------------------------------------------------
 | If you have no other choice, pick keys for the next five years,
 | changing every six months, print them on a piece of paper, and put it
 | in several safe deposit boxes. Hardcode the keys in the backup
 | scripts. When your building burns to the ground, you can get the tapes
 | back from Iron Mountain and the keys from the safe deposit box.
 | 


Assuming I even understand the problem,
this is, in fact, one of the wonderful
uses of split-key (threshold) crypto;
including scale-down to the individual
desktop.

split K as 2-of-3 quorum
   (1) smartcard
   (2) laptop
   (3) corp server

encrypt disk using K (or another key protected by K, of course)

situations handled
   (a) Dan offline inside Faraday cage, use frags 1,2 to do work
   (b) fire Dan / confiscate laptop, use frags 2,3 to read disk
   (c) Dan leaves laptop in cab, use frags 1,3 to recover from backup

We can (for backup tapes) make 2-of-N
splits.  This would allow each tape
of a multi-volume tape set to be
"partially" encrypted in a different
fragment which nevertheless could have
its encryption "completed" by the common
fragment held centrally thus making each
tape a different cryptanalysis problem
for the attacker but without the apparent
key management overhead for the good guys.
As one fragment of a quorum can be set in
advance, that fragment could be common to
several otherwise non-communicating sets
of tapes and thus be the one retained in
that central, good-guy location.

And so forth.

Disclaimer: I am a good enough mathematician
to know how bad a mathematician I really am
so, in the usual Internet practice, a flood
of corrections/denunciations will doubtless
now commence.

--dan

ref:
Geer DE & Yung M : Threshold Cryptography for the Masses,
Proceedings, Sixth International Financial Cryptography Conference,
Southampton, Bermuda, 11-14 March 2002.
http://geer.tinho.net/geer.yung.PDF
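
The 2-of-N split with one fragment set in advance, as an added example (not code from this message or from the cited paper). It assumes Shamir secret sharing over a prime field, which the message does not name; the function names, the choice of prime and the sample values are illustrative.

```python
import secrets

# Assumption: Shamir sharing over GF(P), P = 2**521 - 1 (a Mersenne prime),
# comfortably larger than a 256-bit symmetric key.
P = 2**521 - 1

def split_with_fixed_share(key, fixed, n):
    """2-of-n split of `key` whose fragment at x=1 is forced to `fixed`.

    The sharing polynomial is the line f(x) = key + a*x (mod P).
    Choosing a = fixed - key gives f(1) == fixed, so the same central
    fragment can serve many unrelated keys. Returns fragments x = 1..n.
    """
    a = (fixed - key) % P
    return [(x, (key + a * x) % P) for x in range(1, n + 1)]

def recover(s1, s2):
    """Rebuild f(0) from any two distinct fragments (Lagrange at x=0)."""
    (x1, y1), (x2, y2) = s1, s2
    if x1 == x2:
        raise ValueError("need two different fragments")
    inv = pow((x2 - x1) % P, -1, P)
    return (y1 * x2 - y2 * x1) * inv % P

def make_tape_fragments(common, n_tapes):
    """Each tape gets its own random key and its own fragment (x=2);
    every tape shares the one central fragment (1, common)."""
    tapes = []
    for _ in range(n_tapes):
        key = secrets.randbits(256)
        fragment = split_with_fixed_share(key, common, 2)[1]
        tapes.append({"key": key, "fragment": fragment})
    return tapes

if __name__ == "__main__":
    # Desktop case: 2-of-3 across smartcard, laptop, corp server.
    k = secrets.randbits(256)
    card, laptop, server = split_with_fixed_share(k, secrets.randbelow(P), 3)
    assert recover(card, laptop) == k      # (a) offline work
    assert recover(laptop, server) == k    # (b) laptop confiscated
    assert recover(card, server) == k      # (c) laptop lost
    # Tape case: one central fragment completes every tape's fragment.
    central = secrets.randbelow(P)
    for t in make_tape_fragments(central, 3):
        assert recover((1, central), t["fragment"]) == t["key"]
    print("all quorums recovered their keys")
```

In this construction two fragments determine the line, so anyone who learns one tape's key together with that tape's fragment can compute the central fragment. The per-tape fragments are therefore only as safe as the centrally held one.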



---------------------------------------------------------------------
The Cryptography Mailing List