key recovery and secret sharing -- towards balancing the interests of individuals and those of...

Key Recovery and Key Recovery and Secret SharingSecret Sharing

-- Towards balancing the -- Towards balancing the interests of individuals and interests of individuals and

those of governments --those of governments --

2

OutlineOutline

the need of balance between the the need of balance between the interests of individuals and those of interests of individuals and those of governmentsgovernments

key escrow as a possible solutionkey escrow as a possible solution controversy over key escrowcontroversy over key escrow commercial key escrow (a positive use commercial key escrow (a positive use

of key escrow)of key escrow) secret sharingsecret sharing

3

Use & Abuse of encryptionUse & Abuse of encryption

Proper use:Proper use:protects privacy of individualsprotects privacy of individualsprotects commercial interests of protects commercial interests of

companiescompanies Abuse:Abuse:

organised crimes (s.a. drug trafficking)organised crimes (s.a. drug trafficking)fraud and corruptionfraud and corruptionterrorismterrorism............

4

Conflict of interestsConflict of interests

individuals’ freedom of speech & individuals’ freedom of speech & communicationscommunications

v.s.v.s.

needs of law enforcementneeds of law enforcement

5

Different directionsDifferent directions

Banning cryptography, i.e., the use of Banning cryptography, i.e., the use of encryption is prohibited.encryption is prohibited.law enforcement is happy, but individuals law enforcement is happy, but individuals

are notare not Free and un-controlled use of Free and un-controlled use of

encryptionencryptionindividuals are happy, but law individuals are happy, but law

enforcement may be in troubleenforcement may be in trouble

6

Spectrum of crypto-usageSpectrum of crypto-usage

Total ban ofencryption

Free use ofencryption?

7

US proposalUS proposal

Key escrow was proposed by US Key escrow was proposed by US government in 1993 as “something in government in 1993 as “something in between”, with the aim to balance between”, with the aim to balance between the interests of individuals between the interests of individuals and those of governmentsand those of governments

8

Basic idea behind the proposalBasic idea behind the proposal

Individuals (and companies) are Individuals (and companies) are allowed to use encryptionallowed to use encryption

But, keys used by a individual must be But, keys used by a individual must be available to law enforcement when available to law enforcement when they wish to monitor the individual’s they wish to monitor the individual’s communicationscommunications

9

““Escrow”Escrow”

1. 1. nn. written legal engagement to do . written legal engagement to do something, kept in third person’ something, kept in third person’ custody until some condition has been custody until some condition has been fulfilled; money or good so kept;fulfilled; money or good so kept;

2. 2. v.tv.t. place in escrow. place in escrow

10

Key escrowKey escrow

A key used by an individual is “split A key used by an individual is “split into two halves”into two halves”

One half is stored in Escrow Agency AOne half is stored in Escrow Agency A The other half is stored in Escrow The other half is stored in Escrow

Agency BAgency B Both agencies are organisations Both agencies are organisations

independent of governmentsindependent of governments

11

Key escrow (2)Key escrow (2)

When police wish to monitor an When police wish to monitor an individual’s communications, they first individual’s communications, they first obtain a court order from judges (the obtain a court order from judges (the court system)court system)

Police then present the court order Police then present the court order to Escrow Agency A to obtain the 1st half to Escrow Agency A to obtain the 1st half

of the individual’s keyof the individual’s keyto Escrow Agency B to obtain the 2nd half to Escrow Agency B to obtain the 2nd half

of the individual’s keyof the individual’s key

12

Key escrow (3)Key escrow (3)

Now police can put the 2 halves Now police can put the 2 halves together and get the individual’s keytogether and get the individual’s key

With the key in their hands, police can With the key in their hands, police can now monitor all communications of now monitor all communications of the individualthe individual

13

Escrowed keyEscrowed key

E Network or Storage

Plain Text Cipher Text Cipher Text

D

OriginalPlain Text

Bob

Secret Key

Alice

Secret Key

EscrowAgency A

EscrowAgency B

14

AnalogueAnalogue

you are allowed to lock your dooryou are allowed to lock your door but you have to leave a copy of your but you have to leave a copy of your

key, half of which is kept by Locksmith key, half of which is kept by Locksmith A and the other half by Locksmith BA and the other half by Locksmith B

When police wish to break into your When police wish to break into your home, they get a court order with home, they get a court order with which they can get the two halves of which they can get the two halves of the copy and hence your keythe copy and hence your key

15

ControversyControversy

does it really work ?does it really work ?how about double encryption by a “bad” how about double encryption by a “bad”

guy ?guy ?what happens if Escrow Agencies A and B what happens if Escrow Agencies A and B

conspireconspirehow do governments trust each other ?how do governments trust each other ?

where is freedom of individuals ?where is freedom of individuals ?does a government have the right to intrude does a government have the right to intrude

into individuals’ privacy ?into individuals’ privacy ?other implications ?other implications ?

16

A positive use of key escrowA positive use of key escrow

Encrypted data become useless if the Encrypted data become useless if the key is lost or forgotten !key is lost or forgotten !Have you ever forgotten your password ?Have you ever forgotten your password ?

To prevent loss of corporate To prevent loss of corporate information, a company can build a information, a company can build a company-wide “key escrow” systemcompany-wide “key escrow” systemQuestion: HOW ?Question: HOW ?

(hint: no police or court system is (hint: no police or court system is involved in this case.)involved in this case.)

17

How to “split” a user keyHow to “split” a user key

bad way(s):bad way(s):K = KK = Kaa K Kbb,,

KKaa is kept by Escrow Agency A, is kept by Escrow Agency A,

KKbb is kept by Escrow Agency B is kept by Escrow Agency B

good ways:good ways:K = K1 K = K1 XORXOR K2, K2,

K1 is kept by Escrow Agency A,K1 is kept by Escrow Agency A,K2 is kept by Escrow Agency BK2 is kept by Escrow Agency B

secret sharing schemessecret sharing schemes

18

An exercise & a questionAn exercise & a question

an exercisean exerciseHow to “split” a key if there are 3 or more How to “split” a key if there are 3 or more

escrow agencies ?escrow agencies ? In the above discussions, all agencies In the above discussions, all agencies

have to be consulted in order to have to be consulted in order to recover a key. An important question:recover a key. An important question:Is it possible to design a system so that Is it possible to design a system so that

some of the agencies, say 4 out of 5, can some of the agencies, say 4 out of 5, can recover a key ?recover a key ?

19

Secret sharing in a bankSecret sharing in a bank

a real world problem:a real world problem:A bank branch has a safe and 3 senior A bank branch has a safe and 3 senior

tellers. tellers. The safe can be opened only by senior The safe can be opened only by senior

tellers, but they do not trust each other. tellers, but they do not trust each other. Can we design a system for the branch Can we design a system for the branch

whereby any 2 of the 3 senior tellers whereby any 2 of the 3 senior tellers together can open the safe, but NO together can open the safe, but NO individual teller can do so.individual teller can do so.

20

(t,n)-threshold secret sharing(t,n)-threshold secret sharing

Consider a group of n participants Consider a group of n participants (=people). Let t <= n.(=people). Let t <= n.

A (t,n)-threshold secret sharing A (t,n)-threshold secret sharing scheme is a method of sharing a key K scheme is a method of sharing a key K among n participants, such thatamong n participants, such thatany t or more participants from the group any t or more participants from the group

can recover the key K, andcan recover the key K, andany t-1 or less participants from the group any t-1 or less participants from the group

can can NOTNOT do so. do so.

21

Real world problemsReal world problems

bank branchbank branchto design a (2,3)-threshold secret sharingto design a (2,3)-threshold secret sharing

key escrow agencykey escrow agency(2,2)-threshold secret sharing(2,2)-threshold secret sharingmore generally, (t,n)-threshold secret sharing.more generally, (t,n)-threshold secret sharing.

E.g. (4,5)-threshold secret sharingE.g. (4,5)-threshold secret sharing millionaire’s willmillionaire’s will

a millionaire with 8 children of which 5 of a millionaire with 8 children of which 5 of them are there when the will is read.them are there when the will is read.

22

Shamir’s (t,n)-threshold schemeShamir’s (t,n)-threshold scheme

Key disposing --- by the dealerKey disposing --- by the dealerinitialisationinitialisationdistributing a share to each of the n distributing a share to each of the n

participants in the groupparticipants in the group Key recovery --- by participantsKey recovery --- by participants

gathering shares from t participantsgathering shares from t participantsreconstructing the key from the t sharesreconstructing the key from the t shares

23

Shamir (3,5)-threshold schemeShamir (3,5)-threshold scheme

Assume that K=13 is a key.Assume that K=13 is a key. Initially the only person who knows Initially the only person who knows

K=13 is the dealer !K=13 is the dealer ! The aim is to construct a threshold The aim is to construct a threshold

scheme so that scheme so that 33 our of the our of the 5 5 participants can recover the key K.participants can recover the key K.

Parameters:Parameters:K=13, t=3, n=5K=13, t=3, n=5

24

Key Disposal -- by dealerKey Disposal -- by dealer

InitialisationInitialisationchooses a prime chooses a prime p > K & p > n+1p > K & p > n+1..

Say p = 17.Say p = 17.chooses 2 (=chooses 2 (=t-1t-1) random non-zero integers ) random non-zero integers

[1,...,p-1], i.e., [1,...,16]. [1,...,p-1], i.e., [1,...,16]. Assume that the following are chosen:Assume that the following are chosen: aa11 = 10 = 10

aa22 = 2 = 2

Form a polynomial of degree t-1:Form a polynomial of degree t-1:pp(x)(x) = = K + aK + a11*x + a*x + a22*x*x22

== 13 + 10*x + 2*x13 + 10*x + 2*x22

25

Key disposal -- by dealerKey disposal -- by dealer

Share distributionShare distributionfor Participant 1for Participant 1

pp(1) =(1) = 13 + 10*1 + 2*113 + 10*1 + 2*12 2 = 8 (mod 17 )= 8 (mod 17 ) gives 8 to Participant 1 as his sharegives 8 to Participant 1 as his share

for Participant 2for Participant 2 pp(2) =(2) = 13 + 10*2 + 2*213 + 10*2 + 2*22 2 = 7 (mod 17 )= 7 (mod 17 ) gives 7 to Participant 2 as his sharegives 7 to Participant 2 as his share


26

Key disposal-- by dealerKey disposal-- by dealer



27

Key recovery -- by 3 participantsKey recovery -- by 3 participants

Assume that 3 participants, say Assume that 3 participants, say Participants 1, 3 and 5 decide to Participants 1, 3 and 5 decide to recover the key K.recover the key K.

Share gatheringShare gatheringthe 3 participants put together their the 3 participants put together their

shares, namely 3 numbers shares, namely 3 numbers 8, 10, 118, 10, 11

28

Key recovery -- by 3 participantsKey recovery -- by 3 participants

Key reconstructionKey reconstructionsolve the following equationssolve the following equationsK + aK + a11 * 1 + a * 1 + a22 * 1 * 122 = 8 (mod 17) = 8 (mod 17)K + aK + a11 * 3 + a * 3 + a22 * 3 * 322 = 10 (mod 17) = 10 (mod 17)K + aK + a11 * 5 + a * 5 + a22 * 5 * 522 = 11 (mod 17) = 11 (mod 17)

the resultthe resultaa11 = 10 = 10aa22 = 2 = 2K = 13K = 13

K = 13 is indeed the key !K = 13 is indeed the key !

29

QuestionsQuestions

With the the (3,5)-threshold schemeWith the the (3,5)-threshold schemeCan 2 or less participants recover the key Can 2 or less participants recover the key

K ?K ?What if more than 3 participants wish to What if more than 3 participants wish to

recover the key ?recover the key ?

30

The DealerThe Dealer

The dealer has to be honest !The dealer has to be honest !can be a person trusted by all can be a person trusted by all

participants.participants.can also be a dedicated program which can also be a dedicated program which

erases all relevant information on the key erases all relevant information on the key K after the shares are distributed K after the shares are distributed successfully.successfully.

31

Combination LockCombination Lock

Assume that a key K is a 4-digit Assume that a key K is a 4-digit number, i.e., K is in [0000,…,9999]number, i.e., K is in [0000,…,9999]

Initially the only person who knows Initially the only person who knows the key K is the dealer!the key K is the dealer!

Construct a Shamir(2.6)-threshold Construct a Shamir(2.6)-threshold scheme so that 2 out of the 6 scheme so that 2 out of the 6 participants can recover the key K.participants can recover the key K.

Hint: choose a 5 digit prime number Hint: choose a 5 digit prime number (say 10007)!(say 10007)!

32

Escrowing DES keysEscrowing DES keys

Assume that a key is a 56-bits DES key Assume that a key is a 56-bits DES key (abut 17 digits)(abut 17 digits)

Initially the only person who knows Initially the only person who knows the key is the dealer!the key is the dealer!

Construct a Shamir(5.10)-threshold Construct a Shamir(5.10)-threshold scheme so that 5 out of 10 escrow scheme so that 5 out of 10 escrow agencies can recover the key K.agencies can recover the key K.

Hine: choose a prime number > 2 Hine: choose a prime number > 2 5656 ! !

key recovery and secret sharing -- towards balancing the interests of individuals and those of...

Documents

individuals key n

key escrow n commercial

governments n key escrow

individuals key slide

escrow slide

halves n

controversy n

proposal n individuals