
Key Escrow

Key Escrow - like leaving your key with a neighbour in case of an emergency. t of n protocol: a key is split into n pieces. Any t of the n pieces (1<=t<=n) are needed to recover the key. Any set of less than t key pieces should not reveal any information about the key.

kyrene

Presentation Transcript


  1. Key Escrow - like leaving your key with a neighbour in case of an emergency

  2. t of n protocol
     • A key is split into n pieces.
     • Any t of the n pieces (1<=t<=n) are needed to recover the key.
     • Any set of less than t key pieces should not reveal any information about the key.

  3. 2 of 2 protocol
     • A key is split into 2 pieces. Both pieces are needed to recover the original key.
     • Assume the key K is a b-bit binary number K = k1 k2 k3 … kb
     • Each bit ki is either a 0 or a 1
     • The size of the key space is 2^b

  4. • The first key piece X1 is a b-bit string chosen at random.
     • The second key piece X2 is computed by XORing K and X1: X2 = K ⊕ X1
     • The key K is recovered by XORing the two key pieces together: K = X1 ⊕ X2
     • Neither X1 nor X2 reveals any information about K on its own since they are both random strings of 0's and 1's.

  5. Example (2 of 2 protocol)
     Generation of Key Pieces
       The key K   = 10110101
       Key part X1 = 01011010
       Key part X2 = 11101111   (K ⊕ X1)
     Recovery of Key
       Key part X1 = 01011010
       Key part X2 = 11101111
       The key K   = 10110101   (X1 ⊕ X2)

  6. n of n protocol
     • The 2 of 2 protocol can be generalised to an n of n protocol.
     • n key pieces X1, X2, …, Xn are created and all are needed to recover the original key.
     • The first n-1 key pieces are chosen at random.
     • The final key piece is computed by XORing the key K with X1, X2, …, Xn-1: Xn = K ⊕ X1 ⊕ X2 ⊕ … ⊕ Xn-1
     • The key K is recovered by XORing all of the key pieces together.

  7. Example (4 of 4 protocol)
     Generation of Key Parts
       K  = 10100110
       X1 = 11010101
       X2 = 00110100
       X3 = 00110011
       X4 = 01110100   (K ⊕ X1 ⊕ X2 ⊕ X3)
     Recovery of the Key
       X1 = 11010101
       X2 = 00110100
       X3 = 00110011
       X4 = 01110100
       K  = 10100110   (X1 ⊕ X2 ⊕ X3 ⊕ X4)
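The n of n XOR split from slides 3 to 7, as an added example that is not part of the original presentation. The function names are hypothetical; `final_piece_for` shows why n-1 pieces reveal nothing: for every candidate key there is a last piece that fits.

```python
import secrets
from functools import reduce

def xor_bytes(a, b):
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("pieces must all have the key's length")
    return bytes(x ^ y for x, y in zip(a, b))

def split_n_of_n(key, n):
    """Split key into n pieces; all n are needed to recover it."""
    if n < 2:
        raise ValueError("need at least 2 pieces")
    # The first n-1 pieces are chosen at random (from the OS CSPRNG).
    pieces = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    # Xn = K xor X1 xor ... xor Xn-1
    pieces.append(reduce(xor_bytes, pieces, key))
    return pieces

def recover_n_of_n(pieces):
    """K = X1 xor X2 xor ... xor Xn."""
    return reduce(xor_bytes, pieces)

def final_piece_for(candidate_key, known_pieces):
    """The unique missing piece that would make candidate_key the answer."""
    return reduce(xor_bytes, known_pieces, candidate_key)

# The 4 of 4 example from slide 7, one byte per piece.
SLIDE_PIECES = [bytes([0b11010101]), bytes([0b00110100]),
                bytes([0b00110011]), bytes([0b01110100])]

if __name__ == "__main__":
    print(format(recover_n_of_n(SLIDE_PIECES)[0], "08b"))
    # Holding only X1..X3, all 256 one-byte keys remain possible.
    fits = {final_piece_for(bytes([k]), SLIDE_PIECES[:3]) for k in range(256)}
    print(len(fits), "candidate keys fit three pieces")
```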

  8. 2 of 3 protocol
     • Three key pieces are generated. Any two of the three pieces are needed to recover the original key.
     • This time, think of the key K as a decimal number. We need a parameter p which is a prime greater than K. The value of p does not need to be secret.

  9. 2 of 3 protocol
     • Alice, the holder of the key K, generates a random number a and 3 further random numbers x1, x2 and x3, all different and all between 0 and p.
     • Alice computes ki = (a*xi + K) mod p for i = 1, 2, 3.
     • Alice keeps the value a secret, and gives each of the 3 key holders a pair (xi, ki).

  10. Example (2 of 3 protocol)
      Generation of Key Parts
        K = 11, p = 19
        a = 14, x1 = 3, x2 = 17, x3 = 10
        k1 = (14*3 + 11) mod 19 = 53 mod 19 = 15
        k2 = (14*17 + 11) mod 19 = 249 mod 19 = 2
        k3 = (14*10 + 11) mod 19 = 151 mod 19 = 18
        X1 = {3,15}   X2 = {17,2}   X3 = {10,18}

  11. Recovering K
      Each key holder has a pair (xi, ki) and knows that ki = (a*xi + K) mod p, but without knowledge of a, this equation cannot be solved. There are p possible values for a and hence p possible values for K. However, if two key holders get together, they can form 2 equations in 2 unknowns which can be solved simultaneously for K.

  12. Suppose the first two key holders share their information. Then they know:
        k1 = (a*x1 + K) mod p   (1)
        k2 = (a*x2 + K) mod p   (2)
      Multiplying the first equation by x2 and the second equation by x1 gives 2 more equations:
        (x2*k1) = (a*x1*x2) + (x2*K) mod p   (3)
        (x1*k2) = (a*x1*x2) + (x1*K) mod p   (4)

  13. Now subtracting equation (4) from equation (3) gives
        (x2*k1) = (a*x1*x2) + (x2*K) mod p   (3)
        (x1*k2) = (a*x1*x2) + (x1*K) mod p   (4)
        (x2*k1 - x1*k2) = (x2*K) - (x1*K) mod p
      Or
        K = (x2*k1 - x1*k2) * (x2 - x1)^-1 mod p

  14. Example (2 of 3 protocol)
      Recovery of the Key
      Suppose key holders 1 and 2 decide to share their information, so we know X1 = {3,15} and X2 = {17,2}.
      We have the equations:
        15 = 3a + K mod 19    (1)   * 17
         2 = 17a + K mod 19   (2)   * 3
        (15*17) = (3*17*a) + 17K mod 19
        (2*3)   = (3*17*a) + 3K mod 19
        (15*17) - (2*3) = (17K - 3K) mod 19
        249 = 14K mod 19
      The inverse of 14 mod 19 = 15
      Therefore K = (249 * 15) mod 19 = (2*15) mod 19 = 30 mod 19 = 11

  15. 2 of n protocol
      • The 2 of 3 protocol can be generalised to provide a 2 of n protocol.
      • The key holder generates as many key pairs (ki, xi) as necessary using the same method as for the 2 of 3 protocol.
      • Any two key holders can retrieve the original key.

  16. t of n protocol
      • A similar protocol can be used for any values of t and n where 1 < t < n.
      • Alice needs to choose (t-1) random values a1, a2, …, at-1 and she generates key pairs such that each key holder has an equation in t unknowns (the values of ai and the value of K).
      • Thus t key holders have to get together to form a set of t simultaneous equations which can be solved to find K.
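The 2 of 3 recovery from slides 11 to 14 and the t of n generalisation from slide 16, as an added example that is not part of the original presentation. It goes beyond the slides by assuming the equations take the polynomial form ki = K + a1*xi + … + at-1*xi^(t-1) mod p (Shamir's scheme, of which the slides' ki = a*xi + K is the t = 2 case); all function names are hypothetical.

```python
import secrets

def evaluate(coeffs, x, p):
    """Horner evaluation of K + a1*x + ... + a(t-1)*x^(t-1) mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def split(K, t, n, p):
    """Return n pairs (x, k); any t of them recover K. p: prime > K, > n."""
    if not (1 <= t <= n < p and 0 <= K < p):
        raise ValueError("need 1 <= t <= n < p and 0 <= K < p")
    # K is the constant term; a1..a(t-1) are Alice's secret random values.
    coeffs = [K] + [secrets.randbelow(p) for _ in range(t - 1)]
    xs = set()
    while len(xs) < n:
        # Distinct and non-zero: x = 0 would give k = K, leaking the key.
        xs.add(1 + secrets.randbelow(p - 1))
    return [(x, evaluate(coeffs, x, p)) for x in sorted(xs)]

def recover(shares, p):
    """Solve the t simultaneous equations for K (Lagrange form, at x = 0)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("shares must have distinct x values")
    K = 0
    for i, (xi, ki) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * -xj % p
                den = den * (xi - xj) % p
        K = (K + ki * num * pow(den, -1, p)) % p
    return K

def keys_consistent_with(share, p):
    """Every K that one 2 of n pair (x, k) allows, over all p choices of a."""
    x, k = share
    return {(k - a * x) % p for a in range(p)}

# The slides' 2 of 3 example (p = 19, K = 11): any two pieces recover K.
SLIDE_SHARES = [(3, 15), (17, 2), (10, 18)]
if __name__ == "__main__":
    print(recover(SLIDE_SHARES[:2], 19), recover(SLIDE_SHARES[1:], 19))
    print(len(keys_consistent_with(SLIDE_SHARES[0], 19)), "keys fit one piece")
```

For t = 2, `recover` reduces to the slide 13 formula K = (x2*k1 - x1*k2) * (x2 - x1)^-1 mod p.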
