Secret-sharing for GPG?

brian moore bem at
Fri Dec 4 20:20:09 CET 1998

On Fri, Dec 04, 1998 at 09:45:40PM -0600, Edward S. Marshall wrote:
> On Fri, 4 Dec 1998, brian moore wrote:
> > This breaks when someone steals the key from the central server: they
> > now have the ability to get around the "must have 2 signatures" rules.
> > If they copy it to a floppy, they can keep it as an insurance package
> > for when they get canned.
> Yes, you have a single point of failure. However, this assumes the
> compromise of the host. Frankly, if someone has compromised a server that
> houses critical keys on it, it's time to start issuing revokations anyway.
> In other words, you can work around this. But...

You're assuming the threat comes from the outside.

I've seen employees fired from ISP's (even those with root) that have
damaged their former employer by being naughty with resources they had
access to while employed.

(And, outside of the ISP world, it happens a lot more often.  At least
most geeks think in binary so you know where they stand.  Civilians are
random and rip off their employers all the time.)

> > There are ways to split keys (mathematically) that allow key sharing
> > with no central secret key storage.
> ...>this< is definitely preferred. ;-) However, unless I'm missing
> something, you still need a centrally stored "half-key", unless you're
> talking about having two unique individuals sign the InterNIC submission
> (which seems like a lot of overhead for nothing)?

But it keeps rogue ex-employees from doing any damage even if they are

> However, even with a central "half-key" stored, it doesn't do an attacker
> who compromises the key any good at all without the other half. If the
> attacker is one of your employees who do InterNIC submissions, though,
> you're stuck back in the same boat as before...

Yep, which is why you don't keep even a half key. :)

> Or did I miss something in your description (I'm probably automating
> things more than you were suggesting...)?

There are methods of splitting the key so that any n pieces out of m
are needed to sign.  You could have 30 employees and require 6 to sign
off.  (And by playing math games, if you give three parts to trusted
employees, it would take only two of them to do it instead of 6
peons.)  You'd have to fire a slew of 'em in order to have their pieces
used against you.  (Enough time to get the Internic to change keys. :))

There's no need to store a central key: things just won't work without
all the pieces.

This is what the commercial PGP supposedly has.  (They call it
'corporate key recovery', which basically allows portions of an
employees keys to be assigned to various corporate officers, so if
three VP's or whatever get together, they can get into an employee's
secured data.  A good thing when someone get hit by a truck and has
the secret plans encrypted on his hard drive.)

With a good mechanism (and I haven't seen PGP's handling of this), it
can be pretty useful.  I'd point you to their website where it explains
the magic, but the silly export rules at where they
have such stuff doesn't work.  (You can play with it all night, but you
still can't get in.)

Brian Moore                       | "The Zen nature of a spammer resembles
      Sysadmin, C/Perl Hacker     |  a cockroach, except that the cockroach
      Usenet Vandal               |  is higher up on the evolutionary chain."
      Netscum, Bane of Elves.                 Peter Olson, Delphi Postmaster

More information about the Gnupg-devel mailing list