Secret splitting w/ threshold

Ryan Malayter
Mon Mar 25 20:25:02 2002

From: Werner Koch, 23 Mar 2002 4:46 AM

>OpenPGP does not define any key splitting algorithm.
>I have some doubts whether this can be accomplished at
>all using the OpenPGP protocol.  The hard thing with
>key splitting is to get the usability right.  What PGP
>provides is not sufficient because (afaik) all parts
>must be combined on the same machine; this does not
>increase the security unless that machine is physically
>secure and provides a clean protocol to combine the keys.

The Shamir and geometric threshold schemes are fairly straightforward and
secure protocols, so the usability design isn't really an issue. Simply feed
your sharing program N shares (as files or whatever), in any order, and
it reconstructs and displays the secret. What's really needed, I suppose,
would be a standard message format that would encapsulate the sharing
algorithm used, the degree of the (m,n) threshold scheme, and the actual
data associated with the share. I would think OpenPGP packet formats could
handle this easily, with appropriate additions to the list of algorithms.

Of course, the question is, is a secret splitting feature useful enough for
it to be added to the OpenPGP standard? I think so. Heck, every organization
should probably share its administrative pass phrases and keys in such a
secure manner.

Or perhaps a separate, simple "Open Threshold Scheme" standard, based on the
OpenPGP packet format, would be a better idea. Some form of standard is
desirable so that shares can be recovered universally. If I make a custom
program to split disaster recovery passwords for my executives, but both
myself and my custom share combining program are inaccessible when a
disaster recovery needs to occur, the whole exercise was pointless.

>If your goal is that 2 persons have to sign a document 
>to get a valid signature, you should setup an 
>organisation policy to enforce this and use 2 simple 
>signatures.  It is definitely possible to add some 
>policy enforcement rules to GnuPG.

Signing isn't really the issue. My intent is to share an administrative pass
phrase such that any two executives can get together and reconstruct it, but
one executive losing or compromising his "secret card" doesn't compromise
the pass phrase.
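The (m,n) threshold scheme and the self-describing share format discussed above, as an added example that is not code from the original post, GnuPG or OpenPGP. It implements Shamir's scheme over the prime field GF(2^521-1) with Lagrange interpolation, and wraps each share in a small hypothetical "OTS1" header carrying the algorithm id, m, n and the share index, so any m shares, in any order, reconstruct the pass phrase while fewer than m are consistent with every possible pass phrase. The magic string, algorithm id and layout are assumptions for illustration, not a standard.

```python
"""Shamir (m, n) threshold sharing of a pass phrase, with a self-describing
share encoding. Added example; not the original post's or GnuPG's code."""
import itertools
import secrets
import struct

# Mersenne prime 2^521 - 1: a pass phrase of up to 64 bytes fits in one field element.
PRIME = (1 << 521) - 1
MAGIC = b"OTS1"        # hypothetical "Open Threshold Scheme" share header
ALG_SHAMIR_P521 = 1    # hypothetical algorithm id: Shamir over GF(2^521 - 1)
Y_LEN = 66             # bytes needed for a field element below 2^521


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, m, n):
    """Return n shares (x, y) of an integer secret; any m reconstruct it.
    The constant term is the secret and the other m-1 coefficients are
    uniformly random, so any m-1 shares fit a polynomial through every
    possible secret: they carry no information about it."""
    if not 1 <= m <= n <= 255:
        raise ValueError("need 1 <= m <= n <= 255")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME); order does not matter."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # den^(PRIME-2) is den^-1 by Fermat, since PRIME is prime and den != 0
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def passphrase_to_int(passphrase):
    if len(passphrase) > 64:
        raise ValueError("pass phrase longer than 64 bytes; use a larger field")
    # Leading 0x01 marker keeps any leading zero bytes of the pass phrase.
    return int.from_bytes(b"\x01" + passphrase, "big")


def int_to_passphrase(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if not raw or raw[0] != 1:
        raise ValueError("not a pass phrase encoding")
    return raw[1:]


def encode_share(share, m, n):
    """MAGIC | alg | m | n | x | y (66 bytes big-endian) - 74 bytes in total."""
    x, y = share
    return MAGIC + struct.pack(">BBBB", ALG_SHAMIR_P521, m, n, x) + y.to_bytes(Y_LEN, "big")


def decode_share(blob):
    if len(blob) != 8 + Y_LEN or blob[:4] != MAGIC:
        raise ValueError("not an OTS1 share")
    alg, m, n, x = struct.unpack(">BBBB", blob[4:8])
    if alg != ALG_SHAMIR_P521:
        raise ValueError("unsupported sharing algorithm %d" % alg)
    return m, n, (x, int.from_bytes(blob[8:], "big"))


def split_passphrase(passphrase, m, n):
    return [encode_share(s, m, n) for s in split_secret(passphrase_to_int(passphrase), m, n)]


def recover_passphrase(blobs):
    decoded = [decode_share(b) for b in blobs]
    params = {(m, n) for m, n, _ in decoded}
    if len(params) != 1:
        raise ValueError("shares come from different splits")
    ((m, _),) = params
    if len(decoded) < m:
        raise ValueError("need %d shares, got %d" % (m, len(decoded)))
    return int_to_passphrase(recover_secret([s for _, _, s in decoded]))


def check_threshold(passphrase, m, n):
    """True if every m-subset recovers the pass phrase and every (m-1)-subset is rejected."""
    blobs = split_passphrase(passphrase, m, n)
    for subset in itertools.combinations(blobs, m):
        if recover_passphrase(list(subset)) != passphrase:
            return False
    for subset in itertools.combinations(blobs, m - 1):
        try:
            recover_passphrase(list(subset))
            return False
        except ValueError:
            pass
    return True


if __name__ == "__main__":
    # Constructed example: a 2-of-3 split for three executives.
    print(check_threshold(b"constructed disaster-recovery pass phrase", 2, 3))
```

Each encoded share is 74 bytes, so a share fits comfortably on a printed "secret card" as hex or base64; the header lets any conforming combiner, not just the one that produced the shares, validate that the cards belong to the same split before interpolating.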