Key safety vs Backup : History of a bad day (key-restoration problem)

Atom Smasher atom at smasher.org
Sun Oct 28 11:42:48 CET 2007


On Sun, 28 Oct 2007, Robert J. Hansen wrote:

> Ack!  Ack!  One time pads!  Ack!
>
> I really, really wish the Vernam cipher was either lesser known or 
> better known.  If it was lesser known, fewer people would advise ever 
> using it.  If it was better known, more people would understand its 
> phenomenal shortcomings.
>
> Point blank: unless you can spend a lot of money on training and 
> infrastructure, you are almost always better off using conventional 
> crypto.  The Vernam cipher is /expensive/ to use properly, precisely 
> because it is so unforgiving of any kind of failing.
>
> The secret sharing idea isn't a bad one, but using the Vernam cipher to 
> do it is a very bad idea.  The Shamir Secret-Sharing Protocol works 
> much, much better for this purpose.
==================

used for general purpose crypto; yeah, it sucks. as you mentioned the 
training and infrastructure required to deploy it make it impractical. but 
the only skill required to hold a share of a secret is to not lose it, and 
maybe to destroy it if needed. training and infrastructure issues don't 
apply.

1) there are some very simple OTP applications that let you use your 
favorite random sources (lava-lamp, cosmic-ray detector, CCD camera 
watching traffic, etc) and generate cipher text. maybe someone is using an 
RSS from slashdot as a random source, but it's just as easy to use a 
decent source of entropy.

2) AFAIK the shamir secret sharing protocol is great in theory, but there 
just aren't any practical ways to use it (read: applications). i really 
don't want to do all that math by hand any time i want to break a secret 
into shares, or reassemble them.

i wouldn't generally advocate a vernam cipher for encrypting messages, but 
i think it is the best real-world-practical way to do secret sharing (at 
least until someone builds an application that ~uses~ a real secret 
sharing algorithm). the only practical drawback is that it doesn't support 
thresholds... if one share is missing the secret cannot be recovered. the 
only way around this is to make sure that each share is held by more than 
one person.


-- 
         ...atom

  ________________________
  http://atom.smasher.org/
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
  -------------------------------------------------

 	"The hottest places in hell are reserved for those who in
 	 times of great moral crises maintain their neutrality."
 		-- Dante Aleghieri (1265-1321)