# 1 Key Escrow - like leaving your key with a neighbour in case of an emergency.

## Presentation on theme: "1 Key Escrow - like leaving your key with a neighbour in case of an emergency."— Presentation transcript:

1 Key Escrow - like leaving your key with a neighbour in case of an emergency

2 t of n protocol A key is split into n pieces. Any t of the n pieces (1<=t<=n) are needed to recover the key. Any set of less than t key pieces should not reveal any information about the key.

3 2 of 2 protocol A key is split into 2 pieces. Both pieces are needed to recover the original key. Assume the key K is a b bit binary number K=k 1 k 2 k 3 ….. k b Each bit k i is either a 0 or a 1 The size of the key space is 2 b

4 1.The first key piece X 1 is a b-bit string chosen at random. 2.The second key piece X 2 is computed by XORing K and X 1 X 2 = K X 1 3.The key K is recovered by XORing the two key pieces together. K = X 1 X 2 4.Neither X 1 nor X 2 reveal any information about K on their own since they are both random strings of 0s and 1s.

5 Example (2 of 2 protocol) Generation of Key Pieces The key K = 10110101 Key part X 1 = 01011010 Key part X 2 = 11101111 Recovery of Key Key part X 1 = 01011010 Key part X 2 = 11101111 The key K = 10110101

6 n of n protocol The 2 of 2 protocol can be generalised to an n of n protocol. n key pieces X 1, X 2,……,X n are created and all are need to recover the original key. The first n-1 key pieces are chosen at random. The final key piece is computed by XORing the key K with X 1, X 2, …, X n X n = K X 1 X 2 …… X n-1 The key K is recovered by XORing all of the key pieces together

7 Example (4 of 4 protocol) Generation of Key Parts K = 10100110 X 1 = 11010101 X 2 = 00110100 X 3 = 00110011 X 4 = 01110100 Recovery of the Key X 1 = 11010101 X 2 = 00110100 X 3 = 00110011 X 4 = 01110100 K = 10100110

8 2 of 3 protocol Three key pieces are generated. Any two of the three pieces are needed to recover the original key. This time, think of the key K as a decimal number. We need a parameter p which is a prime greater than K. The value of p does not need to be secret.

9 2 of 3 protocol 1.Alice, the holder of the key K generates a random number a and 3 further random numbers x 1, x 2 and x 3 all different and all between 0 and p. 2.Alice computes k i = (a*x i +K) mod p for i=1,2,3. 3.Alice keeps the value a secret, and gives each of the 3 key holders a pair (x i, k i ).

10 Example (2 of 3 protocol) Generation of Key Parts K = 11, p = 19 a = 14, x 1 = 3, x 2 = 17, x 3 = 10 k 1 = (14*3 + 11) mod 19 = 53 mod 19 = 15 k 2 = (14*17 + 11) mod 19 = 249 mod 19 = 2 k 1 = (14*10 + 11) mod 19 = 151 mod 19 = 18 X 1 = {3,15} X 2 = {17,2} X 3 = {10,18}

11 Recovering K Each key holder has a pair (x i, k i ) and knows that k i = (a*x i + K) mod p, but without knowledge of a, this equation cannot be solved. There are p possible values for a and hence p possible values for K. However, if two key holders get together, they can form 2 equations in 2 unknowns which can be solved simultaneously for K.

12 Suppose the first two key holders share their information. Then they know: k 1 = (a*x 1 + K) mod p(1) k 2 = (a*x 2 + K) mod p (2) Multiplying the first equation by x 2 and the second equation by x 1 gives 2 more equations: (x 2 *k 1 ) = (a*x 1 *x 2 ) + (x 2 * K) mod p (3) (x 1 *k 1 ) = (a*x 1 *x 2 ) + (x 1 * K) mod p (4)

13 Now subtracting equation (4) from equation (3) gives (x 2 *k 1 ) = (a*x 1 *x 2 ) + (x 2 * K) mod p (3) (x 1 *k 1 ) = (a*x 1 *x 2 ) + (x 1 * K) mod p (4) (x 2 *k 1 - x 1 *k 1 ) = (x 2 * K) - (x 1 * K) mod p Or K = (x 2 *k 1 - x 1 *k 1 ) * (x 2 – x 1 ) -1 mod p

14 Example (2 of 3 protocol) Recovery of the Key Suppose key holders 1 and 2 decide to share their information so we know X 1 = {3,15} and X 2 = {17,2} We have the equations: 15 = 3a +K mod 19 (1) *17 2 = 17a+K mod 19 (2) * 3 (15*17) = (3*17*a) + 17K mod 19 (2*3) = (3*17*a) +3K mod 19 (15*17)-(2*3) = (17K-3K) mod 19 249 = 14K mod 19 The inverse of 14 mod 19 = 15 Therefore K = (249 * 15) mod 19 = (2*15) mod 19 = 30 mod 19 = 11

15 2 of n protocol The 2 of 3 protocol can be generalised to provide a 2 of n protocol. The key holders generates as many key pairs (k i, x i ) as necessary using the same method as for the 2 of 3 protocol. Any two key holders can retrieve the original key.

16 t of n protocol A similar protocol can be used for any values of t and n where 1< t < n. Alice needs to choose (t-1) random values a 1,a 2, …..,a t-1 and she generates key pairs such that each key holder has an equation in t unknowns (the values of a i and the value of K). Thus t key holders have to get together to form a set of t simultaneous equations which can be solved to find K.

Download ppt "1 Key Escrow - like leaving your key with a neighbour in case of an emergency."

Similar presentations