Split keys

Faramir faramir.cl at gmail.com
Wed Apr 28 21:30:14 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mohan Radhakrishnan escribió:
> Hi,
>     We have come across tools like SSSS. Can I use these in Windows ? I am trying to split the public key. We are the encryptors. Does that make sense ?

  Well, there are tools implementing SSSS in Windows, but I think
different implementations are not compatible with each other. The only
open source implementation I have found is the one available at
http://point-at-infinity.org/ssss/

  I was told the souce code is simple enough to make an updated version
for windows, but I lack the skill needed to do it, and the person that
told me it won't do it unless the organization in which we are involved
require the tool. So maybe the easiest way would be to install ubuntu in
a machine (maybe a virtual machine), install SSSS from ubuntu's
repositories, and use it on that platform.

  I think people would find SSSS a lot more reliable if GnuPG includes
(and maintain it) as a complement of GnuPG, that way we would know it
will be available as long as GnuPG is available, but I understand they
can't implement each and every tool somebody thinks desirable to have.

  Now, about splitting the public key, it doesn't make sense to me,
since the public key is, by definition, public, you don't need to keep
it secret or safe. What you MUST keep secret and safe is the private key.

  I took a look at PCI DSS v1.2.1, and found:

3.6.6 Split knowledge and
establishment of dual control of
cryptographic keys.

3.6.6 Verify that key-management procedures are
implemented to require split knowledge and dual control of
keys (for example, requiring two or three people, each
knowing only their own part of the key, to reconstruct the
whole key).

IMHO, it refers to the secret part of the key, not to the public part.

  When you say you are the encryptor, I suppose you mean you are the
party sending the information, which, at first sight, don't require to
handle private keys, unless you are also signing the message.

> Looks like according to PCI, GPG is not compliant because there is no mechanism to split keys using GPG. Is there a way ?

  If I understood it right, yes, GPG is not compliant because it doesn't
include an "out of the box" tool to archive that. But maybe we can be
creative and find a way to solve the problem.

  Private keys can be protected by a passphrase, and if the passphrase
is strong enough, _maybe_ the key will be protected with an encryption
stronger than the key itself. With that in mind, why don't we split the
passphrase, instead of splitting the key? That workaround looks fine _to
me_, but I'm not an expert, and I'm not an auditor of PCI DSS
compliance, so I don't really know if it would be a good solution.

  Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBCAAGBQJL2IzFAAoJEMV4f6PvczxABpIH/277OWwrwqC5uqTMfdepCpOl
xbn/dNFghWFrwnJ4cMhv049sB3RMmmmaONFeGDDs0SUarC6S5lUCG4jr7lpg2p0F
0zxg7E5ddDhs1MNxSkAZVnXm1pLIl4Y3vYskyEh0W7b4iShLXC700clSk7m4fnWY
EzKCzTvOhfvatMHsifNNAyeCPEaqsbKPOxSq/sVqa/173NMz7xb9coPyca2CQeKT
va6Uf+AFvxgy+W60ymWKKzzKi15DkmAQNgtmbQOkBF9xvEZPsNtKepqfjX6CNRn2
Eo7+kHUBusL8zb/XtYfwVYckFKk7ApY58QpTLilTdEi06gwMSpg/pxGggG3KIWw=
=JhoP
-----END PGP SIGNATURE-----



More information about the Gnupg-users mailing list