Do you want to share a secret within a group in a secure way? Do you want to make sure that more than one person is needed to recover the secret, so that no one can act single-handedly? Do you need, for example, the four-eyes principle?
In cryptography, a shared secret is a piece of data that is known only to the parties involved. The data might be text, a number, a passphrase or just bits and bytes.
The slides explain the requirements for sharing a secret, which approaches there are, and show one solution using an algorithm called "Shamir's Secret Sharing".
This cryptographic algorithm was created by Adi Shamir. It divides the secret into parts, and each participant receives their own unique part. Most importantly, some or all of the parts are needed to reconstruct the secret.
In cryptography, Shamir's Secret Sharing is a so-called threshold scheme: not all of the parts are needed, but a number of x parts is sufficient to recover the original secret.
The PHP implementation of the algorithm can be found at https://github.com/teqneers/shamir.
The slides are based on a blog called Data Genetics (http://datagenetics.com/blog/november22012/).
2. TEQneers GmbH & Co. KG www.teqneers.de
Password
‣Everything online or sensitive has a password
‣Usually known by single person
‣Person gone = password gone
‣Equivalent to a door's lock
Multi people examples
‣NSA access to mobile devices
‣Four-eyes principle for admins
‣Joint bank account of a company
‣Lawyer needs six family members to open a will
‣Nuclear missile launch system
‣and many more
Advanced examples
‣Bank account: access by any 2 of 4 people
‣Nuclear missile: hierarchy of passwords (president counts 3 votes, SoD counts 2, ...)
‣Will: family members die before you; you don't want to de-/encrypt the will again and send out passwords
‣Will: new family member without redistributing passwords to all again
‣Four-eyes principle: admins can do some operations only with another admin
Characteristics of multi PW solution
‣Exposure of 1 sub password doesn't expose any more hints to attacker
‣All sub passwords required to obtain solution
‣Knowledge of all-but-one no better than knowing none
‣Sub passwords have same magnitude in length as master password
Characteristics of multi PW solution
‣Generate new passwords, because one got exposed, without re-issuing the others
‣Keep sub passwords despite additions/deletions
‣Generate new viable sub password without re-issue
Password Carve-up
‣Discloses partial information
‣Reduces effort of brute-force attack
‣Not elegant
‣Need all pieces like a broken plate
Random Offsets
‣Disclosing a password doesn't help attacker
‣Magnitude of passwords is good
‣More elegant
‣Still need all pieces
Exclusive Or (XOR)
‣Disclosing a password doesn't help attacker
‣Magnitude of passwords is good
‣More elegant
‣Still need all pieces
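The XOR approach as an added example (not taken from the slides or from the teqneers/shamir library): the function names and sample passwords are made up here. It shows both slide points: every piece is required, and all-but-one pieces fit any guess at the secret equally well.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def combine_xor(pieces):
    """XOR all pieces together; only the complete set yields the secret."""
    out = bytes(len(pieces[0]))
    for piece in pieces:
        out = xor_bytes(out, piece)
    return out


def split_xor(secret: bytes, n: int):
    """n-1 random pads plus a final piece chosen so that all n XOR to the secret."""
    if n < 2:
        raise ValueError("need at least two pieces")
    pads = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    return pads + [xor_bytes(secret, combine_xor(pads))]


def missing_piece_for(guess: bytes, known_pieces):
    """The one missing piece that would make `guess` the secret.

    Such a piece exists for every guess of the right length, which is why
    holding all-but-one pieces is no better than holding none.
    """
    return xor_bytes(guess, combine_xor(known_pieces))


if __name__ == "__main__":
    pieces = split_xor(b"hunter2", 4)          # constructed sample password
    print(combine_xor(pieces))                 # all four pieces: b'hunter2'
    known = pieces[:3]                         # attacker holds three of four
    fake = missing_piece_for(b"letmein", known)
    print(combine_xor(known + [fake]))         # equally consistent: b'letmein'
```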
Shamir's Algorithm
‣Using a bit of math
‣Not too complicated
‣Matches all requirements
‣Doesn't need all sub-keys to decrypt
‣Threshold cryptosystem
Back to school
‣Draw a graph
‣Transform password into coordinate (e.g. 25,20)
‣Now draw a line through this point
‣How would you do it?
Some examples
‣Infinite possibilities
‣Correct way: you need 2 points
Equation of straight line
‣Y = mX + C
‣m is gradient (slope) of line
‣C is intercept of y-axis
‣Our Secret S = C
More solutions
‣Any two points on the line describe the line and determine the intercept of y-axis (our S)
Simplest solution
‣Any number of points we desire
‣Distribute hundreds of coordinates
‣Individually, each coordinate is useless, because infinite number of solutions
‣Any two points together describe solution
‣Awesome!
Order-2
‣From linear to quadratic
‣Straight lines are order-1 polynomials
‣Quadratic equations are order-2
‣e.g. y = Ax² + Bx + C
‣Unlimited solutions with only 2 points
Order-2 example
‣Any number of points we desire
‣Distribute hundreds of coordinates
‣Individually, each coordinate is useless, because infinite number of solutions
‣Any three points together describe solution
‣Awesome! Again!
Advanced feature support
‣Not a broken-plate type problem
‣No need of all passwords
‣Non-complete combination has no value to attacker
‣Easy to generate new sub passwords, no need to re-issue others
‣In case of compromised passwords: keep uncompromised coords and generate new curve
‣President: just needs more coordinates than others (e.g. 3) and SoD gets 2, others 1
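The order-2 curve and the feature list above, as an added example (not code from the slides or from the teqneers/shamir library): function names, the prime P and the sample secret are assumptions made here. The slides draw the curve over ordinary numbers; this sketch does the same arithmetic modulo a prime, the usual way to implement the scheme so that fewer than the threshold number of points leaves every secret equally likely.

```python
import secrets

P = 2**127 - 1  # assumed field prime (a Mersenne prime); the secret must be < P


def make_polynomial(secret, k):
    """Degree k-1 curve with random coefficients; its y-intercept is the secret."""
    if not 0 <= secret < P or k < 1:
        raise ValueError("need 0 <= secret < P and k >= 1")
    return [secret] + [secrets.randbelow(P) for _ in range(k - 1)]


def issue_shares(coeffs, xs):
    """Return the points (x, f(x)) on the curve for the given x values."""
    if 0 in xs or len(set(xs)) != len(xs):
        raise ValueError("x values must be distinct and non-zero (x = 0 is the secret)")
    return [(x, sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P) for x in xs]


def recover(shares):
    """Lagrange interpolation evaluated at x = 0, i.e. the y-intercept."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("shares must have distinct x values")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def demo():
    """Constructed scenario: threshold 3, president holds 3 points, SoD holds 2."""
    secret = int.from_bytes(b"launch-code", "big")
    curve = make_polynomial(secret, k=3)
    president = issue_shares(curve, [1, 2, 3])
    sod = issue_shares(curve, [4, 5])
    newcomer = issue_shares(curve, [7])  # issued later, nobody else re-issued
    return {
        "president alone (3 points)": recover(president) == secret,
        "SoD + newcomer (2 + 1 points)": recover(sod + newcomer) == secret,
        "SoD alone (2 points)": recover(sod) == secret,
    }


if __name__ == "__main__":
    for who, ok in demo().items():
        print(f"{who}: {'recovers the secret' if ok else 'gets a wrong value'}")
```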