tags:
views: 278
answers: 5
So say I want to encrypt a file and the only way I want it to be read is if two different people enter their keys. So, for instance there are four keys:

key1, key2, key3, key4.

If I encrypt it with key1 then the following combinations will decrypt it:

  • key2, key3
  • key3, key4
  • key2, key4

Is this possible using a standard method?

A: 

Make the fourth key the bitwise checksum of the other three... You could even sequentially increment which key had the checksum value, so that

  1. key 4 bit 1 was a checksum of bit 1 in keys 1-3, and
  2. key 1 bit 2 was a checksum of bit 2 in keys 2-4, and
  3. key 2 bit 3 was a checksum of bit 3 in keys 1,3,4, and
  4. key 3 bit 4 was a checksum of bit 4 in keys 1,2,4, and
  5. key 4 bit 5 was a checksum of bit 5 in keys 1,2,3, etc. ...

Kinda like striped RAID 5 does...

This way, no matter which three of the four keys you had, you could recreate the missing one. Use some combination of all four keys to encrypt the message.

Charles Bretana
+2  A: 

Say you're assigning keys x1, x2, .. xN

Encrypt the file with a master symmetric key M. Then store several encrypted copies of M:

  • Encrypted with x1 and x2
  • Encrypted with x2 and x3
  • Encrypted with x1 and x3
  • ...

Any two keys will unlock one of the encrypted copies of the master, which will decrypt the file.

280Z28
This presumes each encryptor has all keys. You need to add public key crypto.
Grumdrig
What are you talking about, Grumdrig? I'm not sure I understand.
Zarel
This explodes combinatorically for larger numbers of keys: you need n!/(m!(n-m)!) copies with such a simplistic scheme!
Jeffrey Hantin
@Jeffrey, actually you need the (n-1)th triangle number: n*(n-1)/2
280Z28
Sorry, I'm sick and my brain still isn't working right.
Jeffrey Hantin
@Zarel, imagine there are 4 parties each of which want to be able to encrypt messages that any two of the others can read. To use the above scheme, each would have to have the others' keys so that they could encrypt each combo. Thus any one of them would have all the keys and be able to decrypt solo.
Grumdrig
@Grumdrig: That's not the situation the OP asked about. One fixed person encrypts, two others decrypt.
280Z28
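The scheme in this answer, as an added example that is not part of the original answer: encrypt the file under a fresh master key M, then store M wrapped once per pair of holders, so any two holders can unwrap it. Assumptions made here: the standard library has no AEAD, so `seal`/`unseal` is a stand-in authenticated cipher built from HMAC-SHA256 (a counter-mode keystream plus an encrypt-then-MAC tag); a real deployment would use AES-GCM or ChaCha20-Poly1305. `pair_key` is a hypothetical KDF chosen for this example that combines two holders' keys order-independently. The number of wrapped copies it produces is the n*(n-1)/2 counted in the comments above.

```python
import hashlib
import hmac
import secrets
from itertools import combinations

# Stand-in for a real AEAD (e.g. AES-GCM): HMAC-SHA256 in counter mode as the
# keystream, plus an HMAC-SHA256 tag (encrypt-then-MAC). Used only so this
# example runs with the standard library; use a vetted AEAD in practice.
NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    # Separate encryption and MAC subkeys derived from one 32-byte key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, ctr = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    # Constant-time tag check before any decryption.
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


def pair_key(ka: bytes, kb: bytes) -> bytes:
    # Hypothetical KDF: order-independent, so (x1, x2) and (x2, x1) agree.
    lo, hi = sorted((ka, kb))
    return hmac.new(b"pairwise-wrap-kdf", lo + hi, hashlib.sha256).digest()


def encrypt_for_any_two(holder_keys: dict, plaintext: bytes):
    """Encrypt under a fresh master key M; wrap M once per pair of holders."""
    master = secrets.token_bytes(32)
    body = seal(master, plaintext)
    wrapped = {}
    for a, b in combinations(sorted(holder_keys), 2):  # n*(n-1)/2 copies of M
        wrapped[(a, b)] = seal(pair_key(holder_keys[a], holder_keys[b]), master)
    return body, wrapped


def decrypt_with_two(two_keys: dict, body: bytes, wrapped: dict) -> bytes:
    """Any two holders combine their keys to unwrap M, then decrypt the body."""
    if len(two_keys) != 2:
        raise ValueError("exactly two holders must cooperate")
    (a, ka), (b, kb) = sorted(two_keys.items())
    master = unseal(pair_key(ka, kb), wrapped[(a, b)])
    return unseal(master, body)


if __name__ == "__main__":
    # Constructed sample keys for three holders (the asker's key2..key4).
    holders = {f"key{i}": secrets.token_bytes(32) for i in (2, 3, 4)}
    body, wrapped = encrypt_for_any_two(holders, b"payroll.csv contents")
    pair = {k: holders[k] for k in ("key3", "key4")}
    print(len(wrapped), "wrapped copies;", decrypt_with_two(pair, body, wrapped))
```

Only the encrypting party needs all the holders' keys; each holder receives its own key and the public `wrapped` table, and a single holder has no entry it can open alone.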
+1  A: 

Not as you state it, I don't think. But you could get the same effect like this: Use public key crypto; now there are 4 public and 4 private keys. As person #1, encrypt your message with each pairwise combination of the other 3. E.g. encrypt the message with key 2, then encrypt that with key 3. Now encrypt the message with key 2, then encrypt that with key 4. Finally, 3 then 4. Now if any two of the others get together they can recover the original message.

Grumdrig
+8  A: 

Generate a unique content key to encrypt the message (this is common to many message encryption standards), then apply an erasure code scheme such as Reed-Solomon coding against that content key concatenated with enough additional random data to ensure that any m of n "shards" of the key can be put together to create the final key. Shards are only given out from the random data portion so that none of the shards given out contain actual bits from the content key. This way, any number of collected shards short of m does not give any useful information about the key itself.

EDIT: Reed-Solomon to generate key shards appears to be identical to Shamir's secret-sharing, first published in 1979; thanks to @caf for pointing out the article.

Jeffrey Hantin
There's a GPL-licensed implementation of Shamir's secret-sharing scheme as well: see http://point-at-infinity.org/ssss/
intgr
+3  A: 

Generate a symmetric key key1 randomly and use it to encrypt the data, then generate key2, key3 and key4 from key1 using Shamir's Secret Sharing protocol.

To securely distribute key2, key3 and key4 you can then use a public key algorithm to encrypt them using the public keys of the recipients.

caf
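Shamir's secret sharing as described in the two answers above (Jeffrey Hantin's and caf's), as an added example that is code from neither author nor from the ssss tool linked above. It splits a 32-byte content key (key1 in caf's answer) into n shares over the prime field GF(2^521 - 1) and rebuilds it from any m of them by Lagrange interpolation at x = 0; the shares are evaluations of the random polynomial at x = 1..n, never at x = 0, which is the point the first answer makes about handing out only shards that contain no bits of the key itself. `split_key`, `recover_key` and the modulus `P` are names chosen for this example. Encrypting the file under key1, and delivering each share under a recipient's public key, is outside the block.

```python
import secrets

# Prime field for the shares: the Mersenne prime 2^521 - 1. A 32-byte content
# key is far below it, so the key maps to a single field element.
P = 2**521 - 1
KEY_LEN = 32


def _interpolate_at_zero(points):
    """Lagrange interpolation at x = 0 over GF(P); returns f(0) as an int."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def split_key(key: bytes, m: int, n: int):
    """Produce n shares (x, y) of `key`; any m of them reconstruct it."""
    s = int.from_bytes(key, "big")
    if not (0 <= s < P and 1 <= m <= n < P):
        raise ValueError("bad parameters")
    # Random polynomial f of degree m-1 with f(0) = key; share i is (i, f(i)).
    coeffs = [s] + [secrets.randbelow(P) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner's rule
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_key(shares) -> bytes:
    """Rebuild the key from at least m genuine shares (extra shares are harmless).

    Fewer than m shares, or a corrupted share, yield an unrelated field element;
    the length check below catches only the cases where it does not fit in
    KEY_LEN bytes, so it is a sanity check, not an integrity guarantee.
    """
    value = _interpolate_at_zero(shares)
    if value >= 1 << (8 * KEY_LEN):
        raise ValueError("reconstructed value is not a valid key")
    return value.to_bytes(KEY_LEN, "big")


if __name__ == "__main__":
    key1 = secrets.token_bytes(KEY_LEN)          # content key that encrypts the file
    key2, key3, key4 = split_key(key1, m=2, n=3)  # the asker's three holder keys
    assert recover_key([key2, key3]) == key1
    assert recover_key([key3, key4]) == key1
    assert recover_key([key2, key4]) == key1
    print("any two of three shares recover the content key")
```

Each share is a pair (x, y); the x coordinate must be stored with the share, since reconstruction depends on which evaluation points the cooperating holders bring. The threshold m is a parameter, so the same code gives, for instance, 3-of-5 recovery for five holders.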