I think this technique may have a name, but I can't remember it to google it.
What methods are there to encrypt a file (or password, etc.) into N files, of which any M (less than N) can be used to recover the complete original file, but any less than M are completely useless (say on an order equivalent to cracking 1024-bit AES)?
E.g. I encrypt all the company's passwords into N files, giving N company executives each 1 file. Any N-M executives can die with me in a fiery plane crash, and the remaining M can still recover all the passwords necessary to continue the business. But M-1 executives can't go rogue and secretly sell all the company's secret data to the competition.
The class of algorithm you're after is called a Secret Sharing Scheme, and the most widely implemented example is Shamir's Secret Sharing Scheme.
Generally, what is done is to generate a random key for a symmetric cipher, like AES; encrypt the plaintext with that random key; then split the random key into N shares using the secret sharing scheme. The ciphertext then does not have to be kept secret; only the key shares.
Splitting the encrypted data isn't something I've heard about before, but sharing key data using a Secret Sharing scheme could be what you're after.
The solution for this is simple:
All data is symmetrically encrypted and stored in a common place (with backups for fiery plane crashes in datacenters) and the symmetric key is then encrypted and stored multiple times ... you could use some Diffie-Hellman group keys to encrypt the key for X different groups, where X is the binomial coefficient N over T, where N is the number of (n)eeded shareholders and T is the (t)otal number of shareholders (or if you don't want group keys, order the public keys of each group's shareholders in a recoverable manner, and go through a chain of encryptions).
Store the encrypted keys together with the data, destroy the original symmetric key and hand out the private keys to all shareholders.
(Of course it would be more secure to have each shareholder generate his/her own keypair, and eventually go through the group exchange protocol to generate the group key, but those guys in the suits usually don't understand things like this ... ;-)