Double Encryption Key Splitting System Study Guide
I. Short Answer Questions
What is double encryption? What is the significance of double encryption in a key splitting system?
Double encryption refers to encrypting data twice, usually using two different encryption algorithms or keys. In a key splitting system, double encryption can improve security. Even if an attacker obtains part of the encryption key or key shard, the final data cannot be decrypted because another key or key shard is required to complete the decryption.
What is Shamir Key Sharing? How does it apply to key splitting?
Shamir Key Sharing is an algorithm that splits a key into multiple shards, and only when a sufficient number of shards are collected can the original key be reconstructed. It uses the principle of polynomial interpolation to hide the key in a polynomial and generate multiple shards as points on the polynomial. Only when a sufficient number of points are obtained can the polynomial be reconstructed and the key obtained.
Please explain the difference between "secret", "secret shard", "single encrypted secret shard" and "double encrypted secret shard".
Secret: refers to critical information that needs to be protected, such as the key used to encrypt data.
Secret Shard: refers to the multiple shards after the "secret" is split using a key splitting algorithm (such as Shamir key sharing), each shard contains part of the secret information.
Single Encrypted Secret Shard: refers to the result of encrypting the "secret shard" once, usually using a symmetric encryption algorithm and key.
Double Encrypted Secret Shard: refers to the result of encrypting the "single encrypted secret shard" again, usually using an asymmetric encryption algorithm, such as using the public key corresponding to each shard holder for encryption.
What is an asset encryption key? How does it relate to an asset key?
Asset encryption key: A symmetric key used to encrypt and decrypt asset keys.
Asset key: refers to important keys that need to be protected, such as private keys used to sign transactions, or encryption keys used to decrypt high-value data.
What encryption methods are used in the system? Please explain their functions respectively.
The system uses two methods: symmetric encryption and asymmetric encryption:
Symmetric encryption: Encryption and decryption using the same key, such as using the AES algorithm to encrypt the secret shard.
Asymmetric encryption: Use public key to encrypt and private key to decrypt, for example, use the public key of the shard holder to re-encrypt the single encrypted secret shard.
What is key rotation? Why do we need to rotate keys?
Key rotation refers to the regular replacement of keys to reduce the risk of key leakage. Regular replacement of keys can effectively shorten the validity period of keys. Even if the keys are leaked at a certain point in time, attackers cannot access the subsequent data.
How is QR code used in the system?
The system uses QR codes to store and transmit encrypted secret shards, for example, generate QR codes from double encrypted secret shards and distribute them to the corresponding shard holders.
What is an offline signing service? What role does it play in the system?
An offline signing service refers to a key management service that is not connected to the Internet and is used to securely store and use keys. In the system, the offline signing service is used to generate and store asset encryption keys and use keys to sign transactions.
How does the system ensure that only authorized users can reconstruct secrets?
The system ensures that only authorized users can reconstruct secrets by setting a threshold for key shards. For example, if a secret is split into 10 shards and the threshold is set to 5, the secret can only be reconstructed after at least 5 shards are collected.
In addition to protecting keys, what other types of secret information can this system be used to protect?
In addition to protecting keys, this system can be used to protect other types of secret information, such as passwords, account/routing numbers, etc. This information can be split into multiple shards, then encrypted using a symmetric key and distributed to multiple shard holders using asymmetric encryption.
III. Glossary
Term Definitions Double encryption Encrypting data twice, usually using two different encryption algorithms or keys. Shamir key sharing An algorithm that splits a key into multiple shards, so that the original key can only be reconstructed after a sufficient number of shards are collected. A secret is critical information that needs to be protected, such as a key used to encrypt data. A secret shard is a multiple shard of a "secret" that is split using a key splitting algorithm (such as Shamir key sharing), each of which contains part of the secret information. A single encrypted secret shard is the result of encrypting a "secret shard" once, usually using a symmetric encryption algorithm and key. A double encrypted secret shard is the result of re-encrypting a single encrypted secret shard, usually using an asymmetric encryption algorithm, such as using the public key corresponding to each shard holder for encryption. An asset encryption key is a symmetric key used to encrypt and decrypt asset keys. An asset key is an important key that needs to be protected, such as a private key used to sign a transaction, or an encryption key used to decrypt high-value data. Key rotation refers to the periodic replacement of keys to reduce the risk of key leakage. An offline signing service is a key management service that is not connected to the Internet and is used to securely store and use keys.