

Red October: CloudFlare’s Open Source Implementation of the Two-Man Rule - jgrahamc
http://blog.cloudflare.com/red-october-cloudflares-open-source-implementation-of-the-two-man-rule

======
AaronFriel
I'm curious about their decision to eschew "complicated secret primitives":

> Red October is based on combinatorial techniques and trusted cryptographic
> primitives. We investigated using complicated secret primitives like
> Shamir's sharing scheme, but we found that a simpler combinatorial approach
> based on primitives from Go's standard library was preferable to
> implementing a mathematical algorithm from scratch. Red October uses 128-bit
> AES, 2048-bit RSA and scrypt as its cryptographic primitives.

While it's usually preferable to rely on well-tested cryptographic code, I
wonder if this scheme is weaker because of the matryoshka doll approach taken
with encryption. My personal concerns are mitigated by the fact that the
secret-managing server could be made physically secure, but I'm concerned that
their approach allows incremental progress to be made in decrypting secrets.

For example, if users A_1,A_2...A_N all provide passwords, of which any 3 can
decrypt a package, then there will be N * N-1 * N-2 / 6 copies of the secret
on the server. (In general: N choose K, where N is the number of parties to
the secret and K is the number required to decrypt.) For the previous example,
20 users and 3 needed to decrypt, 1140 ciphertexts will be generated. The
worst case scenario is when K approaches N/2, 20 users with any 10 able to
decrypt would produce close to 184,756 ciphertexts.

My problems, from a naive non-cryptographer's view, are:

1. That's a lot of data, and cryptographers tend to loathe giving attacks
more data.

2. I'm wondering if there are any approaches to cracking these secrets that can
take advantage of the fact that the same plaintext secret is going to be
available as a very large number of ciphertexts. It seems that a meet-in-the-
middle attack might substantially reduce the security guarantees here.

Could any cryptographers chime in? Is Red October a good model for securing
secrets?
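
The storage pattern the comment describes (one nested ciphertext per K-subset of users, N choose K in total), as an added Go example that is not part of the original thread and is not Red October's code. It assumes AES-128-GCM layers keyed directly with 16-byte user keys (no scrypt or RSA step); `aead`, `wrapAll` and `unwrap` are hypothetical names and all keys and data are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"math/bits"
)

func aead(key []byte) cipher.AEAD { // assumed layer cipher: AES-128-GCM
	blk, _ := aes.NewCipher(key) // every key in this example is 16 bytes
	g, _ := cipher.NewGCM(blk)
	return g
}

// wrapAll keeps one nested ciphertext per k-subset of users (bitmask m): C(n,k) copies.
func wrapAll(keys [][]byte, k int, secret []byte) map[uint][]byte {
	store := map[uint][]byte{}
	for m := uint(0); m < 1<<len(keys); m++ {
		if bits.OnesCount(m) == k {
			store[m] = secret
			for i, key := range keys { // lowest-numbered member is the innermost layer
				if m&(1<<i) != 0 {
					nonce := make([]byte, 12)
					rand.Read(nonce)
					store[m] = aead(key).Seal(nonce, nonce, store[m], nil)
				}
			}
		}
	}
	return store
}

// unwrap peels subset m's layers, outermost (highest-numbered member) first.
func unwrap(keys [][]byte, m uint, ct []byte) (_ []byte, err error) {
	for i := len(keys) - 1; i >= 0 && err == nil; i-- {
		if m&(1<<i) != 0 && len(ct) >= 12 {
			ct, err = aead(keys[i]).Open(nil, ct[:12], ct[12:], nil)
		} else if m&(1<<i) != 0 {
			ct, err = nil, fmt.Errorf("layer %d: ciphertext too short", i)
		}
	}
	return ct, err
}

func main() {
	keys := [][]byte{[]byte("constructed-key1"), []byte("constructed-key2"), []byte("constructed-key3")}
	fmt.Println(len(wrapAll(keys, 2, []byte("constructed data"))), "stored copies of one secret")
}
```

Each layer adds a 12-byte nonce and a 16-byte tag, so a 16-byte secret wrapped for 3 users is stored as 100 bytes per subset.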

