

RSA splits passwords in two to foil hacker attacks - dan1234
http://www.bbc.co.uk/news/technology-19896353

======
kbs
There are a few more technical details at

[http://productsecurityblog.emc.com/2012/10/split-value-
crypt...](http://productsecurityblog.emc.com/2012/10/split-value-
cryptographic-authentication-building-advanced-threat-resistant-software/)

The basic system described doesn't appear to use hashes, just xor operations. Of
course, it may layer this system on top of other security measures like salted
hashes and so forth.

As described above, two servers are used (Red and Blue). Given a password p,
the Red server stores a random number R, while Blue stores (p xor R).

To verify whether a given password s is correct, a client first generates
another random number r. It sends r to Red, and (s xor r) to Blue.

Red computes (r xor R), while Blue computes (p xor R) xor (s xor r), and the
results are compared. The results are identical if and only if p == s, i.e.
when the passwords match.

Neither the query operations nor the data stored reveal the password to either
Red or Blue in isolation; data in both servers must be combined to recover a
password. The assumption is that this reduces the risk by forcing an attacker
to hack both servers rather than just one.

To further mitigate attacks, the entries in both Red and Blue are periodically
xor'ed with another random sequence R_t.

In other words, the entry for a user in Red changes over time as

R

(R xor R_1)

(R xor R_1 xor R_2)

...

while Blue stores

(p xor R)

(p xor R xor R_1)

(p xor R xor R_1 xor R_2)

and so on.

Now the attacker must obtain both databases within the same window to recover
the password.
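A small simulation of the Red/Blue exchange and re-randomisation sketched in the comment above (this is my own added example, not RSA's code; it assumes each password is first reduced to a fixed-width 32-byte value with SHA-256 so every xor operand has the same length, and the server names and functions are mine):

```python
import hashlib
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def pw_value(password: str) -> bytes:
    # Assumption: fixed-width value p derived from the password (not in the comment).
    return hashlib.sha256(password.encode()).digest()

class Server:
    """One half of the split: Red holds R, Blue holds (p xor R)."""
    def __init__(self):
        self.store = {}
    def answer(self, user: str, msg: bytes) -> bytes:
        # Red gets r and returns (r xor R); Blue gets (s xor r) and returns (p xor R) xor (s xor r).
        return xor(self.store[user], msg)
    def rerandomize(self, user: str, R_t: bytes) -> None:
        self.store[user] = xor(self.store[user], R_t)

def enroll(red: Server, blue: Server, user: str, password: str) -> None:
    p = pw_value(password)
    R = secrets.token_bytes(len(p))
    red.store[user] = R
    blue.store[user] = xor(p, R)

def verify(red: Server, blue: Server, user: str, candidate: str) -> bool:
    s = pw_value(candidate)
    r = secrets.token_bytes(len(s))          # fresh client randomness per check
    return red.answer(user, r) == blue.answer(user, xor(s, r))

def rerandomize(red: Server, blue: Server, user: str) -> None:
    R_t = secrets.token_bytes(32)            # same R_t applied to both halves
    red.rerandomize(user, R_t)
    blue.rerandomize(user, R_t)

def demo() -> dict:
    red, blue = Server(), Server()
    enroll(red, blue, "alice", "correct horse")
    p = pw_value("correct horse")
    stale_red = red.store["alice"]           # attacker's snapshot of Red before R_1
    out = {"ok": verify(red, blue, "alice", "correct horse"),
           "wrong": verify(red, blue, "alice", "wrong"),
           "half_leaks": red.store["alice"] == p or blue.store["alice"] == p}
    rerandomize(red, blue, "alice")
    out["ok_after"] = verify(red, blue, "alice", "correct horse")
    out["wrong_after"] = verify(red, blue, "alice", "wrong")
    out["same_window"] = xor(red.store["alice"], blue.store["alice"]) == p
    out["stale_window"] = xor(stale_red, blue.store["alice"]) == p
    return out
```

Combining the current Red and Blue entries recovers p, but a Red copy taken before R_1 was applied combined with the current Blue entry does not, which is the "same window" property the comment describes.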

------
jermy
Video at [http://blogs.rsa.com/idp-beat/announcing-rsa-distributed-
cre...](http://blogs.rsa.com/idp-beat/announcing-rsa-distributed-credential-
protection/)

Any suggestions of what might be worth $150,000 in all of this?

At a basic end, this seems to be similar to storing every other character of a
suitable hash on two nodes (preferably running heterogeneous architectures).
RSA's ability to 're-randomise' suggests the ability for the two machines to
be able to produce a plaintext version of the password, which obviously seems
particularly dangerous, especially if somebody is sloppy and backs up both
nodes to the same location.

Is there any distributed encryption algorithm that could be done that would
allow straightforward credential verification as well as the ability to re-
salt a hash securely without knowing the plaintext?

