Who inherits my passwords?
Sep. 17th, 2010 10:13 am![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
handsliveThis is a problem I've been thinking about a lot. I have a significant list of passwords, PINs, passphrases, and bits of profile information for the sites and applications they get used on. My partner (or at least my estate) should have access to the most up to date version of this information. It gets changed regularly and this means a safe deposit box isn't really the best choice. What I need is a kind of digital escrow service that I don't have to hand my keys over to.
Earlier this year, I read a bit about k-of-n secret sharing and even found a site on the Internet with code for generating shared secrets. The author has a demo of this as well. I've been thinking about ways that this could be used to make a digital sealed envelope available.
The first question is what would the secret be that gets shared among the participants. One possibility is to use a hex or base64 representation of a symmetric AES key. The key could be used to decrypt a file containing the information. A variation on this would be to use the private key from a public-private key pair. Distribute the public key and the shared secrets. Together they can be used to construct the key pair used by PGP or GPG to access an encrypted file or message. Most utilities for encrypting files, though, expect the keys to be protected in storage using a passphrase. PGP, WinZip, and all of the different password vault programs I've used support the use of a full sentence if you want. This secret phrase could be protected instead and a copy of the program and encrypted file provided. This last option is the easiest if you're looking for a way of doing this that doesn't require building special tools and lets people use whatever they're most comfortable with.
The next question is how you manage the generation, updating, and distribution of the shared secrets. I can think of three approaches off the top of my head. Most other approaches would be variations of these, I think. First, a central web site that allows the participants to track the different shared secrets they've been given (I'm assuming that, if I did this, I would also be doing the same for the other participants). Second, an application that can be run locally for storing secrets and potentially the encrypted file as well. Third, just developing a manual process for doing this and letting people use whatever file formats and a storage methods they want.
I'm an anal kind of guy, so here's my pros and cons for each approach.
Web site
Pros:
Desktop application
Pros:
Manual process
Pros:
Earlier this year, I read a bit about k-of-n secret sharing and even found a site on the Internet with code for generating shared secrets. The author has a demo of this as well. I've been thinking about ways that this could be used to make a digital sealed envelope available.
The first question is what would the secret be that gets shared among the participants. One possibility is to use a hex or base64 representation of a symmetric AES key. The key could be used to decrypt a file containing the information. A variation on this would be to use the private key from a public-private key pair. Distribute the public key and the shared secrets. Together they can be used to construct the key pair used by PGP or GPG to access an encrypted file or message. Most utilities for encrypting files, though, expect the keys to be protected in storage using a passphrase. PGP, WinZip, and all of the different password vault programs I've used support the use of a full sentence if you want. This secret phrase could be protected instead and a copy of the program and encrypted file provided. This last option is the easiest if you're looking for a way of doing this that doesn't require building special tools and lets people use whatever they're most comfortable with.
The next question is how you manage the generation, updating, and distribution of the shared secrets. I can think of three approaches off the top of my head. Most other approaches would be variations of these, I think. First, a central web site that allows the participants to track the different shared secrets they've been given (I'm assuming that, if I did this, I would also be doing the same for the other participants). Second, an application that can be run locally for storing secrets and potentially the encrypted file as well. Third, just developing a manual process for doing this and letting people use whatever file formats and a storage methods they want.
I'm an anal kind of guy, so here's my pros and cons for each approach.
Web site
Pros:
- generation and distribution could be contained to the application
- management of the secrets and updating would be centralized
- the web site would be a tempting target since it contains all the shared secrets
- encryption and key management for storage of the secrets is needed to minimize this threat
- site would need to be over HTTPS to ensure confidentiality (not horrible, but needs to be said)
- application needs to support proper segregation of duties and auditing of both user and administrator actions
Desktop application
Pros:
- distributes the risk of compromise, which is closer to the original intent of this kind of approach
- communicating the shared secrets to each user requires care and attention; you wouldn't want all the secrets to be in your sent-mail folder or something but you have to be sure each user gets an accurate copy of the secret that they can save away somewhere
- I'd want the application to be for multiple platforms because my circle of physically proximate friends may choose to run different platforms. I'm thinking Windows XP, Windows Vista/7, OS X, and some Linux variant. (Makes me lean towards Java as the language of choice because I'm lazy.)
- still probably need to think about encrypting the collection of shared secrets in storage, so there's some key management involved even so
Manual process
Pros:
- easy implementation, tailored to each participant
- if the implementation is unique to each participant, the level of security for the shared secrets will also be "unique" to each; not a huge minus, but not a plus either
- the process itself has to be simple to understand and follow for it to work given that some participants may be less technically inclined than others
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2010-09-17 04:48 pm (UTC)My mother did not have what I consider normal boundaries for a 21st century person. She once wanted to send me to the bank with her PIN, for example. And the night before we expected my father to die, she went to the bank and took all the money out of his (non-joint) account, because she knew his PIN too. We knew all her relevant passwords and answered her emails while she was ill. All of this was convenient at the time, but there is no way that I would do anything like that, without some better protection for me and for my digital executors.
no subject
Date: 2010-09-17 05:49 pm (UTC)Anyway, yes. Yes yes yes. Sooooo need this.
no subject
Date: 2010-09-17 06:20 pm (UTC)no subject
Date: 2010-09-17 07:40 pm (UTC)no subject
Date: 2010-09-17 09:12 pm (UTC)no subject
Date: 2010-09-17 09:58 pm (UTC)no subject
Date: 2010-09-17 11:26 pm (UTC)no subject
Date: 2010-09-17 06:22 pm (UTC)but it's something i think about. i'd say more, but gotta run very soon. neat post!
no subject
Date: 2010-09-17 11:19 pm (UTC)This is quite a different level of trust if I am actively involved and have handed over equivalent control to another person. I see those as vastly different trusts.
no subject
Date: 2010-09-17 11:36 pm (UTC)