Recovering from disaster

Because the worst can happen

Cryptography can be a double edged sword. The factr that other people are unable to read your confidential data isn't much good if you can't read it either.

Accidents happen, equipment fails, disaster strikes. Use of strong encryption to protect valuable date requires careful consideration of every eventuality. There are circumstances in which losing data is preferable to the possibility of disclosure but such circumstances are the exception, not the rule.

According to the UN High Commission for Refugees, over 65 million people are currently forcibly displaced. Many of these people have lost their homes, their possessions and their livelihoods. For these people, their digital assets may represent the only possessions they have left.

Of wider concern is the need to support data survivability. Everyone dies eventually and the ability to access their digital access may die with them without careful planning and preparation. While most people have at least some assets that they do not wish to be accessible to others after they die (e.g. Terry Pratchett's unfinished work), most people have at least some assets that they do wish their heirs to inherit. This situation is often sumarized as wanting the family to know where you buried Aunt Agatha's jewelry but not where you buried Aunt Agatha.

If we are serious about use of strong cryptography to protect stored data, the risk of losing access to the data must be considered to be at least as important as the risk of disclosure. For this reason, the Mathematical Mesh provides support for voluntary personal key escrow.

The Mathematical Mesh does not provide support for mandatory key escrow or any form of 'backdoor' access. In particular, while Mesh users can escrow their keys and verify their ability to recover the data to themselves, the Mesh protocols do not support any means of demonstrating the recovery capability to any other party short of direct disclosure of the key.

Key recovery modes.

The Mathematical Mesh supports two distinct levels of key recovery.

Disaster Recovery is used to recover keys in the event of a total loss such as a house burning down or becoming a refugee. Disaster recovery restores the master signature and master escrow keys created when a Mesh profile is created.

Application Recovery is used to recover keys in the case of more routine mishaps such as the loss or failure of a device containing encrypted data. Application recovery uses the master escrow key to recover an application escrow key used to escrow encryption keys for a particular application.

The two mechanisms are linked in that restoring application data after a disaster requires application recovery to be performed after the disaster recovery has been completed.

This approach permits a user to escrow an application key under a different master escrow key to the one specified in their personal profile or to suppress escrow of the application key entirely. This feature is not currently supported by the meshman tool but is supported by the Mesh Reference library.

Key escrow risks.

The ability to recover a cryptographic key inevitably entails additional risks of disclosure or unavailability.

            To mitigate these risks, the Mesh key escrow and recovery mechanism uses a key splitting scheme based on Shamir's secret sharing algorithm and AES-256. The user may create up to 15 key shares and set the recovery quorum to be any number greater than 1 up to the total number of shares. The use of symmetric key cryptography minimizes vulnerability to attack using Quantum Cryptanalysis. The risk of hardware failure is eliminated by use of written key share values.

            Disaster Escrow Mechanism

            The Key Escrow mechanism is based on two symmetric keys, the master key from which the key recovery shares are derrived and an encryption key that is derrived from the master key that is used to encrypt the data to be escrowed.

            The chief advantage of this division is that it permits the symmetric key and the encryption key to be of different lengths. This allows the size of the encryption key to be independent of the master secret size.

            Key shares are derrived from the Master secret using Shamir's Secret Sharing. This divides the secret into n shares, m of which are required to recover the secret.

            The HKDF Key derrivation function is used to derive the encryption key from the master secret. This key is used to encrypt the Key Recovery Data using AES-256. The Key escrow record containing the encrypted key recovery data is indexed under the UDF fingerprint of the encryption key. This ensures that a party that has the necessary key shares can find the corresponding key recovery record.

            Preparing for Recovery

            The meshman tool supports creation of a key recovery record using the Personal Escrow command. The user specifies the personal profile to create a recovery record for, the number of shares to create and the quorum.

            meshman personal escrow /shares=3 /quorum=2
            
            Created offline escrow entry Shares=3, quorum=2
            Written to portal
            Created offline escrow entry Shares=3, quorum=2
            Written to portal
            EDFXA-GIKJJ-UP7WK-ABYZ4-AG6JM-X5QA
            EFW6I-TLFH5-JSTLK-HWVDW-XWCR2-CPQC
            EIUFR-AWAGQ-7FHAC-OLROB-NFO2H-JCA
            

            The tool reports the successful creation and publication of the key recovery record and returns a list of the key recovery shares. These should be written down or printed out in case of future need.

            Protecting your key shares

            The security of the user's personal data depends on the secrecy of the recovery shares. It is therefore essential that the user take appropriate steps to secure them. These may include:

            • Giving a share to a friend for safe keeping
            • Storing a share in a safe
            • Hiding a share in an unexpected place

            In each case, it is for the user to decide the necessary balance of convenience, risk or disclosure and risk of unavailability.

            Purging a device

            Deleting master keys from a device eliminates the risk of disclosure should the device be lost or stolen. The meshman purge command verifies the existence of a key recovery record for the keys and deletes the local copies from the machine if successful.

            personal purge EDFXA-GIKJJ-UP7WK-ABYZ4-AG6JM-X5QA EFW6I-TLFH5-JSTLK-HWVDW-XWCR2-CPQC
            

            A user can also delete keys from a device without verifying the key recovery record.

            personal purge /force
            

            Disaster Recovery

            Using the meshman tool for disaster recovery is the reverse of the escrow process. The user specifies the portal account to which the profile is to be bound and the key shares to be used for recovery

            personal alice@example.com recover EDFXA-GIKJJ-UP7WK-ABYZ4-AG6JM-X5QA EFW6I-TLFH5-JSTLK-HWVDW-XWCR2-CPQC
            

            The tool reports the success or failure of the operation and summarises the recovered personal profile.

            Application Recovery

            Recovery of application keys is performed transparently when a device is connected to a profile. The only requirement being that the necessary master escrow key must be available on the administration device used to accept the connection.