RSA: Split passwords make secrets safer

Breaking passwords in two and storing them in two places will make systems more secure, said RSA Security at its eponymous security show in San Francisco on Tuesday. The company also launched a framework for increased integration of its identity management products.

		News Focus Closing the security gap RSA Conference

RSA's Nightingale uses "secret-splitting", a cryptographic technique previously used in very high-end systems. A Nightingale server holds part of the password, which has been cryptographically split in two, according to a process invented by cryptographer Adi Shamir in the 1970s. The process has previously only been used in high-end bespoke systems for banking.

"This is secret-splitting for the masses," said Burt Kaliski, chief scientist at RSA Security. The developers' kit will be available in June, aimed at early adopters. It will be used alongside smartcard systems, so that users' passwords, and the personal life secrets they give to the company to retrieve their password, are not accessible if the server's data store is accessed by a hacker.

"The data store is a single place which, if compromised, defeats the whole system," said Kaliski. "With secret-splitting there is no single point of compromise."

Nightingale is just the start of secret-splitting in RSA's products. Shamir's original paper suggested splitting secrets to several stores, so that, for instance, three out of five of them could reconstruct the secret. Nightingale simplifies the process to two.

"So far, Nightingale is good for short secrets," said Kaliski. "It could be used for strong secrets such as a bank's signature key. There is a need now for weak secrets to be split effectively."

		Reader Resources Security index ZDNet White Papers

Nightingale has been engineered to make no changes to the user experience, but companies may want to advertise that they are using it as a way to keep their customers' sensitive data more secure, RSA said.

"E-commerce sites want to be sure that their customers' order information does not fall into the wrong hands," said Kaliski, suggesting that regulations and the risk of lawsuits will force vendors to increase their protection.

He said that a Nightingale brand might be created to identify sites where private data is split.