Closing the security gap
"This is secret-splitting for the masses," said Burt Kaliski, chief scientist at RSA Security. The developers' kit will be available in June, aimed at early adopters. It will be used alongside smartcard systems, so that users' passwords, and the personal details they give the company in order to recover a forgotten password, are not exposed if an attacker gets into the server's data store.
"The data store is a single place which, if compromised, defeats the whole system," said Kaliski. "With secret-splitting there is no single point of compromise."
Nightingale is just the start of secret-splitting in RSA's products. Shamir's original paper proposed splitting a secret into several shares held in separate stores, so that any sufficiently large subset of them, for instance any three out of five, can reconstruct the secret, while fewer shares reveal nothing about it. Nightingale simplifies the scheme to two shares.
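The threshold scheme described above, as an added example that is not RSA's Nightingale code (the article does not describe Nightingale's internals): a minimal Shamir secret-sharing implementation over the prime field 2^127 - 1, covering the 3-of-5 case and the 2-of-2 case. The field choice, the share encoding, and the function names are assumptions made for illustration.

```python
"""Shamir secret sharing over a prime field.

Added illustration; not RSA Nightingale code. The prime, the share
encoding and the API below are assumptions for this example.
"""
import secrets

# 2**127 - 1 is a Mersenne prime. Every secret must be a field element,
# which is why a scheme like this suits short secrets (keys, PINs) best:
# longer data is protected by splitting the key that encrypts it.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x, mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, shares):
    """Split an integer secret into `shares` points (x, y).

    Any `threshold` of them reconstruct the secret; threshold-1 or fewer
    are consistent with every possible secret, so a single compromised
    store learns nothing. threshold == shares == 2 is the two-store case.
    """
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    # Degree threshold-1 polynomial whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points):
    """Lagrange-interpolate the polynomial through `points` and return f(0).

    With fewer than `threshold` points this still returns a value, but a
    uniformly random one: the caller cannot tell a wrong answer from the
    right one, which is exactly the property the scheme relies on.
    """
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Basis polynomial evaluated at x = 0, using the modular inverse of den.
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_bytes(secret, threshold, shares):
    """Split a short byte string (at most 15 bytes) into shares.

    A 0x01 prefix byte keeps leading zero bytes of the secret intact and
    keeps the encoded value below PRIME (at most 121 bits).
    """
    if len(secret) > 15:
        raise ValueError("secret too long; split a key that wraps it instead")
    return split_secret(int.from_bytes(b"\x01" + secret, "big"), threshold, shares)


def recover_bytes(points):
    """Inverse of split_bytes: recover the integer, strip padding and prefix."""
    value = recover_secret(points)
    return value.to_bytes(16, "big").lstrip(b"\x00")[1:]


if __name__ == "__main__":
    shares = split_bytes(b"hunter2", 3, 5)          # constructed sample secret
    print("any 3 of 5:", recover_bytes([shares[0], shares[2], shares[4]]))
    print("only 2 of 5:", recover_bytes(shares[:2]))  # garbage, not the secret
    two = split_bytes(b"hunter2", 2, 2)              # the two-store case
    print("both of 2:", recover_bytes(two))
```

Fewer than the threshold number of shares do not leak a partial secret or a "close" value; the interpolated result is uniformly distributed over the field, so a breach of one store in a 2-of-2 deployment yields nothing useful on its own.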
"So far, Nightingale is good for short secrets," said Kaliski. "It could be used for strong secrets such as a bank's signature key. There is a need now for weak secrets to be split effectively."
"E-commerce sites want to be sure that their customers' order information does not fall into the wrong hands," said Kaliski, suggesting that regulations and the risk of lawsuits will force vendors to increase their protection.
He said that a Nightingale brand might be created to identify sites where private data is split.