RSA Splits Keys to Lock Up Data

By Cameron Sturdevant  |  Posted 2003-04-28 Print this article Print

New technology re-engineers old concept.

RSA Security Inc.s Nightingale technology, announced at the RSA Conference earlier this month in San Francisco, uses an old concept with new engineering to protect sensitive data.

eWEEK Labs believes that the work represents a real step forward for data security and that IT managers should put Nightingale on their list of technologies to watch as they scan the horizon for compelling data security products.

The Nightingale process, which was developed at RSA Laboratories, the research arm of RSA, provides a way for two servers or other computing devices to use two parts of a shared secret—a cryptographic key—without revealing the value of the key itself. The key is then employed to decrypt the requested data.

It almost goes without saying that one important difference between secret splitting and using two secrets to encrypt and decrypt data is that the data encryption process happens only once when using a split secret. This means that the computationally intense process of scrambling private data occurs only once.

However, because parts of the cryptographic key are stored in two places, a hacker will likely be slowed enough to alert the IT system manager to take further protective action.

RSA officials used an example based on Social Security numbers to illustrate the technologys operation and potential.

The Nightingale server generates a random secret and adds it to a Social Security number. Half the secret is then stored—likely on the application server that also stores the encrypted data. The other half of the key is stored on the Nightingale server. For the data to be decrypted, both halves of the cryptographic key must be correctly combined and applied to the encrypted data. Without both halves, data remains scrambled.

Nightingale Key Splitting

  • Data is encrypted with key
  • Key is "split"—half is stored on a Nightingale server, the other half is stored in a different location
  • Nightingale technology facilitates server-to-server authentication to recombine the key and decrypt the data
  • Nightingale eventually will be commercialized as a software product that companies will install on their hardware. The hardware likely will be separate from the application server and further protected behind an additional firewall.

    Nightingale also will be used in RSA ClearTrust, a policy-based Web access management suite, and in other products in the companys stable of authentication and identity management tools, RSA officials said.

    Because RSA is actively looking at ways to license the Nightingale work to other data management companies, IT managers should invest serious thought in how the technology might work to protect essential company data. For example, the Nightingale key-splitting process might be used in mobile computing settings, according to Burt Kaliski, chief scientist and director of RSA Laboratories.

    "Many mobile applications require provisioning a mobile device with business data. They also need to offer that data exclusively to the authorized mobile device," Kaliski said, during a meeting explaining the technology. "Instead of being stored in the network, the credential is split between the two places."

    IT managers will have to consider the amount of effort necessary to retrofit applications to authenticate and then obtain the split secret.

    Moreover, Nightingales underlying principles are not limited to two-part schemes. In his 1979 paper, "How to Share a Secret," crypto guru Adi Shamir (the "S" in "RSA") explained the manner in which a secret can be shared among any number of parties, in such a way that any minimum number from that group can efficiently reconstruct it.

    As applications become available that incorporate the technology, eWEEK Labs will examine them to see how much of a performance price must be paid to get the greater level of data security.

    Senior Analyst Cameron Sturdevant can be contacted at

    Cameron Sturdevant Cameron Sturdevant is the executive editor of Enterprise Networking Planet. Prior to ENP, Cameron was technical analyst at PCWeek Labs, starting in 1997. Cameron finished up as the eWEEK Labs Technical Director in 2012. Before his extensive labs tenure Cameron paid his IT dues working in technical support and sales engineering at a software publishing firm . Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his analysis is grounded in real-world concern. Follow Cameron on Twitter at csturdevant, or reach him by email at

    Submit a Comment

    Loading Comments...
    Manage your Newsletters: Login   Register My Newsletters

    Thanks for your registration, follow us on our social networks to keep up-to-date
    Rocket Fuel