I’ve started with the HSM2 and N-of-M Shamir’s Secret Sharing, but I’m concerned about the security of the Nitrokey implementation.
sc-hsm-tool gives output as follows:
— cut —
The DKEK will be enciphered using a randomly generated 64 bit password.
This password is split using a (N-of-N) threshold scheme.
— cut —
As far as I know, the DKEK is an AES-256 key. Why is only a 64-bit password/secret used to encrypt a 256-bit key? To me this is strange, because a chain is only as strong as its weakest link.
Am I wrong, or do we in practice have 64 bits of security for the DKEK in the N-of-M threshold scheme? The old (developed almost 50 years ago), weak DES effectively has 56 bits.
In the “standard” key backup and restore with DKEK scenario with a preselected number of key shares, each key share is 256 bits long, right? (All key shares are XOR-ed to produce the DKEK.)
So, comparing the N-of-M threshold scheme to the “standard” DKEK scenario with a preselected number of key shares = 1, we need at least N=4 (==> M >= 4) if we want a comparable security level, because 4*64 bits = 256 bits. Am I right or wrong?
Comparing the security of a 1-of-2 threshold scheme to the “standard” DKEK is like 64 to 256 bits ==> 2^64 to 2^256: the difference is 2^192!
Why does the N-of-M threshold scheme implementation use only 64-bit passwords/share values? Is it due to a hardware limitation in the Shamir’s Secret Sharing implementation?
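To make the two splitting schemes the post compares concrete, here is an added example that is not sc-hsm-tool or Nitrokey code and makes no claim about how that tool encodes or protects its shares: an N-of-M Shamir split over a prime field next to the all-or-nothing XOR split of a 256-bit key. The field prime (2^127 - 1), the share indices, the helper names and the sample secrets are assumptions chosen for the illustration. It shows the property the post is reasoning about: with Shamir any N of the M shares recover the secret and fewer than N do not, while with the XOR scheme every part is required.

```python
import secrets
from functools import reduce

# Prime field for the Shamir polynomial.  2**127 - 1 is a Mersenne prime that
# comfortably holds a 64-bit secret; it is an assumption for this illustration,
# not the field or encoding sc-hsm-tool uses.
P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate sum(coeffs[i] * x**i) mod P with Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def shamir_split(secret, threshold, total):
    """Split `secret` into `total` shares; any `threshold` of them recover it.

    Shares are (x, f(x)) points on a random polynomial of degree threshold-1
    with f(0) == secret.  With threshold == 1 every share *is* the secret.
    """
    if not 1 <= threshold <= total:
        raise ValueError("need 1 <= threshold <= total")
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, total + 1)]


def shamir_recover(shares):
    """Lagrange interpolation at x = 0 over GF(P).

    Fed fewer than `threshold` shares it still returns *a* value, just not the
    secret: the missing points leave the constant term uniformly random.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    result = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for k, (xk, _) in enumerate(shares):
            if k != j:
                num = num * (-xk) % P
                den = den * (xj - xk) % P
        result = (result + yj * num * pow(den, -1, P)) % P
    return result


def xor_split(key, parts):
    """All-or-nothing split of `key` into `parts` equal-length byte strings.

    parts-1 of them are random; the last is chosen so the XOR of all parts is
    the key.  Any subset missing even one part is uniformly random.
    """
    if parts < 1:
        raise ValueError("need at least one part")
    rand = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = bytes(reduce(lambda a, b: a ^ b, col) for col in zip(key, *rand))
    return rand + [last]


def xor_join(parts):
    """XOR all parts back together."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*parts))


def demo():
    """Constructed walk-through: a 64-bit secret into 2-of-3 Shamir shares and
    a 256-bit key into three XOR parts.  Returns four booleans for checking."""
    secret64 = secrets.randbits(64)
    shares = shamir_split(secret64, threshold=2, total=3)
    two_ok = all(shamir_recover(pair) == secret64
                 for pair in (shares[:2], shares[1:], [shares[0], shares[2]]))
    one_fails = shamir_recover(shares[:1]) != secret64

    key256 = secrets.token_bytes(32)
    parts = xor_split(key256, 3)
    all_ok = xor_join(parts) == key256
    missing_fails = xor_join(parts[:2]) != key256
    return two_ok, one_fails, all_ok, missing_fails


if __name__ == "__main__":
    print(demo())
```

Run it directly to see `(True, True, True, True)`; the interesting line to experiment with is `shamir_recover(shares[:1])`, which returns a well-formed but useless value because a single point fixes nothing about the constant term.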