RSA splits passwords in two to foil hacker attacks
There are a few more technical details at
http://productsecurityblog.emc.com/2012/10/split-value-crypt...
The basic system described doesn't appear to use hashes, just xor operations. Of course, it may layer this system on top of other security measures like salted hashes and so forth.
As described above, two servers are used (Red and Blue). Given a password p, the Red server stores a random number R, while Blue stores (p xor R).
To verify whether a given password s is correct, a client first generates another random number r. It sends r to Red, and (s xor r) to Blue.
Red computes (r xor R), while Blue computes (p xor R) xor (s xor r), and the results are compared. The results are identical if and only if p == s, i.e. when the passwords match.
Neither the query operations nor the data stored reveal the password to either Red or Blue in isolation; data in both servers must be combined to recover a password. The assumption is that this reduces the risk by forcing an attacker to hack both servers rather than just one.
To further mitigate attacks, the entries in both Red and Blue are periodically xor'ed with another random sequence R_t.
In other words, the entry for a user in Red changes over time as
R
(R xor R_1)
(R xor R_1 xor R_2)
...
while Blue stores
(p xor R)
(p xor R xor R_1)
(p xor R xor R_1 xor R_2)
and so on
Now the attacker must obtain both databases within the same window to recover the password.
Video at http://blogs.rsa.com/idp-beat/announcing-rsa-distributed-cre...
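The exchange described above, written out as an added example (this is not RSA's code, nor code from the linked blog post, and is only a model of the scheme as the comment describes it). The fixed-width `encode` step, the `Share` class and the `combine` helper are assumptions for the illustration: the shares and the challenge r have to be equal length for the xor to work, and `combine` exists only to show what an attacker who obtains both databases from the same window gets, versus shares taken from different re-randomisation windows.

```python
import secrets

# Fixed-width encoding so that both shares and the challenge r are the same
# length. The leading length byte keeps "abc" and "abc\x00" from colliding.
WIDTH = 32  # assumption: 31-byte maximum password for this toy model


def encode(password: bytes) -> bytes:
    if len(password) > WIDTH - 1:
        raise ValueError("password too long for fixed-width encoding")
    return bytes([len(password)]) + password + b"\x00" * (WIDTH - 1 - len(password))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class Share:
    """One of the two servers (Red or Blue). The code is identical on both
    sides; only the data enrolled differs: Red holds R, Blue holds p xor R."""

    def __init__(self, name: str):
        self.name = name
        self.store: dict[str, bytes] = {}

    def enroll(self, user: str, share: bytes) -> None:
        self.store[user] = share

    def respond(self, user: str, challenge: bytes) -> bytes:
        # Red receives r and returns r xor R.
        # Blue receives (s xor r) and returns (p xor R) xor (s xor r).
        return xor_bytes(self.store[user], challenge)

    def rerandomise(self, user: str, R_t: bytes) -> None:
        # Periodic re-randomisation: both servers xor the same R_t in.
        self.store[user] = xor_bytes(self.store[user], R_t)


def enroll(red: Share, blue: Share, user: str, password: bytes) -> None:
    p = encode(password)
    R = secrets.token_bytes(WIDTH)       # fresh random mask per user
    red.enroll(user, R)
    blue.enroll(user, xor_bytes(p, R))


def verify(red: Share, blue: Share, user: str, candidate: bytes) -> bool:
    """Client picks a fresh r; neither server sees the candidate s on its own."""
    try:
        s = encode(candidate)
    except ValueError:
        return False                      # over-long candidate can never match
    r = secrets.token_bytes(WIDTH)
    red_out = red.respond(user, r)
    blue_out = blue.respond(user, xor_bytes(s, r))
    # Equal iff p == s: (p xor R) xor (p xor r) == R xor r.
    return secrets.compare_digest(red_out, blue_out)


def rerandomise(red: Share, blue: Share, user: str) -> None:
    R_t = secrets.token_bytes(WIDTH)
    red.rerandomise(user, R_t)
    blue.rerandomise(user, R_t)


def combine(red_share: bytes, blue_share: bytes) -> bytes:
    """What an attacker holding both shares gets: R xor (p xor R) == p.
    Shares from different re-randomisation windows give p xor R_t instead."""
    return xor_bytes(red_share, blue_share)


if __name__ == "__main__":
    red, blue = Share("Red"), Share("Blue")
    enroll(red, blue, "alice", b"correct horse")   # constructed sample user
    print("correct password:", verify(red, blue, "alice", b"correct horse"))
    print("wrong password:  ", verify(red, blue, "alice", b"wrong"))
    old_red = red.store["alice"]
    rerandomise(red, blue, "alice")
    print("still verifies after re-randomisation:",
          verify(red, blue, "alice", b"correct horse"))
    print("old Red + new Blue recovers p:",
          combine(old_red, blue.store["alice"]) == encode(b"correct horse"))
```

Running the block shows the two properties the comment relies on: verification succeeds only for the matching password, and a Red share captured before re-randomisation combined with a Blue share captured after it does not yield p. It also makes the concern in the thread concrete: the shares from the same window, xor'ed together, are the encoded password itself, so backups of both servers landing in one place collapse the whole scheme.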
Any suggestions of what might be worth $150,000 in all of this?
At a basic end, this seems to be similar to storing every other character of a suitable hash on two nodes (preferably running heterogeneous architectures). RSA's ability to 're-randomise' suggests the ability for the two machines to be able to produce a plaintext version of the password, which obviously seems particularly dangerous, especially if somebody is sloppy and backs up both nodes to the same location.
Is there any distributed encryption algorithm that could be done that would allow straightforward credential verification as well as the ability to re-salt a hash securely without knowing the plaintext?