Abstract
Most encryption used today obfuscates data behind a secret key or a problem believed to be computationally complex. Fundamentally, one can think of it as delayed release to a determined adversary. This approach is not well suited to long-term archival of sensitive data. Additionally, issues such as key rotation and lost or exposed keys make keeping such archives up to date very difficult. As a result, most become static and unable to respond to attacks. Once hacked, such systems offer little to no protection for data privacy and leave data integrity uncertain. Given the increasing frequency of major cyber events, it is clear that any secure long-term archive needs to maintain data privacy and integrity throughout a compromise event. In spite of these needs, most data archives today still use central storage servers and encryption. In this paper we make the case for secure data archival based on secret splitting and distributed data repositories. We present Percival, one example of a research project focused on long-term data archival using Shamir's secret splitting and distributed data repositories. We examine how this approach can continue secure operations in the presence of adversarial compromise. We discuss how this distributed model significantly increases the attacker's burden by requiring the compromise of many sites. Additionally, this approach increases resilience to insider threats and provides stronger assurances of data integrity and confidentiality. Finally, we discuss current research to create new capabilities that enable blinded search across such an archive.
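The contrast the abstract draws between key-based encryption and secret splitting can be seen in a small k-of-n Shamir split. The following is an added example, not code from the paper or from Percival; the field GF(257), the five sites and the threshold of three are assumptions chosen for illustration, and `consistent_secrets` is a hypothetical helper showing that fewer than the threshold number of captured shares leave every byte value possible.

```python
import secrets

# Added example: byte-wise Shamir split over the prime field GF(257).
# N sites and threshold K are assumed values, not Percival's parameters.
P = 257          # smallest prime above 255, so every byte is a field element
N, K = 5, 3      # five repositories, any three reconstruct

def split(secret: bytes, n: int = N, k: int = K) -> dict:
    """Return {site_x: share}; a share holds one field element (0..256) per byte."""
    shares = {x: [] for x in range(1, n + 1)}
    for byte in secret:
        # Fresh random polynomial of degree k-1 whose constant term is the byte.
        coeffs = [byte] + [secrets.randbelow(P) for _ in range(k - 1)]
        for x in shares:
            shares[x].append(sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
    return shares

def interpolate_at_zero(points: list) -> int:
    """Lagrange interpolation at x = 0 over GF(P) for (x, y) points."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def reconstruct(shares: dict) -> bytes:
    """Recover the secret from the shares of at least K distinct sites."""
    xs = list(shares)
    length = len(shares[xs[0]])
    return bytes(interpolate_at_zero([(x, shares[x][i]) for x in xs])
                 for i in range(length))

def consistent_secrets(partial: dict, index: int = 0) -> set:
    """Values at byte `index` that K-1 captured shares cannot rule out."""
    xs = list(partial)
    free_x = max(xs) + 1    # stands in for a site the attacker did not reach
    possible = set()
    for guess in range(P):  # every value the missing share could hold
        pts = [(x, partial[x][index]) for x in xs] + [(free_x, guess)]
        possible.add(interpolate_at_zero(pts))
    return possible
```

With two of the three required shares, `consistent_secrets` returns the whole field: the captured shares fit every possible byte equally well, so there is no key to brute-force later.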