M of N Control

mkc7985

Hey guys, got another question. I am going to take my test this week. Was taking a practice exam from Sybex this weekend and came upon a question about M of N control. I have not heard of this before, and the only thing I have found so far was a website basically explaining it to be similiar to seperation of duties. I wanted to run this by you guys and see what ya'll had to say about it. ALSO... what is De facto?

TheShadow

It could be separation of duties but more than likely it has to do with access controls. M of N is often used in secure databases. The concept of the M of N activation capability provides protection of a secret by "splitting" it into "N" pieces, where any "M" of these pieces must be
reassembled to reconstruct the original secret. This might be used to allow a secret value to be shared by "n" external recipients without risking any compromise to the secret.

De Facto generally means a standard by consensus, that is no formal standards body declared it. For example Microsoft Word is the De Facto word processor used in the business world or Windows is the De Facto operating system shipped on new PC's.

Webmaster

mkc7985 wrote:

I have not heard of this before,

In that case I suggest going to www.comptia.com asap, download the exam objectives pdf for the Security+ exam, and check if there are other exam objectives you haven't heard about days before you take the exam

4.5 Understand and be able to explain the following concepts of Key Management and Certificate Lifecycles
o Centralized vs. Decentralized
o Storage
...
...
o Recovery
o M-of-N Control (Of M appropriate individuals, N must be present to authorize recovery)
...
..

TheShadow

Ahh Webmaster beat me to it. Now that beer 30 is over I realized that I was answering a CompTIA question notice the strange math in the statement i.e. (9 of 3 instead of 3 of 9). The secret is a key and it generally refers to Public Key Infrastructure. I have been buried in database tokens lately which has a similar tack. The technique is applied in many things and documentation often assumes that you have heard of it before.

Buy the way you will also find it mentioned in internet RFC3740 Multicast Group Security Architecture.

Danman32

I believe Enterprise self destruct sequence requires M of N control. You don't want just one person to have such control in case of incapacitation, cohortion, losing their mind, or becoming a traitor.
However, you don't want all officers to be required, in case one or more of them become incapacitated.

mkc7985

Here's what I have come to. M of N control..... could be most applicable towards key recovery when considering this concept for security+. If there are N(number of approved individuals) ... M(Minimum number of individuals) must be present to go forth with recovery. -SYBEX Security+ Fast Pass.... Author: James Micheal Stewart

mkc7985

And I have studied all about that objective over and over. Key management, recovery, decentralized vs. centralized.... and so on. I have studied many different resources at this point. CBT, Online forums, and two seperate books, and taken the test once already and have never heard of this concept until now. I have looked through all of my resources and this is the only place I have found it.

Philippatos

It's covered in the official courseware, available directly from CompTIA's website. Unit 14 (cryptography), page 20, administration of issued keys and certificates topic, key recovery sub-topic, to be exact:

"Many archive systems use the M of N Control to ensure no single administrator can abuse the key recovery process. This access-control mechanism creates a PIN number during the archive process and splits the number into two or more parts (N is the number of parts). Each part is given to a separate key-recovery agent (a person authorized to retrieve a user's private key). The recovery system can reconstruct the PIN number only if M number of agents provide their individual PIN numbers. For M of N Control to work, N must be greater than one and M must be less than or equal to N."