Building Intrusion Tolerant Applications


Intrusion Tolerance via Threshold Cryptography (ITTC)


Stanford University

Research supported by DARPA.


Project Staff Download
Description Publications
Technical Summary         

Project Staff


The ITTC project (Intrusion Tolerance via Threshold Cryptography) provides tools and an infrastructure for building intrusion tolerant applications. Rather than prevent intrusions or detect them after the fact, the ITTC system ensures that the compromise of a few system components does not compromise sensitive security information. To do so we protect cryptographic keys by distributing them across a few servers. The keys are never reconstructed at a single location. Our designs are intended to simplify the integration of ITTC into existing applications. We give examples of embedding ITTC into the Apache web server and into a Certification Authority (CA). Performance measurements on both the modified web server and the modified CA show that the architecture works and performs well.

Schematic of ITTC system



The ITTC distribution page contains instructions on how to download an install the ITTC system.  Limited support is available.  Please send mail to

Technical Summary

The ITTC project develops software and tools that enable long term keying information to be shared among several servers so that it is never reconstructed at a single location. This sharing ensures that if a small number of servers are penetrated and the information on them exposed, no sensitive information is leaked. Since the keying material is never reconstructed at a single site the system achieves a degree of intrusion tolerance.

Threshold Cryptography enables a private RSA key to be shared among k servers such that any  k-1  or  k-2  of them can decrypt incoming messages without reconstructing the key. For our purposes typically k=3, 4 or 5. Note that since  k-1  out of  servers suffice for normal operation the system provides some fault tolerance.

Several issues must be resolved in order to make the above approach applicable. An immediate concern is who generates the shared keys? Typically a Trusted Dealer generates a key and then sends the appropriate shares to the k servers. A trusted dealer is a single point of failure of the system and violates our main design principal. We eliminate the trusted dealer by implementing an efficient multi-party computation that enables the k servers to generate a private RSA key that is shared among them from the moment of creation.

Our claim that sharing a private RSA key provides intrusion tolerance relies on the assumption that breaking into two servers is harder than breaking into one. To justify this assumption we rely on two complementary approaches: diversity and proactive updates. Diversity is achieved by running a different version of our software on each of the servers. Consequently an attacker has to devise different penetration mechanisms for each server. Proactive update implies that once every time period (say once an hour) the servers compute a new sharing of the same RSA key. Consequently, not only does the attacker have to penetrate multiple servers, she has to do so within a single time period.

To demonstrate the effectiveness of our techniques we apply them in several scenarios. The first is an intrusion tolerant web server. Our techniques are used to protect the server's private key. The private key is used during session-key negotiation. The second prototype is an Intrusion Tolerant Certification Authority in which threshold RSA is used to share the authority's private key among several machines. The ITTC system enables the authority to generate certificates without reconstructing its private key at a single site. 

Last modified 08/21/99 dabo