MEO is a project to define a file format and to provide tools to use cryptography for things like four-eyes principles.

The key idea is this: if information should only be accessible to a group of people acting together, optionally with some redundancy among the participants, then MEO is for you.

You can download the software from this site. You may also watch a short presentation about the tool and see it in action on YouTube.

Here are some examples for scenarios where this might be interesting:

Example 1:

Your organization wants to keep a list of hyper-important information (passwords, SSL certificates) in a safe location. Usually this is done by printing out the information, putting the paper into an envelope and putting that in a safe, with a strict policy on who may open that envelope and when. But still: if the safe is breached or the policy gets ignored, the information might fall into the wrong hands. What to do: you put that information into a MEO file, put that onto a CD-ROM and put that into the safe. You can copy the CD to store it in multiple places, if you want. Also use different storage technologies to be sure. The MEO file can be set up so that only e.g. 3 out of 4 trusted employees together can access the information.

Example 2:

You as a person have some very sensitive information to keep from falling into the wrong hands (e.g. bank account details, insurance information). You want to entrust that information to somebody in case something terrible happens to you (e.g. an accident), but you do not quite trust that person alone. What you want is a safety net so that this person cannot access the information alone and run off with it. You would rather require somebody else you trust to be around whenever the information has to be accessed. But what if one of them dies in an accident? Bring in person number three and require that any two of the three have to be around for the information to be accessed. MEO can do just that: you can distribute a copy of a MEO file to all three, and two of them must come together before they are able to decrypt the information.

MEO files can currently be set up for a group of up to 16 people (called “Attendees”, to coin a new term; let N be the number of such attendees) with the requirement that 1 <= M <= N of them be present in order to decrypt the information. The special case M=1 means that any one of the attendees can access the information on his/her own. Useful values for N with higher values of M seem to be up to 6, with M being something like N-1 or N-2.

MEO is a clever application of widely used and publicly known encryption algorithms. They are used by millions every day, so there is nothing fundamentally new in it that is not already in use when visiting e.g. SSL-secured websites. The software uses a fully open-source stack of software, including the cryptography part of OpenSSL and the pkcs11-helper library to access hardware crypto tokens.

There is a paper detailing the theory behind it, and you can download the source code and a Windows installer containing the software. As of now, the software is rather new and should be tested extensively before being used for serious applications, but the goal is to provide a production-ready version as soon as possible. Having said this: the software is fairly stable as is.

You may find some answers to possible questions on the FAQ page.

 

 
