mrjoy / ssss Goto Github PK

View Code? Open in Web Editor NEW

84.0 10.0 24.0 99 KB

Fork of B. Poettering's SSSS (Shamir's Secret Sharing Scheme)

License: GNU General Public License v2.0

C 70.18% Makefile 3.03% HTML 22.70% Nix 4.09%

ssss's Introduction

SSSS

Shamir's Secret Sharing Scheme

Run using Nix

# ssss-split
nix run 'github:MrJoy/ssss#ssss-split'

# ssss-combine
nix run 'github:MrJoy/ssss#ssss-combine'

History

This is a fork of B. Poettering's SSSS ("Shamir's Secret Sharing Scheme").

Intent

This fork exists to simplify the build process a bit, and make minor changes to the tool that will facilitate its use in real-world usage scenarios.

What You Need To Know

Please read B. Poettering's page on SSSS before proceeding. SSSS, like all cryptographic algorithms, can lead to a false sense of security if improperly used. Be sure you understand the role it serves, and the limitations it has before employing it.

http://point-at-infinity.org/ssss/index.html

Version

This fork is based on ssss-0.5.tar.gz (SHA1: 3f8f5046c2c5c3a2cf1a93f0a9446681852b190e).

Verification and Installation (VERY IMPORTANT!)

Before installing, when cloning this repo, use a signed tag and verify the signature first!

# First, you need to make sure you have the signing key in your GPG keychain:
gpg --keyserver ipv4.pool.sks-keyservers.net --recv-key 7DCB12A7
# or, if using IPv6:
gpg --keyserver ipv6.pool.sks-keyservers.net --recv-key 7DCB12A7

# Now, clone the repo, and verify it:
git clone http://github.com/MrJoy/ssss.git
git tag -v releases/v0.5.7

# You should see output to the effect of:
#   gpg: Signature made <date and time> using RSA key ID 7DCB12A7
#   gpg: Good signature from "Jon Frisby <[email protected]>"
#
# If you do NOT see 'Good Signature from "Jon Frisby <[email protected]>" and
# the RSA key ID 7DCB12A7 then do not proceed with installation!
#
git checkout releases/v0.5.7 # This will put you in 'detached head' mode, which
                    # is fine but don't make changes as you are no longer on a
                    # branch!
# Proceed with build steps from here.  See `INSTALL.md` for details.

You can always find my GPG key signature at MrJoy.com.

License

This fork follows the same license as the original software: The GPLv2. See LICENSE for more information.

ssss's People

Contributors

Stargazers

Watchers

ssss's Issues

Use /dev/urandom as recommended (and for significant speedup)

It's recommended to use /dev/urandom on systems that have it (and at least on linux and *bsd)

See also this article:
http://www.2uo.de/myths-about-urandom/

Using /dev/urandom makes ssss-split significantly faster

Base58 encoding would yield shorter and more robust share strings

Presently, each share is printed as hexadecimal coded ASCII, which yields longer than necessary strings. Since shares are often copied by hand, it would make sense to use an encoding scheme which yielded shorter strings. This would be easier to copy down, and less prone to human error/typos. Several better encoding schemes exist: base64, base58, base58check, ...

My vote would be base58, since it has removed ambiguous characters, to further aid human reading/writing. Base58check could be an additional option, for added robustness.

Here is an example of how the output looks today:

$ echo "My super important password." | ./ssss-split -t 3 -n 5
Generating shares using a (3,5) scheme with dynamic security level.
Enter the secret, at most 128 ASCII characters:
Using a 224 bit security level.
1-df89a2cc946bdd34a145e43e23049a2f3a2627549ab236c99597c2c7
2-8b2d44ece8c8999825beeff8aa2391b252e64d58a4d9af3203d434a0
3-6ff86a54b5c344b5af4f463e3907a06782650df6de5488de775f32a1
4-bcd14ae6e4cdbc735806cfcc750bb8e7ff359d44ae01aa360bf6d9e4
5-5804645eb9c6615ed2f7660ae62f89322fb6ddead48c8dda7f7ddff7

Here is what it would look like with base58 encoding:

$ echo "My super important password." | ./ssss-split -t 3 -n 5
Generating shares using a (3,5) scheme with dynamic security level.
Enter the secret, at most 128 ASCII characters:
Using a 224 bit security level.
1-2ts4hvvvbmS133TPpSvXqrEU8zogRkivqVuMR9J
2-2yuyxmRuJvJuvQnWNTaWVgw3ZP9taTupsNeCAXC
3-hUH51Uk7VBgyTRbY1ruNfCmuyBGJM4iR8Ccsh5
4-awYHzhnewrnPjZx4PSheMizN7yJWrhRxJD1VeT
5-2vu8DhkfH9REFJ1m5WfwVEE5BSyXKFhcdAaMLJc

Notice the base58 codes are much shorter and easier to copy. The base58 strings are approximately 33% shorter in length.

This could/should be made the default encoding scheme, but an option can be added for the legacy encoding scheme, for backwards compatibility.

Of course all of this is just my opinion, but I think there is a strong argument for base58 being more robust, and robustness is a key design goal of this tool.

gmp library linking error in Makefile

On line 8 of Makefile, cc should take -lgmp option later than source code.

Otherwise undefined reference error can occur.

/tmp/ccDyHO5q.o: In function `field_init':
ssss.c:(.text+0x1a8): undefined reference to `__gmpz_init_set_ui'
ssss.c:(.text+0x1b5): undefined reference to `__gmpz_setbit'
...

Related note

Query: Unsure why input size capped at 1024 bits?

Does extending it make the output shares more unwieldy or less secure?

Failing key verification during installation

Seems there is a problem with the line
validpgpkeys=('6DD601691023247FB4FE63A3498FCFAD9FE6855B') # Jon Frisby <[email protected]>
yay fails with

 -> 6DD601691023247FB4FE63A3498FCFAD9FE6855B, required by: ssss
==> Import? [Y/n]
:: Importing keys with gpg...
gpg: keyserver receive failed: General error

When I tried with makepkg -si, failed in similar vain:

    ssss git repo ... FAILED (unknown public key 7F7CFB137DCB12A7)
==> ERROR: One or more PGP signatures could not be verified!

Syntax error in Makefile

There is a syntax error in the Makefile on lines 16-19:

nickel ~/repositories/opensource/ssss (master)$ make
cc -W -Wall -O2 -lgmp -o ssss-split ssss.c
strip ssss-split
ln -f ssss-split ssss-combine
if [ `which xmltoman` ]; then xmltoman ssss.manpage.xml > ssss.1; else echo "WARNING: xmltoman not found, skipping generate of man page."; fi
WARNING: xmltoman not found, skipping generate of man page.
if [ -e ssss.1 ]; then
/bin/sh: -c: line 1: syntax error: unexpected end of file
make: *** [ssss.1] Error 2