Rusty Secrets

Documentation

Rusty Secrets is an implementation of a threshold Shamir's secret sharing scheme.

Design goals

The main use of this library is to split a secret of arbitrary length into n shares such that any t of them (t-out-of-n) are required to recover it, while t-1 or fewer shares reveal nothing about it. The dealer is assumed to be honest (and competent). We further assume that the adversary can compromise at most t-1 shares. Shares are kept offline.

A typical use case for this library would be splitting an encryption key to a TrueCrypt-like volume.

Implementation

Structure of the shares

  2-1-LiTyeXwEP71IUA
  ^ ^ ^^^^^^^^^^^^^^
  K N        D        

A share is built out of three parts separated with a dash: K-N-D.

  • K specifies the number of shares necessary to recover the secret.
  • N is the identifier of the share and varies between 1 and n where n is the total number of generated shares.
  • D is the Base64 encoding of a ShareData protobuf containing information about the share and, if the share is signed, its signature.
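The following is an added example, not RustySecrets' own parser: it validates the K-N-D text format described above, decodes D to raw bytes, and runs the consistency checks a recovery tool should perform before touching the shares (same K everywhere, distinct N, at least K shares). It does not decode the ShareData protobuf, whose schema is not given on this page. Treating K and N as u8 is an assumption made for this example (share identifiers 1..=n with n at most 255).

```rust
// Added example, not RustySecrets' own code. Parses "K-N-D" shares as described
// above. Assumptions: K and N fit in a u8; D is standard-alphabet Base64 (padded
// or unpadded); the ShareData protobuf inside D is left undecoded.

#[derive(Debug, PartialEq)]
pub struct ParsedShare {
    pub k: u8,         // threshold: number of shares needed to recover
    pub n: u8,         // identifier of this share, 1..=n
    pub data: Vec<u8>, // decoded D: the ShareData protobuf bytes
}

#[derive(Debug, PartialEq)]
pub enum ShareError {
    WrongFieldCount(usize),
    BadThreshold(String),
    BadIdentifier(String),
    BadBase64(usize), // byte offset in D of the offending character
}

/// Digits only (rejects "+2", " 2" and ""), then the value must be 1..=255.
fn parse_field(s: &str) -> Option<u8> {
    if s.is_empty() || !s.bytes().all(|b| b.is_ascii_digit()) { return None; }
    s.parse::<u8>().ok().filter(|&v| v >= 1)
}

/// Strict standard-alphabet Base64: '=' padding is optional, but a lone trailing
/// character or non-zero leftover bits (a non-canonical encoding) is rejected.
fn base64_decode(s: &str) -> Result<Vec<u8>, ShareError> {
    let s = s.trim_end_matches('=');
    let (mut out, mut buf, mut bits) = (Vec::with_capacity(s.len() * 3 / 4), 0u32, 0u32);
    for (i, c) in s.bytes().enumerate() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            _ => return Err(ShareError::BadBase64(i)),
        } as u32;
        buf = (buf << 6) | v;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((buf >> bits) as u8);
            buf &= (1 << bits) - 1; // keep only the not-yet-emitted low bits
        }
    }
    if bits == 6 || buf != 0 { return Err(ShareError::BadBase64(s.len())); }
    Ok(out)
}

/// Parses one "K-N-D" share. splitn(3) leaves any stray '-' inside D, where the
/// Base64 decoder then rejects it and reports its offset.
pub fn parse_share(text: &str) -> Result<ParsedShare, ShareError> {
    let parts: Vec<&str> = text.trim().splitn(3, '-').collect();
    if parts.len() != 3 { return Err(ShareError::WrongFieldCount(parts.len())); }
    let k = parse_field(parts[0]).ok_or_else(|| ShareError::BadThreshold(parts[0].to_string()))?;
    let n = parse_field(parts[1]).ok_or_else(|| ShareError::BadIdentifier(parts[1].to_string()))?;
    let data = base64_decode(parts[2])?;
    if data.is_empty() { return Err(ShareError::BadBase64(0)); }
    Ok(ParsedShare { k, n, data })
}

/// Sanity check before attempting recovery: every share carries the same K,
/// identifiers are distinct, and at least K shares are present. Returns K.
pub fn check_share_set(shares: &[ParsedShare]) -> Result<u8, String> {
    let k = shares.first().ok_or("no shares given")?.k;
    if shares.iter().any(|s| s.k != k) {
        return Err("shares carry different K values".to_string());
    }
    let mut ids: Vec<u8> = shares.iter().map(|s| s.n).collect();
    ids.sort_unstable();
    ids.dedup();
    if ids.len() != shares.len() {
        return Err("duplicate share identifier".to_string());
    }
    if shares.len() < k as usize {
        return Err(format!("K = {} shares required, only {} given", k, shares.len()));
    }
    Ok(k)
}

fn main() {
    // The share string is the one from the structure diagram above.
    match parse_share("2-1-LiTyeXwEP71IUA") {
        Ok(s) => println!("K={} N={} D={} bytes", s.k, s.n, s.data.len()),
        Err(e) => println!("rejected: {:?}", e),
    }
}
```

Rejecting non-canonical Base64 matters because otherwise two textually different share strings could decode to the same bytes, which defeats any check that compares or hashes the encoded form.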

Signatures

There are a few issues with regular Shamir's secret sharing that we wanted to address:

  • a share can be corrupted or incorrectly entered.
  • a malicious share holder can change the secret that will be recovered by modifying his own share.
  • a user holds shares from several different secrets and cannot tell which share belongs to which.

In all of these cases a corrupted secret is output, and the program, which has no way of knowing that the secret is corrupted, cannot give the user any actionable information.
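As an added example (not RustySecrets' code), here is the t-out-of-n splitting and recovery described under Design goals, implemented over GF(2^8) with one polynomial per secret byte, followed by the failure mode just described: one bit flipped in one share and recovery still "succeeds", returning a wrong secret with no error. The xorshift generator is a stand-in so the example runs offline; a real dealer must draw the polynomial coefficients from a cryptographically secure random source. The sample secret is constructed.

```rust
// Added example, not RustySecrets' own code: t-out-of-n Shamir sharing over
// GF(2^8) and a demonstration that plain Shamir cannot detect a tampered share.
// Xorshift32 below is placeholder randomness for a runnable example ONLY.

/// Multiply in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1.
fn gf_mul(mut a: u8, mut b: u8) -> u8 {
    let mut p = 0u8;
    for _ in 0..8 {
        if b & 1 == 1 { p ^= a; }
        let carry = a & 0x80;
        a <<= 1;
        if carry != 0 { a ^= 0x1b; }
        b >>= 1;
    }
    p
}

/// Multiplicative inverse as a^254 (a^255 = 1 for every non-zero a in GF(2^8)).
fn gf_inv(a: u8) -> u8 {
    assert!(a != 0, "zero has no inverse");
    let (mut result, mut base, mut e) = (1u8, a, 254u8);
    while e > 0 {
        if e & 1 == 1 { result = gf_mul(result, base); }
        base = gf_mul(base, base);
        e >>= 1;
    }
    result
}

/// A share: its x-coordinate (the share identifier, 1..=n) and one y-byte per secret byte.
#[derive(Clone, Debug, PartialEq)]
pub struct Share {
    pub x: u8,
    pub y: Vec<u8>,
}

/// Deterministic xorshift32: NOT suitable for real shares, see note above.
pub struct Xorshift(pub u32);
impl Xorshift {
    fn next_u8(&mut self) -> u8 {
        let mut x = self.0;
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        self.0 = x;
        (x >> 24) as u8
    }
}

/// Dealer side: split `secret` into n shares such that any t of them recover it.
pub fn split(secret: &[u8], t: u8, n: u8, rng: &mut Xorshift) -> Vec<Share> {
    assert!(1 <= t && t <= n, "need 1 <= t <= n");
    let mut shares: Vec<Share> = (1..=n).map(|x| Share { x, y: Vec::new() }).collect();
    for &s in secret {
        // Random polynomial of degree t-1 whose constant term is the secret byte.
        let mut coeffs = vec![s];
        coeffs.extend((1..t).map(|_| rng.next_u8()));
        for share in shares.iter_mut() {
            // Horner evaluation at x = share.x.
            let mut acc = 0u8;
            for &c in coeffs.iter().rev() { acc = gf_mul(acc, share.x) ^ c; }
            share.y.push(acc);
        }
    }
    shares
}

/// Holder side: Lagrange interpolation at x = 0. With t distinct honest shares
/// this is exact; with a tampered share it still returns bytes, just wrong ones.
pub fn recover(shares: &[Share]) -> Vec<u8> {
    let mut out = Vec::with_capacity(shares[0].y.len());
    for i in 0..shares[0].y.len() {
        let mut secret = 0u8;
        for (j, sj) in shares.iter().enumerate() {
            // l_j(0) = prod_{m != j} x_m / (x_m - x_j); subtraction is XOR in GF(2^8).
            let mut basis = 1u8;
            for (m, sm) in shares.iter().enumerate() {
                if m != j { basis = gf_mul(basis, gf_mul(sm.x, gf_inv(sm.x ^ sj.x))); }
            }
            secret ^= gf_mul(sj.y[i], basis);
        }
        out.push(secret);
    }
    out
}

/// Returns (recovered from shares 1-3, recovered from shares 3-5, recovered with share 2 tampered).
pub fn demo() -> (Vec<u8>, Vec<u8>, Vec<u8>) {
    let secret = b"constructed-volume-key-0123".to_vec(); // constructed sample secret
    let mut rng = Xorshift(0x2545_f491);
    let shares = split(&secret, 3, 5, &mut rng);
    let from_first_three = recover(&shares[0..3]);
    let from_last_three = recover(&shares[2..5]);
    let mut tampered = shares[0..3].to_vec();
    tampered[1].y[0] ^= 0x01; // a malicious holder flips one bit of share 2
    (from_first_three, from_last_three, recover(&tampered))
}

fn main() {
    let (ok1, ok2, bad) = demo();
    println!("shares 1-3: {}", String::from_utf8_lossy(&ok1));
    println!("shares 3-5: {}", String::from_utf8_lossy(&ok2));
    println!("tampered:   {:?} (no error raised)", bad);
}
```

Because each secret byte is shared independently, the tampered bit corrupts exactly one byte of the output and leaves the rest intact, which is precisely why the recovering program has nothing to go on without the signatures described next.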

We addressed this by having the dealer sign the shares and encoding the public key into each share. After generating the shares, the dealer erases both the secret and the private signing key used to sign them. When recovering the secret, the program compares the public keys carried by the shares and verifies each share's signature; if some shares do not carry the same public key, or do not carry a valid signature under that key, it signals the issue to the user with a helpful message. Since the shares are checked against each other, a tampered or foreign share is detected as long as at least one untampered share from the same dealing is present, which the adversary assumption above (at most t-1 compromised shares) guarantees.

Signing shares is optional, and how useful it is depends on the use case. Because the signatures are hash-based (a Merkle signature scheme built on SHA-512), signing adds a large overhead, mainly in share size.

Bug Reporting

Please report bugs either as pull requests or as issues in the issue tracker. RustySecrets has a full disclosure vulnerability policy. Please do NOT attempt to report any security vulnerability in this code privately to anybody.

License

See LICENSE.

Vocabulary

  • Dealer: the entity that splits the master secret into shares.
  • Shares: the parts of the split secret that are distributed to the holders.

Credits

Rusty Secrets was forked off sellibitze's secretshare.


