For "everyday" practical use, there is also a really simple command line utility around called `ssss` which is available in many distro repos[1]. Debian has it since Jessie[2] and Ubuntu since around 12.04.
[1] https://repology.org/project/ssss/versions
[2] https://packages.debian.org/source/jessie/ssss
Thomas Pornin didn't have great things to say about ssss: https://security.stackexchange.com/a/83924
Not sure if those points are still relevant
I think that ssss was written to operate on passwords and its implementation is based on the original paper and so reasonably does not employ the more efficient implementation means.
My experience with Shamir Secret Sharing software is that it's mostly snake oil, pushed by snakeoil vendors:
https://en.bitcoin.it/wiki/Shamir_Secret_Snakeoil
Probably the best fast way to get an intuition for this is to realize that Shamir Secret Sharing is literally a generalization of the One Time Pad to support N of M threshold security and so it shares in common much of the same "theoretically perfect", "insecure in practice", and "highly appealing to people who don't know better" properties.
Of course, there are places to use it-- especially embedded inside other systems-- but unfortunately most of the interest comes from places where it doesn't make sense and this reality is reflected in the software.
It’s not particularly damning, either. He seems to outline characteristics of a solid SSS design which, in my experience, are exhibited by popular implementations these days.
There is also libgfshare which seems to be the recommended tool.
One idea this inspired me with is to create a single html file which contains both the code to assemble a SSS secret (from other HTML files or the base64 encoded secrets). The key thing that I think would help SSS work is to bundle both the secret part and the code to decode it in combination with the other parts. Said code should also be easy to run for the foreseeable future which is why HTML and JavaScript is a good choice.
I've been trying to come up with a good way to give my loved ones access to my KeePass vault in case I am incapacitated/dead. ssss for the password isn't great because I don't want something complicated and error prone.
My usual method for syncing my vault is to use Google Drive and this method would work well with this since I can just give said family members access to the encrypted vault but send the keys individually. Since I don't rotate the password on this vault, these partial keys only need to be sent once.
I don't need anything too complicated. I just need to be able to set it up such that any two of my trusted loved ones can access this vault in an emergency.
I made exactly that a while ago: https://github.com/ruphin/inline-shamir
My use case was that I need to encrypt/decrypt private keys on an offline device, and I wanted a single file "program" that runs on any device.
Polychain Labs open sourced a Shamir's secret sharing CLI tool by the same name 2 years ago.
https://github.com/polychainlabs/horcrux
https://www.dictionary.com/e/pop-culture/horcrux/
Hi, OP here. I made this little tool in a few hours to play with SSS, for an upcoming interactive article on end-to-end encryption. It uses the @stablelib/tss NPM package to do the heavy lifting. The UI is made with ChakraUI [1] & Next.js [2], source on GitHub [3].
[1] https://chakra-ui.com
[2] https://nextjs.org
[3] https://github.com/franky47/francoisbest.com
To be fair, this is cool, but the heavy lifting part is actually the interesting one.
Ian Coleman made one of these a few years back which is also great: https://iancoleman.io/shamir/
This implementation is flawed. Each shard gets a unique substitution cipher making this nothing more than a cryptogram generator. Input "aaaaabbbbbcccccdddddeeeee" with any number of shards/threshold to see.
Taking the message bytes (starting at byte 23), you can run a frequency analysis and recover any sufficiently long english message from a single shard.
I have not come across a good library that implements SSS over finite fields that was easy-to-use, reliable, or robust. Any suggestions would be welcome.
On the topic of shamir shares, plugging a question I asked yesterday[1]: how do you manage them if you want to get them onto hardware? Do you just ask your tokens to encrypt the pieces and store the encrypted pieces along with the main ciphertext?
[1] https://security.stackexchange.com/questions/245233/long-ter...
I've seen this before: it's awesome :) For those who are unfamiliar with SSS: https://qvault.io/2020/08/18/very-basic-shamirs-secret-shari...
This is a really nice UI wrapper around the @stablelib/tss (https://www.stablelib.com/modules/_tss_tss_.html) library if you fancy building your own.
Something cool you can do that I recently found out about is use libgfshare to split a text file using whatever C and T shares you want. Then use scrypt on the split shares with a password you won't forget. Once encrypted with scrypt simply take a JPEG and `cat` the scrypt encoded share to the end of a JPEG and send it in an email to a friend, doing this for each share where you know you'd be able to get enough original copies back.
There are some tricks to do this correctly but once you have enough shares copy the scrypt binary data back to individual files and decrypt it. Then combine the shares and voila your friends have helped you keep something secret that even if enough of them turned on you they would still need the scrypt decryption password.
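Added example illustrating one of the "tricks to do this correctly" in the JPEG-append trick above (this is not the commenter's script, and gfsplit/scrypt are not involved; the JPEG skeleton and the share bytes are constructed stand-ins). The tempting way to pull the appended share back out is to search for the last FF D9 (End-Of-Image) in the file, but encrypted share data is effectively random and will eventually contain FF D9 itself, cutting the share short. The parser below instead walks the JPEG marker structure, where FF D9 cannot appear inside entropy-coded data, so it finds the real EOI regardless of what follows it. The `hide_share` helper also refuses to append to a file that already carries trailing bytes.

```python
"""Recover data appended after a JPEG's EOI marker. Added example, constructed inputs."""

EOI, SOS = 0xD9, 0xDA
# Markers with no length field: SOI, TEM and the restart markers RST0..RST7.
NO_LENGTH = {0xD8, 0x01} | set(range(0xD0, 0xD8))


def split_jpeg_trailer(blob: bytes) -> tuple[bytes, bytes]:
    """Return (jpeg, trailer): bytes up to and including the real EOI, and whatever follows."""
    if blob[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while True:
        if pos >= len(blob) or blob[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(blob) and blob[pos] == 0xFF:  # FF fill bytes may precede a marker
            pos += 1
        if pos >= len(blob):
            raise ValueError("truncated marker")
        code = blob[pos]
        pos += 1
        if code == EOI:
            return blob[:pos], blob[pos:]
        if code in NO_LENGTH:
            continue
        seglen = int.from_bytes(blob[pos:pos + 2], "big")
        if seglen < 2 or pos + seglen > len(blob):
            raise ValueError(f"bad segment length at offset {pos}")
        pos += seglen  # the length field counts its own two bytes
        if code == SOS:
            # Entropy-coded data follows. Inside it an FF byte is always followed by 00
            # (byte stuffing) or D0..D7 (restart marker); anything else starts the next
            # real marker. So FF D9 seen here is the genuine EOI, never image data.
            while True:
                idx = blob.find(b"\xFF", pos)
                if idx < 0 or idx + 1 >= len(blob):
                    raise ValueError("no EOI found")
                nxt = blob[idx + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                    pos = idx + 2
                    continue
                pos = idx
                break


def naive_trailer(blob: bytes) -> bytes:
    """The tempting shortcut: everything after the *last* FF D9 in the file."""
    return blob[blob.rfind(b"\xFF\xD9") + 2:]


def hide_share(jpeg: bytes, share: bytes) -> bytes:
    """What `cat share >> picture.jpg` produces, with a guard against stacking payloads."""
    if split_jpeg_trailer(jpeg)[1]:
        raise ValueError("JPEG already carries trailing data")
    return jpeg + share


# Constructed JPEG skeleton: SOI, one APP0 segment, an SOS header, a few entropy-coded
# bytes containing a stuffed FF 00, an RST0 marker and a fill byte, then EOI.
# It is not a decodable image, only the marker structure the parser walks.
FAKE_JPEG = (
    b"\xFF\xD8"
    + b"\xFF\xE0" + (2 + 4).to_bytes(2, "big") + b"JFIF"
    + b"\xFF\xDA" + (2 + 1).to_bytes(2, "big") + b"\x01"
    + b"\x12\xFF\x00\x34\xFF\xD0\x56\xFF\xFF\xD9"
)

# Constructed stand-in for an encrypted share: opaque bytes that happen to contain FF D9.
FAKE_SHARE = b"scrypt\x00\x10\xA7\xFF\xD9\x3C\x91\x00\x42\xEE"


if __name__ == "__main__":
    carrier = hide_share(FAKE_JPEG, FAKE_SHARE)
    print("parser recovers share:", split_jpeg_trailer(carrier)[1] == FAKE_SHARE)
    print("rfind recovers share: ", naive_trailer(carrier) == FAKE_SHARE)
```

Run it on a real photo to see the difference in practice: `split_jpeg_trailer(open("pic.jpg", "rb").read())[1]` on a freshly saved file should be empty, and a camera or editor that already leaves metadata after EOI will show up here before you append anything to it. Mail clients that re-encode attachments will strip the trailer, so the share has to travel as an untouched attachment.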
That's really cool, I've been playing w/ Shamir a bit. I noticed I could change the last character of one share and still get back the secret. not every replacement character worked, though. any idea why?
Base64 padding, probably.
Is there any kind of standard for this? Every SSS implementation I've seen has its own custom format for the shards, so if you lose the program that reassembles them you can't recover the secret.
just go to https://francoisbest.com/horcrux and set Number needed to 10. It blows up
I set the maximum to 8, what browser are you on ?
Typing any additional number into the "number needed" field with keyboard on Chrome immediately shows "An unexpected error has occurred."
Very cool, just a pity about the name
The name is a reference to Harry Potter books.
It's not a great choice though. The idea of horcrux is that any piece is enough which is basically exactly the opposite of what shamir secret does ;) It was a much better choice for a script with the same name I used a while ago that would duplicate backups on several storage systems.
Anyway, who cares about the name, it's a pretty cool website :)
I know. Have you seen what the author has been up to lately?