Comment by fovc
5 years ago
Thomas Pornin didn't have great things to say about ssss: https://security.stackexchange.com/a/83924
Not sure if those points are still relevant
I think that ssss was written to operate on passwords and its implementation is based on the original paper and so reasonably does not employ the more efficient implementation means.
My experience with Shamir Secret Sharing software is that it's mostly snake oil, pushed by snake-oil vendors:
https://en.bitcoin.it/wiki/Shamir_Secret_Snakeoil
Probably the best fast way to get an intuition for this is to realize that Shamir Secret Sharing is literally a generalization of the One Time Pad to support N of M threshold security and so it shares in common much of the same "theoretically perfect", "insecure in practice", and "highly appealing to people who don't know better" properties.
Of course, there are places to use it-- especially embedded inside other systems-- but unfortunately most of the interest comes from places where it doesn't make sense and this reality is reflected in the software.
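To make the thread's two technical points concrete, here is a small Shamir implementation over a prime field. It is an added example, not code from ssss, libgfshare or any commenter. It shows the N-of-M threshold in action, why holding threshold-minus-one shares gives no information (the "generalized one-time pad" property: every candidate secret is consistent with the shares you hold), and the practical caveat that plain Shamir does not authenticate shares, so a corrupted share silently reconstructs the wrong secret. The field prime, share indices and sample secret are my own choices; the 2-of-2 case is the "data and key" split mentioned later in the thread.

```python
"""Shamir secret sharing over GF(P) with N-of-M threshold (added example)."""
import secrets

# Assumption: a 127-bit Mersenne prime is large enough for the secrets we
# share (anything that fits in 15 bytes). Real tools use GF(2^8) per byte.
P = (1 << 127) - 1


def _interpolate(points, x):
    """Evaluate the unique polynomial of degree < len(points) that passes
    through the given (x_i, y_i) points at x, via Lagrange interpolation."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        # pow(den, P-2, P) is the modular inverse of den (Fermat's little theorem)
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def split(secret, threshold, shares, rng=secrets.randbelow):
    """Split an integer secret into `shares` points; any `threshold` recover it."""
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    if not 1 <= threshold <= shares < P:
        raise ValueError("need 1 <= threshold <= shares < P")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [rng(P) for _ in range(threshold - 1)]

    def f(x):  # Horner evaluation mod P
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, shares + 1)]


def recover(shares):
    """Reconstruct the secret from at least `threshold` distinct shares.
    NOTE: nothing here detects a tampered or mismatched share."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("shares must have distinct non-zero indices")
    return _interpolate(shares, 0)


def missing_share_for(partial, candidate, x):
    """Given threshold-1 shares and ANY candidate secret, return the share at
    index x that would make `candidate` the recovered secret. Because such a
    share exists for every candidate, t-1 shares reveal nothing about the
    secret; this is the one-time-pad-like perfect secrecy of the scheme."""
    return (x, _interpolate([(0, candidate)] + list(partial), x))


if __name__ == "__main__":
    # Constructed sample secret (13 bytes, well below P).
    secret = int.from_bytes(b"correct horse", "big")
    shares = split(secret, threshold=3, shares=5)
    print("recovered from shares 1,3,5:", recover([shares[0], shares[2], shares[4]]) == secret)
    # Two shares + any candidate -> a consistent third share exists.
    x, y = missing_share_for(shares[:2], 12345, 3)
    print("two shares are consistent with secret 12345:", recover(shares[:2] + [(x, y)]) == 12345)
    # A flipped share is silently accepted and yields garbage.
    bad = [shares[0], (shares[1][0], (shares[1][1] + 1) % P), shares[2]]
    print("tampered share detected:", recover(bad) == secret)  # False, no error raised
```

The last check is the practical point: if shares come from people or places you do not fully trust, a scheme that only does Shamir gives you no way to tell a bad share from a good one, which is one reason production designs wrap it in a MAC, a checksum over the recovered secret, or a verifiable variant.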
Your link brings up an excellent point about multisig being a much better option for guarding cryptocurrency (because the shards don't need to be brought together on a single device).
But sometimes you just have to write down passwords. You can use a password manager, but then you need to guard the master password. You can use a TPM with a PIN, but what if you lose the PIN or get hit by a bus or the TPM gets fried?
So either you write down the whole password in at least one place, or you write down shards. Shards seem safer.
Yes, there can be cases. Though many of them can be addressed with encryption, e.g. just creating a two-factor auth.
The added threshold part is often not easy to justify vs. something like having two factors (data and key) and backups of each.
It's also the case that my link is specific to Bitcoin where there are really good alternatives.
I’m usually pretty wary of heavily opinionated wiki essays. “It’s not often implemented properly” with two examples of how it’s failed while ignoring all the correct deployments seems pretty skewed. The essay even concludes that SSS used in higher order group-share protocols is fine because there’s a “high bar for correctness”. You can probably sum up the entire rant as “don't roll your own crypto” and “use the right tool for the job”.
> “don't roll your own crypto”
All the fault information there is in software people would have gone and downloaded instead of "rolling their own".
It's not like cryptography software is a magical gift from the gods; someone wrote it.
And often the people writing SSS software do not do a good job, partially because the properties that SSS by itself provides are not very useful and if they were thinking carefully they wouldn't write it at all.
It’s not particularly damning, either. He seems to outline characteristics of a solid SSS design which, in my experience, are exhibited by popular implementations these days.
There is also libgfshare, which seems to be the recommended tool.