mirror of
https://github.com/Ponce/slackbuilds
synced 2024-11-22 19:44:21 +01:00
178 lines
4.1 KiB
HTML
178 lines
4.1 KiB
HTML
|
<body text="#000000" link="#0000ff" bgcolor="#ffffff"><center><table width="80%">
|
||
|
<tr><td><h1>ssss</h1>
|
||
|
<h2>Split and Combine Secrets using Shamir's Secret Sharing Scheme.</h2>
|
||
|
|
||
|
|
||
|
<h2>Synopsis</h2>
|
||
|
<b>
|
||
|
ssss-split -t <em>threshold</em> -n <em>shares</em> [-w <em>token</em>]
|
||
|
[-s <em>level</em>] [-x] [-q] [-Q] [-D] [-v]<br>
|
||
|
|
||
|
ssss-combine -t <em>threshold</em> [-x] [-q] [-Q] [-D] [-v]<br>
|
||
|
|
||
|
</b>
|
||
|
|
||
|
|
||
|
<h2>Description</h2>
|
||
|
|
||
|
<p>ssss is an implementation of Shamir's Secret Sharing Scheme. The
|
||
|
program suite does both: the generation of shares for a known secret,
|
||
|
and the reconstruction of a secret using user-provided shares.</p>
|
||
|
|
||
|
|
||
|
|
||
|
<h2>Commands</h2>
|
||
|
|
||
|
<p><b>ssss-split</b>: prompt the user for a secret and generate a set of
|
||
|
corresponding shares.</p>
|
||
|
|
||
|
<p><b>ssss-combine</b>: read in a set of shares and reconstruct
|
||
|
the secret.</p>
|
||
|
|
||
|
|
||
|
|
||
|
<h2>Options</h2>
|
||
|
|
||
|
|
||
|
|
||
|
<p><b>-t <em>threshold</em></b></p>
|
||
|
<p>Specify the number of
|
||
|
shares necessary to reconstruct the secret.</p>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<p><b>-n <em>shares</em></b></p>
|
||
|
|
||
|
<p>Specify the number of shares to be generated.</p>
|
||
|
|
||
|
|
||
|
|
||
|
<p><b>-w <em>token</em></b></p>
|
||
|
|
||
|
<p>Text token to name shares in order to avoid confusion in case one
|
||
|
utilizes secret sharing to protect several independent secrets. The
|
||
|
generated shares are prefixed by these tokens.</p>
|
||
|
|
||
|
|
||
|
|
||
|
<p><b>-s <em>level</em></b></p>
|
||
|
|
||
|
<p>Enforce the scheme's security level (in bits). This option
|
||
|
implies an upper bound for the length of the shared secret
|
||
|
(shorter secrets are padded). Only multiples of 8 in the range
|
||
|
from 8 to 1024 are allowed. If this option is ommitted (or the
|
||
|
value given is 0) the security level is chosen automatically
|
||
|
depending on the secret's length. The security level directly
|
||
|
determines the length of the shares.</p>
|
||
|
|
||
|
|
||
|
|
||
|
<p><b>-x</b></p>
|
||
|
|
||
|
<p>Hex mode: use hexadecimal digits in place of ASCII characters for
|
||
|
I/O. This is useful if one wants to protect binary data, like
|
||
|
block cipher keys.</p>
|
||
|
|
||
|
|
||
|
|
||
|
<p><b>-q</b></p>
|
||
|
|
||
|
<p>Quiet mode: disable all unnecessary output. Useful in scripts.
|
||
|
</p>
|
||
|
|
||
|
|
||
|
<p><b>-Q</b></p>
|
||
|
|
||
|
<p>Extra quiet mode: like <b>-q</b>, but also suppress
|
||
|
warnings.</p>
|
||
|
|
||
|
|
||
|
|
||
|
<p><b>-D</b></p>
|
||
|
|
||
|
<p>Disable the diffusion layer added in version 0.2. This option
|
||
|
is needed when shares are combined that where generated with
|
||
|
ssss version 0.1.</p>
|
||
|
|
||
|
|
||
|
|
||
|
<p><b>-v</b></p>
|
||
|
|
||
|
<p>Print version information.</p>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<h2>Example</h2>
|
||
|
|
||
|
<p>
|
||
|
In case you want to protect your login password with a set of ten
|
||
|
shares in such a way that any three of them can reconstruct the
|
||
|
password, you simply run the command
|
||
|
</p>
|
||
|
|
||
|
<p>
|
||
|
ssss-split -t 3 -n 10 -w passwd
|
||
|
</p>
|
||
|
|
||
|
<p>
|
||
|
To reconstruct the password pass three of the generated shares
|
||
|
(in any order) to
|
||
|
</p>
|
||
|
|
||
|
<p>
|
||
|
ssss-combine -t 3
|
||
|
</p>
|
||
|
|
||
|
|
||
|
|
||
|
<h2>Notes</h2>
|
||
|
|
||
|
<p>
|
||
|
To protect a secret larger than 1024 bits a hybrid technique has to be
|
||
|
applied: encrypt the secret with a block cipher and apply secret
|
||
|
sharing to just the key. Among others openssl and gpg can do the
|
||
|
encryption part:
|
||
|
</p>
|
||
|
<p>
|
||
|
openssl bf -e < file.plain > file.encrypted
|
||
|
</p>
|
||
|
<p>
|
||
|
gpg -c < file.plain > file.encrypted
|
||
|
</p>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<h2>Security</h2>
|
||
|
|
||
|
<p>
|
||
|
<b>ssss</b> tries to lock its virtual address space into RAM for
|
||
|
privacy reasons. But this may fail for two reasons: either the current uid
|
||
|
doesn't permit page locking, or the RLIMIT_MEMLOCK is set too
|
||
|
low. After printing a warning message <b>ssss</b> will run even without
|
||
|
obtaining the desired mlock.
|
||
|
</p>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<h2>Author</h2>
|
||
|
|
||
|
This software (v0.5) was written in 2006 by B. Poettering
|
||
|
(ssss AT point-at-infinity.org). Find the newest version of
|
||
|
ssss on the project's homepage: <a href = "http://point-at-infinity.org/ssss/">http://point-at-infinity.org/ssss/</a>.
|
||
|
|
||
|
|
||
|
|
||
|
<h2>Further reading</h2>
|
||
|
|
||
|
<a href = "http://en.wikipedia.org/wiki/Secret_sharing">http://en.wikipedia.org/wiki/Secret_sharing</a>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
</td></tr></table></center>
|
||
|
</body>
|