
The ShareSec Program

Tears a user-supplied or computer-generated secret into m parts so that n of them will later be needed to stitch the secret back together. Useful as a backup when the primary owner of the secret becomes unavailable.

Usage Scenario

Suppose your employees, security-conscious as they are, encrypt all sensitive material on their computers. On the night before an important bid, the guy who prepared the proposal gets hit by a truck; the physicians say he'll live, but won't wake up anytime soon. You could lose the bid because your encryption scheme is so secure that you can't break into your employee's files.

This is in fact one of the reasons many businesses don't use cryptography. It is just too secure -- so much that it doesn't naturally provide a plan B when things like that happen.

The sharesec program provides a solution to that problem as a kind of "shared key escrow": when you choose or generate a secret, it is split into several parts that you distribute among people you more-or-less trust. If you become unavailable, a number of them can agree to use their shares to recreate your original key.

In our example, your employee would have diligently split the encryption key into several shares that he distributed among his boss and coworkers. Upon hearing the bad news, some of them mutually agree that the situation is serious enough to require the reconstruction of the encryption key so that they can recover the original files and take on the bid.

Why not simply give the other people a copy of the employee's encryption key? Because that would empower them to read the employee's files at any time, without informing or asking permission from anyone -- an invitation to abuse. By splitting the passphrase, we need a minimum quorum to do that.

sharesec solves two other problems:

  • To prevent people from choosing weak passwords, sharesec sports a built-in random passphrase generator. It encodes the passphrases using common English words, so as to make them easier to remember and to type. When used in interactive mode, the program displays several suggestions and the user can choose the one that he/she finds easiest to remember.
  • sharesec can output the shares already PGP-encrypted to the public keys of their respective shareholders. That way, after the user has chosen his/her passphrase, no sensitive information is displayed onscreen.

Sample Sessions

Generating a secret and splitting it into three encrypted shares

Imagine Mr. John Doe just joined our company and it is time to set up his encrypted volume. In order to generate the passphrase, he runs sharesec on his machine as in the sample session below:

$ sharesec -t 2 -n 3 -w johndoe -g diceware::en -i -r kiko,evandro,lincoln

Choose: below we have 6 passphrase suggestions (more if you think of columns
------- instead of just rows). Choose one you find the easiest to memorize:

   1: pill anew pave pock chin zero
   2: rail skip slim eddy baud runt
   3: curl soda arty bark drop pier
   4: wont peep what atop hair undo
   5: dour yank nook sail life aloe
   6: bart bloc lies sewn fads call

 Tip: take your time. Don't try to choose in a hurry.

-- Press ENTER when ready to practice or any other key for more suggestions --

Attempt 1/3 -- New passphrase: [     OK    ] (... user correctly typed one of the above ...)

Attempt 2/3 -- New passphrase: [     OK    ] (... again ...)

Attempt 3/3 -- New passphrase: [     OK    ] (... yet again ...)

Using a 232 bit security level.
Using '/home/kiko/.gnupg/pubring.gpg'
-----BEGIN PGP MESSAGE-----
Version: sharesec-0.8.1
Comment: johndoe-1/3 to kiko on 2007-04-02
-----END PGP MESSAGE-----

-----BEGIN PGP MESSAGE-----
Version: sharesec-0.8.1
Comment: johndoe-2/3 to evandro on 2007-04-02
-----END PGP MESSAGE-----

-----BEGIN PGP MESSAGE-----
Version: sharesec-0.8.1
Comment: johndoe-3/3 to lincoln on 2007-04-02
-----END PGP MESSAGE-----

He then mails those PGP messages to each shareholder.

Recovering the Passphrase

Now suppose John Doe is on vacation trekking on the Diamantina Highlands with no cell phone coverage or any kind of connectivity. The sales department then says they urgently need an important file from his backups for a bid due tomorrow. After convincing me and another shareholder (say, Evandro) that there is no other way, we all agree to reconstruct his password. I use my PGP software to decrypt the message addressed to me, recovering my share; and Evandro does likewise. Below we see how simple the reconstruction session is:

# sharesec -t 2
Enter 2 shares separated by newlines:
Share [1/2]: johndoe-2/3-4FF3819CCAA5FF40F25EDBB9CF64BD2E5E51F9F77389A73346C6D9A84B
    (... screen cleared so that the other shareholder won't see our share ...)
Share [2/2]: johndoe-1/3-781D337E97284EEE577C9EE49D77114692255F7AE5906A36CD3C690C2E
Resulting secret: wont peep what atop hair undo

Other features

sharesec can also generate a secret non-interactively or accept secrets of your own choosing from the standard input. It can also generate the shares without encrypting them.

To-Dos

The binaries are way larger than they need to be. The secret sharing algorithm implementation uses GNU MP, while the PGP encryption part uses CryptLib, so we end up with two bignum libraries. Perhaps a much better approach would be to rewrite the whole program to use either GMP's or CryptLib's bignums. Or we could write a lightweight PGP encrypt-only library using OpenSSL and write the secret sharing part to use OpenSSL's bignums. (Tom Zerucha wrote such a PGP library, but I was unable to get it to work... but perhaps I didn't try hard enough, given that PGP encryption is so easy to do with CryptLib).

But I very much doubt I'll have the time to do any of this. As ugly as the solution currently is, it works well enough for me.

Credits

sharesec is based on the original ssss-0.5 by B. Poettering. See his page:

sharesec and the ssss utilities are compatible; you can generate the shares with one and reconstruct them with the other, or the other way around.

sharesec uses the CryptLib Encryption Toolkit by Peter Gutmann.

License and Downloads

sharesec is available under the terms of the GNU GPL v2.

Further Reading

The content of this site is made available under the terms of a Creative Commons License, except where otherwise noted.