[distorted-keys] / README

distorted.org.uk KEY MANAGEMENT

The various files are organized into subdirectories as follows.

infra/			Infrastructure keys used to keep this system going.
recov/

File extensions used are as follows.

.pub		Seccure public key.  (See description of Seccure data
		formats below.)

.recov		Seccure ciphertext of key


recov.pub	`seccure' public key for recovery

krb5-master	Kerberos master password
bkp-LABEL	LUKS keyfile for backup volume LABEL
disk-HOST	LUKS keyfile for HOST's disk

keys/
|- keeper/
|  '- KEEPER/
|     |- meta
|     '- I.pub
|- key/
|  '- ???
'- recov/
   '- RECOV/
      |- keepers
      |- current@
      '- I/
	 |- pub
      	 |- KEEPER.param
	 |- KEEPER.I.share
	 '- SECRET.recov


* Reference

** Asymmetric cryptography

I've used B. Poettering's Seccure package for my asymmetric
cryptography.  It's been in Debian for a fair while and seems sane. If
you're interested in what it does, I wrote my own implementation in
Python.  It seems pretty sensible, actually.  It uses ECIES with AES
in counter mode, and SHA256-HMAC for asymmetric encryption, and a
variant of ECDSA with SHA512 for signatures.

Seccure wants to read a single line of stuff as a passphrase.  I use
this rune to generate a public key.

	dd if=/dev/random of=master bs=1 count=512 |
		openssl sha384 -binary >priv

To derive the public key, I say this:

	openssl base64 -in priv | seccure-key -q -F/dev/stdin -cp256 >pub

For encryption, I use a 128-bit MAC.  For decryption, you need this rune.

	openssl base64 -in priv |
		seccure-decrypt -q -F/dev/stdin -m128 ciphertext

** Secret sharing

I've written my own tool for doing Shamir secret sharing.  The
underlying machinery is compatible with Daniel Silverstone's `gfshare'
program and my Catacomb library's secret sharing.  My `shamir' program
has a number of important differences:

  * it produces output as plain text files which can be transported
    easily and so on;

  * it includes metadata, such as the number of shares, the threshold,
    and a hash of the final secret, along with the share data;

  * it stores the share index with the share data too, rather than
    encoding it in the file name where it's likely to be lost; and

  * it doesn't choose random share indices when issuing shares,
    because that's pointless.

The `shamir issue' command writes one line for each share that it
produces.  I use this rune to split them into separate files.

	shamir issue 3/5 master |
		sed 's/^.*;i=\([^;]*\);/\1 &/' |
		while read i share; do
		  echo $share >master.$i
		done

You can recover the original secret by feeding shares, one per line,
into `shamir recover'.  All of the parameters are in the share data,
so you don't need to know any of them.  (I used the defaults anyway,
since I carefully chose them to match what I wanted.)

A share line has the following format:

	shamir-share:KEY=VALUE;KEY=VALUE;...

where the following keys are defined (they must appear in this order):

  * n = total number of shares issued;
  * t = threshold (i.e., number of shares needed for recovery);
  * f = hash function name (an OpenSSL name, e.g., `sha256');
  * h = base-64 encoded hash of the secret (using hash function `f');
  * i = index of this share (starting from 0); and
  * y = base-64 share data.

You can turn such a file of such lines into files suitable for
`gfcombine' like this:

	sed 's/^.*;i=\(.*\);y=\(.*\)$/\1 \2/' | 
	while read i sh; do
	  ix=$(printf %03d $((i + 1)))
	  echo $sh | openssl base64 -d >tmp/share.$ix
	done
Commit	Line	Data
53263601 MW	1	distorted.org.uk KEY MANAGEMENT
	2
	3	The various files are organized into subdirectories as follows.
	4
	5	infra/ Infrastructure keys used to keep this system going.
	6	recov/
	7
	8	File extensions used are as follows.
	9
	10	.pub Seccure public key. (See description of Seccure data
	11	formats below.)
	12
	13	.recov Seccure ciphertext of key
	14
	15
	16
	17	recov.pub `seccure' public key for recovery
	18
	19	krb5-master Kerberos master password
	20	bkp-LABEL LUKS keyfile for backup volume LABEL
	21	disk-HOST LUKS keyfile for HOST's disk
	22
	23	keys/
	24	\|- keeper/
	25	\| '- KEEPER/
	26	\| \|- meta
	27	\| '- I.pub
	28	\|- key/
	29	\| '- ???
	30	'- recov/
	31	'- RECOV/
	32	\|- keepers
	33	\|- current@
	34	'- I/
	35	\|- pub
	36	\|- KEEPER.param
	37	\|- KEEPER.I.share
	38	'- SECRET.recov
	39
	40
	41	* Reference
	42
	43	** Asymmetric cryptography
	44
	45	I've used B. Poettering's Seccure package for my asymmetric
	46	cryptography. It's been in Debian for a fair while and seems sane. If
	47	you're interested in what it does, I wrote my own implementation in
	48	Python. It seems pretty sensible, actually. It uses ECIES with AES
	49	in counter mode, and SHA256-HMAC for asymmetric encryption, and a
	50	variant of ECDSA with SHA512 for signatures.
	51
	52	Seccure wants to read a single line of stuff as a passphrase. I use
	53	this rune to generate a public key.
	54
	55	dd if=/dev/random of=master bs=1 count=512 \|
	56	openssl sha384 -binary >priv
	57
	58	To derive the public key, I say this:
	59
	60	openssl base64 -in priv \| seccure-key -q -F/dev/stdin -cp256 >pub
	61
	62	For encryption, I use a 128-bit MAC. For decryption, you need this rune.
	63
	64	openssl base64 -in priv \|
65	seccure-decrypt -q -F/dev/stdin -m128 ciphertext
66
67	** Secret sharing
68
69	I've written my own tool for doing Shamir secret sharing. The
70	underlying machinery is compatible with Daniel Silverstone's `gfshare'
71	program and my Catacomb library's secret sharing. My `shamir' program
72	has a number of important differences:
73
74	* it produces output as plain text files which can be transported
75	easily and so on;
76
77	* it includes metadata, such as the number of shares, the threshold,
78	and a hash of the final secret, along with the share data;
79
80	* it stores the share index with the share data too, rather than
81	encoding it in the file name where it's likely to be lost; and
82
83	* it doesn't choose random share indices when issuing shares,
84	because that's pointless.
85
86	The `shamir issue' command writes one line for each share that it
87	produces. I use this rune to split them into separate files.
88
89	shamir issue 3/5 master \|
90	sed 's/^.;i=\([^;]\);/\1 &/' \|
91	while read i share; do
92	echo $share >master.$i
93	done
94
95	You can recover the original secret by feeding shares, one per line,
96	into `shamir recover'. All of the parameters are in the share data,
97	so you don't need to know any of them. (I used the defaults anyway,
98	since I carefully chose them to match what I wanted.)
99
100	A share line has the following format:
101
102	shamir-share:KEY=VALUE;KEY=VALUE;...
103
104	where the following keys are defined (they must appear in this order):
105
106	* n = total number of shares issued;
107	* t = threshold (i.e., number of shares needed for recovery);
108	* f = hash function name (an OpenSSL name, e.g., `sha256');
109	* h = base-64 encoded hash of the secret (using hash function `f');
110	* i = index of this share (starting from 0); and
111	* y = base-64 share data.
112
113	You can turn such a file of such lines into files suitable for
114	`gfcombine' like this:
115
116	sed 's/^.;i=\(.\);y=\(.*\)$/\1 \2/' \|
117	while read i sh; do
118	ix=$(printf %03d $((i + 1)))
119	echo $sh \| openssl base64 -d >tmp/share.$ix
120	done