-
Notifications
You must be signed in to change notification settings - Fork 24
/
ssss.manpage.xml
185 lines (154 loc) · 5.41 KB
/
ssss.manpage.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
<?xml version="1.0" standalone='no'?>
<!DOCTYPE manpage SYSTEM "http://masqmail.cx/xmltoman/xmltoman.dtd">
<?xml-stylesheet type="text/xsl"
href="http://masqmail.cx/xmltoman/xmltoman.xsl" ?>
<manpage name="ssss" section="1"
desc="Split and Combine Secrets using Shamir's Secret Sharing Scheme.">
<synopsis>
<cmd>ssss-split -t <arg>threshold</arg> -n <arg>shares</arg> [-w <arg>token</arg>]
[-s <arg>level</arg>] [-r] [-x] [-q] [-Q] [-D] [-v]</cmd>
<cmd>ssss-combine -t <arg>threshold</arg> [-r -n <arg>shares</arg>]
[-x] [-q] [-Q] [-D] [-v]</cmd>
</synopsis>
<description>
<p>ssss is an implementation of Shamir's Secret Sharing Scheme. The
program suite does both: the generation of shares for a known secret,
and the reconstruction of a secret using user-provided shares.</p>
</description>
<section name ="Commands">
<p><opt>ssss-split</opt>: prompt the user for a secret and generate a set of
corresponding shares.</p>
<p><opt>ssss-combine</opt>: read in a set of shares and reconstruct
the secret.</p>
</section>
<options>
<option>
<p><opt>-t <arg>threshold</arg></opt></p> <optdesc>
<p>Specify the number of
shares necessary to reconstruct the secret.</p></optdesc>
</option>
<option>
<p><opt>-n <arg>shares</arg></opt></p>
<optdesc>
<p>Specify the number of shares to be generated.</p>
</optdesc>
</option>
<option><p><opt>-M</opt></p>
<optdesc>
<p>Require a successful memory lock in order to proceed, and
terminate if one was not obtained. Option is not available if the code
was compiled with NOMLOCK.</p>
</optdesc>
</option>
<option><p><opt>-w <arg>token</arg></opt></p>
<optdesc>
<p>Text token to name shares in order to avoid confusion in case one
utilizes secret sharing to protect several independent secrets. The
generated shares are prefixed by these tokens.</p>
</optdesc>
</option>
<option><p><opt>-s <arg>level</arg></opt></p>
<optdesc>
<p>Enforce the scheme's security level (in bits). This option
implies an upper bound for the length of the shared secret
(shorter secrets are padded). Only multiples of 8 in the range
from 8 to 1024 are allowed. If this option is ommitted (or the
value given is 0) the security level is chosen automatically
depending on the secret's length. The security level directly
determines the length of the shares.</p>
</optdesc>
</option>
<option><p><opt>-r</opt></p>
<optdesc>
<p>Recovery mode: <opt>ssss-combine</opt> reads in a set of <arg>t</arg>
shares and reconstruct <arg>n</arg> shares again. <opt>ssss-split</opt>
doesn't generate shares randomly, but asks the secret and <arg>t</arg> -
1 shares (secret is treated here as a share). Usable to recover
forgotten shares.</p>
</optdesc>
</option>
<option><p><opt>-x</opt></p>
<optdesc>
<p>Hex mode: use hexadecimal digits in place of ASCII characters for
I/O. This is useful if one wants to protect binary data, like
block cipher keys.</p>
</optdesc>
</option>
<option><p><opt>-q</opt></p>
<optdesc>
<p>Quiet mode: disable all unnecessary output. Useful in scripts.
</p>
</optdesc>
</option>
<option><p><opt>-Q</opt></p>
<optdesc>
<p>Extra quiet mode: like <opt>-q</opt>, but also suppress
warnings.</p>
</optdesc>
</option>
<option><p><opt>-D</opt></p>
<optdesc>
<p>Disable the diffusion layer added in version 0.2. This option
is needed when shares are combined that were generated with
ssss version 0.1.</p>
</optdesc>
</option>
<option><p><opt>-v</opt></p>
<optdesc>
<p>Print version information.</p>
</optdesc>
</option>
</options>
<section name="Example">
<p>
In case you want to protect your login password with a set of ten
shares in such a way that any three of them can reconstruct the
password, you simply run the command
</p>
<p>
ssss-split -t 3 -n 10 -w passwd
</p>
<p>
To reconstruct the password pass three of the generated shares
(in any order) to
</p>
<p>
ssss-combine -t 3
</p>
</section>
<section name="Notes">
<p>
To protect a secret larger than 1024 bits a hybrid technique has to be
applied: encrypt the secret with a block cipher and apply secret
sharing to just the key. Among others openssl and gpg can do the
encryption part:
</p>
<p>
openssl bf -e < file.plain > file.encrypted
</p>
<p>
gpg -c < file.plain > file.encrypted
</p>
</section>
<section name="Security">
<p>
<opt>ssss</opt> tries to lock its virtual address space into RAM for
privacy reasons. But this may fail for two reasons: either the current uid
doesn't permit page locking, or the RLIMIT_MEMLOCK is set too
low. After printing a warning message <opt>ssss</opt> will run even without
obtaining the desired mlock.
</p>
</section>
<section name="Author">
The original software (v0.5) was written in 2006 by B. Poettering
(ssss AT point-at-infinity.org). Find the newest version of
ssss on the project's homepage: <url
href="http://point-at-infinity.org/ssss/"/>.
The amended versions (v0.5.1+) were written between 2011..2020
by Jon D Frisby (jfrisby AT mrjoy.com). Find the newest version on
github: <url href="https://github.com/MrJoy/ssss"/>.
</section>
<section name="Further reading">
<url href="http://en.wikipedia.org/wiki/Secret_sharing"/>
</section>
</manpage>