Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cryptographic security rules ? #3

Open
prodnet opened this issue Mar 30, 2019 · 8 comments
Open

Cryptographic security rules ? #3

prodnet opened this issue Mar 30, 2019 · 8 comments

Comments

@prodnet
Copy link

prodnet commented Mar 30, 2019

Hello,

Your Shamir secret sharing code around meet the cryptographic security rules ?
Some details like : integrity checks and side-channel resistance

Recommandations :

*Be side channel resistant (timing, branch, cache)
*Secure the shared secret with a MAC
*Use the platform (OS) randomness source

**These slip-ups can often fully compromise the security of the scheme.
@prodnet
Copy link
Author

prodnet commented Apr 2, 2019

Please let me know !
Thanks.

@iancoleman
Copy link
Owner

This tool uses the library https://github.com/amper5and/secrets.js

That library has been improved by https://github.com/grempe/secrets.js so I will look into upgrading it here.

  • side channels - no explicit work done on this, any suggestions?
  • no MAC but it can be done as a second step using another tool
  • uses secure randomness and alerts the user if not available (see secrets.js:L103)

@prodnet
Copy link
Author

prodnet commented Apr 3, 2019

Thank you for you reply.

Why this secure shared secret with a MAC, could not be implement directly in this source code?

It would be great if you could inspire you and implement in javascript, other sharing schemes as in this project:

https://github.com/Qbicz/multi-secret-sharing
Implemented and ready-to-use multi secrets sharing schemes are:

Roy-Adhikari
Lin-Yeh
Herranz-Ruiz-Saez.

@prodnet
Copy link
Author

prodnet commented Apr 3, 2019

And this :
https://github.com/brndnmtthws/seed-otp

@prodnet
Copy link
Author

prodnet commented Apr 3, 2019

This is Trezor Implementation:
https://github.com/trezor/python-shamir-mnemonic/

@iancoleman
Copy link
Owner

Feel free to use those tools instead. I wrote this one as a way to use https://github.com/amper5and/secrets.js since there was no demo app for it. I think you're looking for something different to this tool. If you have specific suggestions or pull requests that'd be great.

I like SLIP-0039 and have recommended it as the preferred alternative to my other secret sharing project for mnemonics called shamir39.

@prodnet
Copy link
Author

prodnet commented Apr 4, 2019

Where can I find an implementation of "SLIP-0039" without dependencies (python), as a simple "standalone.html" file, like yours?
If it does not exist, can you do this conversion?
Thanks.

@iancoleman
Copy link
Owner

I don't know of any web-based implementations of slip-0039. Would be a good project.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@iancoleman @prodnet