Skip to content

itslab-kyushu/sss

Repository files navigation

Shamir's Threshold Secret Sharing

GPLv3 CircleCI wercker status Release Dockerhub MicroBadger GoDoc

This software provides a Go library implementing a Secret Sharing scheme, a command line tool which distributes and reconstructs your secret files, and a client/server datastore service.

This software has been made for comparing performance of secret sharing based key-value storages in the following article:

Please consider to refer it, if you will publish any articles using this software.

Installation

Go library

If you are only interested in our secret sharing library for Go,

$ go get -d github.com/itslab-kyushu/sss

Client/Server application

If you are interested in our client/server application, compiled binaries of them are available on Github. After downloading a binary to your environment, decompress and put it in a path included in $PATH.

If you're a Homebrew user, you can install the client application by

$ brew tap itslab-kyushu/sss
$ brew install sss

You can also compile by yourself. First, you need to download the code base:

$ git clone https://github.com/itslab-kyushu/sss $GOPATH/src/itslab-kyushu/sss

Then, build client command sss:

$ cd $GOPATH/src/itslab-kyushu/sss/client
$ go get -d -t -v .
$ go build -o sss

and build server command sss-server:

$ cd $GOPATH/src/itslab-kyushu/sss/server
$ go get -d -t -v .
$ go build -o sss-server

To build both commands, Go > 1.7.4 is required.

Server application as a Docker image

We have a docker image itslabq/sss which includes a compiled binary of the server application.

Docker

Containers created from this image exposes port 13009 and a volume /data where all uploaded data will be stored.

To run this server image;

$ docker run -d --name sss-server -p 13009:13009 -v $(pwd)/data:/data itslabq/sss

The above command mounts ./data to /data in the container so that all data are store in ./data.

Client Usage

The client application provides two way to run the threshold Secret Sharing scheme (SSS). One of them is local mode, which stores shares into a local file system. The other one is remote mode, which stores shares into servers provided the server command.

Local mode

The local mode provides two sub commands, distribute and reconstruct. Distribute command reads a file and creates a set of shares, on the other hand, reconstruct command reads a set of shares and reconstructs the original file.

Distribute

$ sss local distribute <file> <number of shares> <threshold>

It produces share files and the file name of i-th share has .i.xz as the suffix.

Reconstruct

$ sss local reconstruct <file>...

It produces a file based on the given share's file name by removing the above suffix.

Remote mode

Remote mode provides four sub command: get, put, delete, and list. All commands take a YAML based server configuration file. The format is as follows:

servers:
  - address: 192.168.0.1
    port: 13009
  - address: 192.168.0.2
    port: 13009
  - address: 192.168.1.1
    port: 13009

The above example defines three servers.

The get command gathers shares from the servers defined the configuration file, and put command distributes shares to the servers.

The default name of the configuration file is sss.yml but you can set another name via --config flag.

Get

sss remote get --config sss.yml --output result.dat <file name>

Get command gathers shares associated with the given file name from the servers defined in the configuration file, and then reconstructs and stores them as the given file name via --output flag.

If --config flag is omitted, sss.yml is used, and if --output flag is omitted, <file name> is used.

To find available file names, use list command.

The number of groups and the number of total servers must be greater then or equal to the group threshold and the data threshold, which are given when those shares were created.

Put

sss remote put --config sss.yml <file> <threshold>

Put command reads the given file and runs distribute procedure to create shares. The threshold is a parameter of SSS. The number of total shares are as same as defined in the server configuration file.

If --config flag is omitted, sss.yml is used.

Put command also takes --chunk flag to set the byte size of each chunk. The default value is 256. The distribute procedure creates a finite filed Z/pZ, where p is a prime number which has chunk size + 1 bit length.

Delete

sss remote delete --config sss.yml <file name>

Delete command deletes all shares associated with the given file name from all servers defined in the configuration file.

If --config flag is omitted, sss.yml is used.

List

sss remote list --config sss.yml

List command shows all file names stored in the servers. If --config flag is omitted, sss.yml is used.

Server Usage

The server application runs a simple data store service using SSS.

It takes three flags,

  • --port: the port number the server will listen,
  • --root: the document root path to store uploaded shares,
  • --no-compress: if set, all shares will be stored without compression.

If those flags are omitted, default values are used. Thus, you can start a server by just run sss-server.

Library Usage

See godoc.

License

This software is released under The GNU General Public License Version 3, see COPYING for more detail.