Score:1

Why don't basically all "clusters" and similar distributed systems use Shamir's secret sharing method?


When I came to the topic of Ansible (Vault), when deploying secrets in Ansible and other passwords up to 128 characters, Shamir's Secret Sharing would be an ideal solution, I think:

  • The secret is never in one spot
  • The secret can be encrypted "on top"
  • You can place the parts of the secrets on multiple servers with good redundancy
  • No one server has all the credentials and you need the network connection

My first question would be:

  • Is Shamir's secret sharing secure nowadays? It was removed from the Tails OS in 2019.
  • If so, why isn't something along these lines implemented in more cluster-based software for secrets, i.e. SIEM solutions like Elastic, Splunk, QRadar etc.?
Steffen Ullrich (comment):
*"If so, why isn't something along these lines is implemented in Ansible Vault?"* - This is a product decision, so ask the developers (i.e. wrong place here). But it is [used in other products](https://developer.hashicorp.com/vault/docs/concepts/seal). As for still being safe - please ask at [crypto.se].
Sir Muffington (comment):
@SteffenUllrich should I rephrase the question to ask why general implementations are not common, and why that is so?
Steffen Ullrich (comment):
*"should I rephrase the question ..."* - depends on what you want to know. Is this about products which offer some form of secret sharing, but using different methods than Shamir's secret sharing -> provide the details of what is used instead when rephrasing the question. If it is about products not providing any secret sharing at all -> this is a decision not to implement such a feature and is unrelated to the specific algorithm, so ask the product developers.
schroeder (comment):
As you can see in the link, Tails removed it for being unpopular, and it is still available in the distro.
Command Master (comment):
Shamir's secret sharing is provably information-theoretically secure — even an unbounded adversary can't learn anything about the secret if he doesn't have enough shares.
Score:4

> The secret is never in one spot

No. In pure Shamir secret sharing, when the secret is initially built, and when it is rebuilt and used, it's in one spot. See comments for why this can be remedied, at least in part.

> Is Shamir's secret sharing secure nowadays?

Yes, for what it does: before the threshold of shares is met, nothing can be learned about the secret. As noted in the comments, that holds against arbitrarily powerful adversaries, thus technological progress like a hypothetical Cryptographically Relevant Quantum Computer won't change that.

> Why isn't something along these lines implemented in more software

Shamir Secret Sharing is good for keys that are at rest. For actively used keys, it adds complexity, and does not help against the elephant in the room: IT struggles at ensuring that no rogue software has access to the secret when it is rebuilt and being used. Use a trojanised machine to rebuild and use the secret, and poof goes security.

poncho (comment):
Note that we don't always have to explicitly recombine the shared secret to use it. One example is if we're evaluating the shared secret via a one-way function $f_x$ with the property $f_x(a+b+...+z) = f_x(a) \star f_x(b) \star ... \star f_x(z)$ (for some computable operation $\star$). That may sound like a weird case; however point multiplication of the point $x$ by the shared secret is exactly that.
fgrieu (comment):
@poncho: that works fine for $n$ out of $n$ secret sharing. But for general $n$ out of $m$ Shamir secret sharing, $1<n<m$, that might be harder to pull off.
Aman Grewal (comment):
Depending on the use case, it's also possible to not need to have the secret initially either. For example, dealer-less threshold signature schemes exist.
poncho (comment):
Actually, that works just fine for $(n, m)$ Shamir secret sharing; the recombination formula for the shares $(x_0, y_0), (x_1, y_1), ..., (x_n, y_n)$ is $\text{secret} := L_0 y_0 + L_1 y_1 + ... + L_n y_n$, where the $L_i$ are the Lagrange interpolation values that can be computed from the public $x$ shares. So, we have share holder $i$ privately compute $f_x(L_i y_i)$ and then do a public recombination of the results. This does imply that each of the share holders knows who all the other share holders cooperating with the recombination are (to compute $L_i$), which is typically not considered secret.
Marc Ilunga (comment):
For threshold schemes like FROST, reconstruction of the secret is also not needed. Plus, using a DKG scheme also ensures the key is not known to any single party at generation time. But this is naturally not possible (efficient) for all use cases.
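The following is an added example, not code from the thread or any product mentioned in it. It implements Shamir sharing over a prime field and contrasts the answer's point (classic recombination puts the secret back in one place) with poncho's trick (each holder exponentiates its own Lagrange-weighted share, and the public product equals $g^{\text{secret}}$ without the secret ever being assembled). The group parameters are toy-sized and constructed for the example.

```python
import secrets
# Toy parameters (constructed here): Q = 2*P + 1 is a safe prime, so G = 4 (a
# quadratic residue mod Q) generates the order-P subgroup of Z_Q^*. Sharing is done
# in GF(P), the group order, so exponents add mod P. Real systems use a ~256-bit
# prime-order group (poncho's elliptic-curve point multiplication); same logic.
P = 1019
Q = 2 * P + 1
G = 4

def split(secret, n, k):
    """Dealer: n shares (x, y) of secret; any k reconstruct it, fewer reveal nothing."""
    assert 0 <= secret < P and 1 <= k <= n < P
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def lagrange_at_zero(xs):
    """L_i for the public x-coordinates xs, such that secret = sum(L_i * y_i) mod P."""
    coeffs = []
    for i, xi in enumerate(xs):
        num = den = 1
        for j, xj in enumerate(xs):
            if j != i:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        coeffs.append(num * pow(den, -1, P) % P)
    return coeffs

def reconstruct(shares):
    """Classic recombination: the secret is briefly in one place (the answer's point)."""
    L = lagrange_at_zero([x for x, _ in shares])
    return sum(li * y for li, (_, y) in zip(L, shares)) % P

def distributed_exponent(shares):
    """poncho's trick: holder i publishes only G^(L_i*y_i) mod Q; multiplying the
    partial results yields G^secret, and nobody ever assembles the secret."""
    L = lagrange_at_zero([x for x, _ in shares])
    result = 1
    for li, (_, y) in zip(L, shares):
        result = result * pow(G, li * y % P, Q) % Q
    return result

if __name__ == "__main__":
    s = secrets.randbelow(P)
    sh = split(s, n=5, k=3)
    assert reconstruct(sh[:3]) == s and distributed_exponent(sh[::2]) == pow(G, s, Q)
```

The holders still learn each other's identities (the public $x$ values feeding the $L_i$), exactly as poncho notes; what they never see is the combined exponent.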