Secret sharing covers situations where a group of participants split a secret into parts, each participant holding their own unique part, and later contribute those parts together to reconstruct the initial secret. We can achieve this with Shamir’s Secret Sharing, a cryptographic algorithm created by Adi Shamir.
More info on Secret Sharing
Referenced from Wikipedia: Secret Sharing:
“Secret sharing (also called secret splitting) refers to methods for distributing a secret amongst a group of participants, each of whom is allocated a share of the secret. The secret can be reconstructed only when a sufficient number, of possibly different types, of shares are combined together; individual shares are of no use on their own.”
Installing ssss
On Mac OSX:
On Debian:
Creating a Secret:
Generate a secret that we will distribute as 5 shares, each participant holding their own unique share, such that any 3 participants are needed to rebuild the secret. In our case the shares will be distributed to the following example users:
For this demonstration our secret’s value will be SuperSecret@123!, which we will split into 5 shares, of which any 3 are needed to reconstruct it:
Each share is then handed to its user to save in a secure location.
Reconstructing the Secret:
Let’s reconstruct the secret. As we need 3 participants, we will ask John, Paul and Ryan for their shares so that we can rebuild it:
As you can see, the reconstructed secret matches the initial secret.
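To show what ssss-split and ssss-combine are doing underneath, here is a minimal Shamir split/combine in Python over a prime field. This is an added example, not code from the original post and not ssss’s own implementation (ssss uses its own field and share encoding). It splits the page’s demo secret into 5 shares with a threshold of 3 and shows that any 3 shares reconstruct it while 2 do not. The two extra participant names and the index-hex share format are assumptions made for the example.

```python
import secrets

# Prime field for the arithmetic. 2**521 - 1 is a Mersenne prime, so any
# secret of up to 65 bytes fits below it as an integer.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients lowest degree first) at x mod P."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def split_secret(secret: bytes, threshold: int, share_count: int):
    """Split `secret` into `share_count` (index, value) shares, any
    `threshold` of which reconstruct it."""
    if not 1 <= threshold <= share_count:
        raise ValueError("need 1 <= threshold <= share_count")
    # A leading 0x01 byte marks where the secret starts, so secrets that
    # begin with zero bytes survive the round trip through an integer.
    s = int.from_bytes(b"\x01" + secret, "big")
    if s >= P:
        raise ValueError("secret too long for this field")
    # The constant term is the secret; the remaining coefficients are
    # random, which is why fewer than `threshold` shares reveal nothing.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def combine_shares(shares):
    """Recover the secret from `threshold` distinct shares by Lagrange
    interpolation at x = 0. With too few shares the result is meaningless."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    raw = total.to_bytes((total.bit_length() + 7) // 8, "big")
    return raw[1:]  # drop the 0x01 marker


def format_share(share):
    """Render a share as 'index-hex' text to hand to a participant
    (an assumed layout for this example)."""
    x, y = share
    return f"{x}-{y:x}"


def parse_share(text):
    """Parse the 'index-hex' text produced by format_share."""
    x, y = text.split("-", 1)
    return int(x), int(y, 16)


if __name__ == "__main__":
    secret = b"SuperSecret@123!"  # the page's demo secret
    # John, Paul and Ryan come from the page; the other two are constructed.
    users = ["John", "Paul", "Ryan", "Alice", "Bob"]
    handed_out = dict(zip(users, map(format_share, split_secret(secret, 3, 5))))
    for user, share in handed_out.items():
        print(f"{user}: {share[:24]}...")
    # Three participants bring their shares back.
    returned = [parse_share(handed_out[u]) for u in ("John", "Paul", "Ryan")]
    print("reconstructed:", combine_shares(returned))
    # Two participants are not enough.
    print("two shares give:", combine_shares(returned[:2]) == secret)
```

The random coefficients are drawn with the `secrets` module rather than `random`, since a predictable polynomial would let a single share-holder recover the secret.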
Using ssss and qrencode for MFA Codes
This can be useful for Multi-Factor Authentication as well. Set up a virtual MFA device with an identity provider that supports MFA authentication, copy or make a note of the “Secret Key / Secret Configuration Key”, then go ahead and set up the MFA device in your authenticator app to complete the setup.
Once verified and able to log on, log out and delete the MFA account from your device.
Generate the same share scheme for the MFA Secret Key, for this example ABCDEXAMPLE1029384756:
Distribute the shares, and when the MFA device needs to be restored on a device, reconstruct the secret to get the Secret Key for the MFA device:
Now that we have the Secret Key for our MFA device, let’s generate a QR code that we can scan from our device, which saves us from typing a lot of characters. We will need qrencode for this:
For Mac OSX:
For Debian:
To generate the QR code, we will pass the filename myqrcode.png, the name that will appear on our device MyNewMFADevice, and the secret ABCDEXAMPLE1029384756:
You will find myqrcode.png in your current working directory. Open the file, scan the QR code, and your MFA device will be set up and ready to use.