iancoleman/shamir

Cryptographic security rules?

Opened this issue · 8 comments

Hello,

Does your Shamir secret sharing code meet the cryptographic security rules?
Some details, like integrity checks and side-channel resistance.

Recommendations:

* Be side-channel resistant (timing, branch, cache)
* Secure the shared secret with a MAC
* Use the platform (OS) randomness source

These slip-ups can often fully compromise the security of the scheme.

Please let me know!
Thanks.

This tool uses the library https://github.com/amper5and/secrets.js

That library has been improved by https://github.com/grempe/secrets.js so I will look into upgrading it here.

  • side channels - no explicit work done on this, any suggestions?
  • no MAC but it can be done as a second step using another tool
  • uses secure randomness and alerts the user if not available (see secrets.js:L103)
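The MAC "second step" mentioned in the reply above, sketched as an added example that is not part of the thread, of this tool, or of secrets.js: the secret is wrapped with an HMAC-SHA256 tag before being handed to the splitter and checked after recombination, so a wrong or corrupted share is detected instead of silently yielding a wrong secret. The names `wrapSecret` and `unwrapSecret`, the 16-byte key length and the `key || tag || secret` layout are assumptions made for this example; because the key travels inside the shared value, the tag gives an integrity check at recombination and does not authenticate who created the shares.

```javascript
const crypto = require('crypto');

const KEY_LEN = 16; // per-secret random MAC key, in bytes (assumed size)
const TAG_LEN = 32; // HMAC-SHA256 output length in bytes

// Reject anything that is not an even-length hex string before decoding.
function hexToBuf(hex) {
  if (typeof hex !== 'string' || !/^(?:[0-9a-fA-F]{2})*$/.test(hex)) {
    throw new Error('input is not an even-length hex string');
  }
  return Buffer.from(hex, 'hex');
}

// Returns hex of key || tag || secret; this is the value to split into shares.
function wrapSecret(secretHex) {
  const secret = hexToBuf(secretHex);
  const key = crypto.randomBytes(KEY_LEN); // platform (OS) randomness source
  const tag = crypto.createHmac('sha256', key).update(secret).digest();
  return Buffer.concat([key, tag, secret]).toString('hex');
}

// Takes the recombined hex; returns the original secret hex or throws.
function unwrapSecret(wrappedHex) {
  const buf = hexToBuf(wrappedHex);
  if (buf.length < KEY_LEN + TAG_LEN) throw new Error('wrapped secret too short');
  const key = buf.subarray(0, KEY_LEN);
  const tag = buf.subarray(KEY_LEN, KEY_LEN + TAG_LEN);
  const secret = buf.subarray(KEY_LEN + TAG_LEN);
  const expected = crypto.createHmac('sha256', key).update(secret).digest();
  // Constant-time comparison of the two equal-length tags.
  if (!crypto.timingSafeEqual(tag, expected)) throw new Error('integrity check failed');
  return secret.toString('hex');
}

// Constructed demo helper: simulate a bad recombination by flipping one bit.
function flipBit(hex, byteIndex) {
  const buf = hexToBuf(hex);
  buf[byteIndex] ^= 0x01;
  return buf.toString('hex');
}

const demoSecret = '00112233445566778899aabbccddeeff'; // constructed sample
const wrapped = wrapSecret(demoSecret);
console.log(unwrapSecret(wrapped) === demoSecret);
try { unwrapSecret(flipBit(wrapped, wrapped.length / 2 - 1)); }
catch (e) { console.log(e.message); }
```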

Thank you for your reply.

Why could securing the shared secret with a MAC not be implemented directly in this source code?

It would be great if you could take inspiration from this project and implement, in JavaScript, other sharing schemes like the ones it provides:

https://github.com/Qbicz/multi-secret-sharing
Implemented and ready-to-use multi-secret sharing schemes are:

* Roy-Adhikari
* Lin-Yeh
* Herranz-Ruiz-Saez

Feel free to use those tools instead. I wrote this one as a way to use https://github.com/amper5and/secrets.js since there was no demo app for it. I think you're looking for something different to this tool. If you have specific suggestions or pull requests that'd be great.

I like SLIP-0039 and have recommended it as the preferred alternative to my other secret sharing project for mnemonics called shamir39.

Where can I find an implementation of "SLIP-0039" without dependencies (python), as a simple "standalone.html" file, like yours?
If it does not exist, can you do this conversion?
Thanks.

I don't know of any web-based implementations of slip-0039. Would be a good project.