
Shamir's Secret Sharing on any enrollment method

Open nbouchinet-anssi opened this issue 3 years ago • 10 comments

Describe the solution you'd like

I've seen multiple issues that ask for a way to combine secrets, like these two: https://github.com/systemd/systemd/issues/20936 and https://github.com/systemd/systemd/issues/19229

I'm currently working on a patch that might address this problem. The patch is intended to bring Shamir's Secret Sharing to the systemd-cryptenroll and systemd-cryptsetup code in order to combine any kind of current secret enrollment methods.

This patch will also make it possible to combine multiple instances of the same enrollment method, for example TPM2 + FIDO2 Token 1 + FIDO2 Token 2.

Describe alternatives you've considered

Aside from this patch, I first implemented a small Proof of Concept which combines FIDO2-HMAC derivation using a TPM2 sealed seed to get my hands on the systemd code without Shamir's Secret Sharing, but I'm not satisfied with this method as it only permits a combination of TPM2 + FIDO2.

The systemd version you checked that didn't have the feature you are asking for: 249

nbouchinet-anssi avatar Oct 22 '21 12:10 nbouchinet-anssi

Hmm, what's the precise use case here? I mean, I can see why one might combine a TPM2 device and a FIDO2 device. But SSSS is way over the top for that afaics. I.e. it allows n-out-of-m unlocking, but that's only worth it if n >= 2 and m is kinda "large". As long as it's just allowing two or so it's simple enough to combine them trivially and just enroll multiple combinations, no? So, do you really intend to use like 7 FIDO keys of which any 3 should suffice to unlock a volume? That sounds like an awfully artificial scenario to me though.

Note that right now we don't even treat multiple FIDO2 keys nicely, because we can't recognize them, hence we don't know which question to ask them. There are some ideas about what to do about that in #19208. Before SSSS or any other combinatorial unlocking can be implemented we really have to fix that part first...

poettering avatar Oct 26 '21 17:10 poettering

What I'd like to see in systemd is a flexible factor-combination, the Shamir's Secret Sharing idea was an attempt to address more use-cases in a single shot. The generic SSSS use-case idea was an encrypted volume containing sensitive data that should only be unlocked if n/m users are reunited, in case of missing people.

I'm still ready to implement a factor-combination for systemd-crypt{setup,enroll} and thus help for the https://github.com/systemd/systemd/issues/19208 issue.

Do you have an idea for the factor-combination implementation in mind that I should start with, or shall I propose one?

nbouchinet-anssi avatar Oct 27 '21 13:10 nbouchinet-anssi

I would very much welcome a factor combination/shared secret like SSSS. Is there something planned or in development?

Because at the moment I'm using FIDO2 (with PIN and Fingerprint), but am still vulnerable to firmware issues and dependent on vendor trust. This would be minimized if we could share the secret.

j5k avatar Mar 30 '22 07:03 j5k

Hi, I have a working POC on my GitHub repo. I still have to clean up the code and add some tests, but you can try it if you want. Feel free to open an issue on my repo!

nbouchinet-anssi avatar Apr 05 '22 14:04 nbouchinet-anssi

I have another use case, which is unlocking a LUKS partition with: the TPM (required) + 1 out of 3 FIDO2 (can lose up to two keys).

I intended to use shamir secret with https://github.com/latchset/clevis/ , but it does not support FIDO2 tokens.

@nbouchinet-anssi I'll check your branch if I get the time :+1:

VannTen avatar Jun 05 '22 10:06 VannTen

Any news on this in the meantime?

j5k avatar Jun 05 '23 09:06 j5k

Hello @j5k, I stopped my work on the PR for a long time, so this is quite old code, a far cry from the new state of upstream code. The PR is still a work in progress and needs a rebase and a huge refactor, which I will work on soon, I hope.

nbouchinet-anssi avatar Jul 21 '23 13:07 nbouchinet-anssi

That would be very nice! Thank you @nbouchinet-anssi !

j5k avatar Jul 21 '23 13:07 j5k

> I have another use case, which is unlocking a LUKS partition with: the TPM (required) + 1 out of 3 FIDO2 (can lose up to two keys).
>
> I intended to use shamir secret with https://github.com/latchset/clevis/ , but it does not support FIDO2 tokens.
>
> @nbouchinet-anssi I'll check your branch if I get the time 👍

You could do that (assuming a more trivial option to combine only 2 factors is added) by just enrolling the TPM + each of the keys as 3 separate combinations (3 LUKS keyslots).

m00nwtchr avatar May 01 '24 17:05 m00nwtchr

I've just read updates on https://github.com/systemd/systemd/issues/20936. It's been quite some time since I wrote this patch, and now that I have a deeper understanding of TCG specs I join those who claim SSS is bloated for combining TPM and another factor. Before writing this patch I'd also written another POC without SSS that permits combining TPM and any other factor supported by systemd. Like @m00nwtchr said, combining that with multiple keyslot enrollment would result in @VannTen's use case.

I'd be glad to help implement something like this, either using TSS policy combination capabilities or a homemade one.

nbouchinet-anssi avatar May 02 '24 11:05 nbouchinet-anssi