Mailing List Archive

Split private key in order to share among users
The original PGP used to have this feature around 20 years ago already,
maybe some people remember. In the list archive I found two threads,
both several years old, asking about this feature in GnuPG, but there
were no conclusive answers, only workaround suggestions like to split
the binary or ASCII key file or print the password and share parts of
the passwords, neither of which satisfy the original requirements
covered by the original PGP functionality. Example:

I split a private key file with PGP into these shares:
-- User A gets a piece of key worth 2 shares.
-- User B gets a piece of key worth 2 shares.
-- User C gets a piece of key worth 1 share.
-- User D gets a piece of key worth 1 share.
-- User E gets a piece of key worth 1 share.
-- User F gets a piece of key worth 1 share.

I define that at least 5 shares are necessary to re-assemble a valid
decryption key, i.e. we need for example
-- A + B + one other user
-- C + D + E + either A or B
for decryption.

I.e. neither the 4 minor nor the 2 major users alone can decrypt, we
need at least 3 of 6 users and a majority of shares in order to decrypt.
I remember I used to use this in the past and it worked flawlessly. I
have no idea why this killer feature was omitted when implementing
GnuPG. But maybe I am missing something in the documentation. If anyone
knows how to do this using GnuPG or an alternative open source product,
I would like to hear about it. Please do not suggest inadequate
workarounds like the ones I mentioned above and which previously have
been discussed here yet.

Regards
--
Alexander Kriegisch
https://scrum-master.de

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Split private key in order to share among users
I believe you're talking about an implementation of Shamir's Secret Sharing Scheme. http://point-at-infinity.org/ssss/ should do what you want.

- Chiraag
--
?????? ??????
Pronouns: he/him/his
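
The 2/2/1/1/1/1 weighting with a threshold of 5 from the original post, expressed as Shamir's scheme by handing heavier holders more points of the same polynomial. This is an added Python example, not part of the thread and not the code of ssss or any other tool named here; the field prime, the function names and the sample secret are assumptions chosen for illustration.

```python
import secrets

P = 2**521 - 1  # Mersenne prime; the field holds secrets of up to 65 bytes
WEIGHTS = {"A": 2, "B": 2, "C": 1, "D": 1, "E": 1, "F": 1}  # from the post
THRESHOLD = 5                                                # from the post
SECRET = b"constructed passphrase"  # constructed sample, not a real key

def split(secret, threshold, weights):
    """Return {holder: [(x, y), ...]} with weights[holder] points each."""
    s = int.from_bytes(secret, "big")
    if s >= P or sum(weights.values()) < threshold:
        raise ValueError("secret too large or too few shares for threshold")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares, x = {}, 0
    for holder, weight in weights.items():
        shares[holder] = []
        for _ in range(weight):
            x += 1  # x = 0 would hand out the secret itself, so start at 1
            y = 0
            for c in reversed(coeffs):  # Horner evaluation mod P
                y = (y * x + c) % P
            shares[holder].append((x, y))
    return shares

def combine(points, threshold, length):
    """Lagrange-interpolate f(0) from `threshold` distinct points."""
    points = sorted(set(points))
    if len(points) < threshold:
        # Fewer points are consistent with every possible secret.
        raise ValueError("not enough shares")
    points = points[:threshold]
    s = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * -xj % P
                den = den * (xi - xj) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    return s.to_bytes(length, "big")

def recover(shares, holders):
    """Pool the points of the named holders and try to rebuild the secret."""
    pooled = [pt for h in holders for pt in shares[h]]
    return combine(pooled, THRESHOLD, len(SECRET))

if __name__ == "__main__":
    shares = split(SECRET, THRESHOLD, WEIGHTS)
    print(recover(shares, "ABC"))   # A + B + one other user: 5 shares
    print(recover(shares, "CDEA"))  # C + D + E + A: 5 shares
```

The four minor holders together (C, D, E, F) and the two major holders together (A, B) each pool only 4 points, so `recover` raises `ValueError` for both groups.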
Re: Split private key in order to share among users
> On 20 Dec 2020, at 09:19, Alexander Kriegisch <alexander@kriegisch.name> wrote:
>
> The original PGP used to have this feature around 20 years ago already,
> maybe some people remember. In the list archive I found two threads,
> both several years old, asking about this feature in GnuPG, but there
> were no conclusive answers, only workaround suggestions like to split
> the binary or ASCII key file or print the password and share parts of
> the passwords, neither of which satisfy the original requirements
> covered by the original PGP functionality. Example:
>
> I split a private key file with PGP into these shares:
> -- User A gets a piece of key worth 2 shares.
> -- User B gets a piece of key worth 2 shares.
> -- User C gets a piece of key worth 1 share.
> -- User D gets a piece of key worth 1 share.
> -- User E gets a piece of key worth 1 share.
> -- User F gets a piece of key worth 1 share.
>
> I define that at least 5 shares are necessary to re-assemble a valid
> decryption key, i.e. we need for example
> -- A + B + one other user
> -- C + D + E + either A or B
> for decryption.
>

You’re referring to Shamir’s secret sharing scheme, for which several implementations exist. If you are using Linux, it should be as simple as installing the “ssss” package.

A
Re: Split private key in order to share among users
Thanks for the hint. Without searching the Web just yet in between two calls, do you happen to know of any option for Windows users?

Regards
--
Alexander Kriegisch

-------- Original message --------
From: Andrew Gallagher <andrewg@andrewg.com>
Date: 20.12.20 17:11 (GMT+07:00)
To: Alexander Kriegisch <alexander@kriegisch.name>
Cc: gnupg-users@gnupg.org
Subject: Re: Split private key in order to share among users

> On 20 Dec 2020, at 09:19, Alexander Kriegisch <alexander@kriegisch.name> wrote:
>
> The original PGP used to have this feature around 20 years ago already,
> maybe some people remember. In the list archive I found two threads,
> both several years old, asking about this feature in GnuPG, but there
> were no conclusive answers, only workaround suggestions like to split
> the binary or ASCII key file or print the password and share parts of
> the passwords, neither of which satisfy the original requirements
> covered by the original PGP functionality. Example:
>
> I split a private key file with PGP into these shares:
> -- User A gets a piece of key worth 2 shares.
> -- User B gets a piece of key worth 2 shares.
> -- User C gets a piece of key worth 1 share.
> -- User D gets a piece of key worth 1 share.
> -- User E gets a piece of key worth 1 share.
> -- User F gets a piece of key worth 1 share.
>
> I define that at least 5 shares are necessary to re-assemble a valid
> decryption key, i.e. we need for example
> -- A + B + one other user
> -- C + D + E + either A or B
> for decryption.
>

You’re referring to Shamir’s secret sharing scheme, for which several implementations exist. If you are using Linux, it should be as simple as installing the “ssss” package.

A
Re: Split private key in order to share among users
On Sun, Dec 20, 2020 at 11:32 AM Alexander Kriegisch
<Alexander@kriegisch.name> wrote:
>
> Thanks for the hint. Without searching the Web just yet in between two calls, do you happen to know of any option for Windows users?

An option would be if you would install a modern programming language like
Google's Golang which then would allow you to easily cross-compile apps, say
you need for Windows, one of your friends needs for macOS and another one for
various Linux flavors.

https://golang.org/dl/

https://github.com/search?l=Go&q=shamirs+secret+sharing&type=Repositories

Regards
Stefan

Re: Split private key in order to share among users
On Sun, Dec 20, 2020 at 1:51 PM Stefan Claas
<spam.trap.mailing.lists@gmail.com> wrote:
>
> On Sun, Dec 20, 2020 at 11:32 AM Alexander Kriegisch
> <Alexander@kriegisch.name> wrote:
> >
> > Thanks for the hint. Without searching the Web just yet in between two calls, do you happen to know of any option for Windows users?
>
> An option would be if you would install a modern programming language like
> Google's Golang which then would allow you to easily cross-compile apps, say
> you need for Windows, one of your friends needs for macOS and another one for
> various Linux flavors.
>
> https://golang.org/dl/
>
> https://github.com/search?l=Go&q=shamirs+secret+sharing&type=Repositories

And if you are a Windows 10 user you could additionally install from the
Microsoft Store WSL (Windows Subsystem for Linux) so that you have
a bash shell, same as cmd.exe or Powershell and then could install
also Linux packages or with the Golang option use a script to cross-compile
for all platforms automatically. That way you have the best of all worlds. :-)

Regards
Stefan

Re: Split private key in order to share among users
?????? ?????? wrote on 20.12.2020 16:57 (GMT +07:00):

> I believe you're talking about an implementation of Shamir's Secret
> Sharing Scheme. http://point-at-infinity.org/ssss/ should do what you
> want.

Yes, that is exactly what I was looking for. I did some follow-up
reading. Thanks for the enlightening pointer and greetings to Karnataka
(I guess).

Stefan Claas wrote on 20.12.2020 19:51 (GMT +07:00):

> An option would be if you would install a modern programming language
> like Google's Golang which then would allow you to easily
> cross-compile apps (...)
>
> https://github.com/search?l=Go&q=shamirs+secret+sharing&type=Repositories
>
> And if you are a Windows 10 user you could additionally install from
> the Microsoft Store WSL (Windows Subsystem for Linux) so that you have
> a bash shell, same as cmd.exe or Powershell and then could install
> also Linux packages or with the Golang option use a script to
> cross-compile for all platforms automatically. That way you have the
> best of all worlds. :-)

Thanks for the helpful information. I have WSL installed already and
also know how to compile with MSYS2 or Cygwin. Cross-compilation I know
from old times when I was using it in my Freetz project (Fritz!Box DSL
router firmware cross-compilation).

Instead of starting with Go and compiling native applications I took the
easy route and searched GitHub for Java packages. This one works nicely
and has a library as well as a CLI artifact available on Maven Central:

https://github.com/secretsharing/secretsharing

Cheers
--
Alexander Kriegisch
https://scrum-master.de

Re: Split private key in order to share among users
On Mon, Dec 21, 2020 at 1:54 AM Alexander Kriegisch
<alexander@kriegisch.name> wrote:

> Thanks for the helpful information. I have WSL installed already and
> also know how to compile with MSYS2 or Cygwin. Cross-compilation I know
> from old times when I was using it in my Freetz project (Fritz!Box DSL
> router firmware cross-compilation).
>
> Instead of starting with Go and compiling native applications I took the
> easy route and searched GitHub for Java packages. This one works nicely
> and has a library as well as a CLI artifact available on Maven Central:

Cool, glad that you have found a solution.

Regards
Stefan
