gray Posted July 5, 2017 (edited)

This is going to be one of the problems I try to solve in the wallet app I'm developing... In the meantime, here's a little guide on how to split and make a shared secret of a wallet (private key) using Shamir's Secret Sharing Scheme.

What we will be doing here is creating a set of files that can be re-assembled to recover your private key if you forget it or lose it, if the copy you have is destroyed by a natural disaster, or if you die and you want family or someone else to be able to recover your funds. The way this works is you will make a number of files, N, of which a threshold number, T, of those files must be reassembled in order to recover the original password. If any fewer than that number are reassembled, then you will know nothing about the original file, in our case the private key.

First, you need to have a trusted computer that runs Linux and has ssss installed. The easiest/best way to do this, IMO, is to grab a couple of USB keys and install Tails on one of them. They have an excellent guide on how to install it here: https://tails.boum.org/install/index.en.html

Next, boot into Tails and disable the internet by pulling the ethernet plug or disabling wifi in Tails itself. Then you can introduce the private key that you want to split by either having it copied on another flash drive you plug in or simply typing it in from a piece of paper or similar. Have a rigorously checked-for-typos copy of it in a text file. Then open up a terminal window.

To split the key we will use the command ssss-split. Issue the command as below (the $ is not part of the command; it just represents the beginning of the terminal prompt), replacing the number after -t with how many shares you want to require in order to re-assemble the password, and the number after -n with how many shares to generate total:

$ ssss-split -t 6 -n 10

This will create 10 shares, with 6 required to reassemble the secret.
You will then be prompted to Enter the secret, at most 128 ASCII characters: at which point you will want to paste in or type in the private key you want to encrypt. It will give you an output that looks something like this:

01-4b9a7ffdb35b1029ccca991e367e37a9de0bac675ac90b04321879318b8446ec9796ac301e4b6c30512b8d337b56a7589089fa160256339868f4eeb3ddefcc29fc41
02-fe5bfdec37dba02ee0d3740d615f36bb6c3789f03fd20ba2b513f828ee1a34b5504ecb7499bab9d62dfb537989b9aec4572c8f1d4c0531b5b0c9bdcb02bb
03-f6e63b213b729471e41b42317603072d2ba093af510314aa759ac0f5f43630216b2d6381b3a3ba3854b414fe61c69f812728edd15b996b978031308468270951fce9
04-0fc4139f04eea838a39d54b6b9ad07296980cb76ca48c0dc1cc9c5401647171ae8a7b770097eceb1385a7acd4d95dc5eda40a9bf3789092be69282ac4f6f3df64601
05-d10464bd05da3dd37bf035c7305bf24e467dba6e022b58d8655fd0c8961c09f037dfc848321cf7015ffb5b43dcd63043f06f22186bc3e7806b96261c65ab2062d8bf
06-e7adf8a93cc974a3aeecc19c1b1ac8a70196017cfa017a6104026325abc881c0eb2b2db4d0f18b7f1c20a169d70b3bbcf16b8a2f7348759951e8d68805d8090bffcc
07-1c94cd5ab39ae4709f14ed6960b3f7e35a1310cb232e01bda9e8dac30c0eb5d2e55377c32c152507a4e46f425682ad220edb20d31a54ef660b9b811a8b8560c8db04
08-b1abe846c9af1bf9e781efdf88129007992772807a797637af2e0634aa55e0b28276542c9514c1fff2a9ef00d495dd673cacd7da578c39d3f3d1f332a69bbf262bd4
09-63088deb5acd7995fc2ddbc3868a3dd71153b5d63ac40eb131f17299ed3dd3416ffe0ec2cc1fd4a907eb88c36aff1f513b14d099cfa8a5b54b66cba5efb96ca2ced2
10-f92b3ba59f811549878d8a1a7ff89770cc0053d394d99c2a8b60b0d33b21d07f281b3a05aa673c9975ad7b82d52358c2b62d6236e47bd30ec9accac79d4f64183414

Each of these, including the number at the beginning, is a share. To save them, you may simply store them in text files (that should be closely safeguarded and not touch the internet), write them down (write each down at least 3 times), or print them out.
One way to make these files is by doing this for each share, copy/pasting the text of each share and incrementing the share number each time:

$ echo 01-4b9a7ffdb35b1029ccca991e367e37a9de0bac675ac90b04321879318b8446ec9796ac301e4b6c30512b8d337b56a7589089fa160256339868f4eeb3ddefcc29fc41 > share1.txt

You should then verify that the text contained in these files is correct. At this point, you should print each one out and store them in secure locations scattered around a large geographical area so that the likelihood that enough will be destroyed or lost at one time so that the threshold cannot be met is low. Distribute them to trusted people or family members, lawyers, bank vaults, etc. If you aren't yet ready to do so, you can save these files to a flash drive and distribute them later, but be VERY CAREFUL that they are never connected to a computer that is exposed to the internet, or a computer that you believe might be compromised.

In order to reassemble the shares, issue the following command, replacing the number after -t with the number of required shares just as you did in the split process:

$ ssss-combine -t 6

It will then prompt you to enter the shares like so.
The order does not matter:

Enter 6 shares separated by newlines:
Share [1/6]: 10-f92b3ba59f811549878d8a1a7ff89770cc0053d394d99c2a8b60b0d33b21d07f281b3a05aa673c9975ad7b82d52358c2b62d6236e47bd30ec9accac79d4f64183414
Share [2/6]: 06-e7adf8a93cc974a3aeecc19c1b1ac8a70196017cfa017a6104026325abc881c0eb2b2db4d0f18b7f1c20a169d70b3bbcf16b8a2f7348759951e8d68805d8090bffcc
Share [3/6]: 05-d10464bd05da3dd37bf035c7305bf24e467dba6e022b58d8655fd0c8961c09f037dfc848321cf7015ffb5b43dcd63043f06f22186bc3e7806b96261c65ab2062d8bf
Share [4/6]: 08-b1abe846c9af1bf9e781efdf88129007992772807a797637af2e0634aa55e0b28276542c9514c1fff2a9ef00d495dd673cacd7da578c39d3f3d1f332a69bbf262bd4
Share [5/6]: 01-4b9a7ffdb35b1029ccca991e367e37a9de0bac675ac90b04321879318b8446ec9796ac301e4b6c30512b8d337b56a7589089fa160256339868f4eeb3ddefcc29fc41
Share [6/6]: 04-0fc4139f04eea838a39d54b6b9ad07296980cb76ca48c0dc1cc9c5401647171ae8a7b770097eceb1385a7acd4d95dc5eda40a9bf3789092be69282ac4f6f3df64601
Resulting secret: safari-create-pummel-theater-thermal-jolliness-charbroil-cathedral

You can try out how this process works at the ssss demo page here: http://point-at-infinity.org/ssss/demo.html but please do not use actual sensitive information on the web version. Just use it to make sure you understand how it works before doing it for real.

Edited July 5, 2017 by gray: misspelled scheme
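To show what ssss-split and ssss-combine are doing underneath, here is an added example that is not part of the original post and not ssss's own code: a from-scratch Shamir split and combine in Python over GF(2^8), using one random polynomial per secret byte. The index-hex text form mirrors the shape of the ssss output above but is not byte-compatible with ssss shares, the sample secret is constructed, and the random coefficients come from Python's secrets module.

```python
"""Shamir secret sharing over GF(2^8), one polynomial per secret byte (added example)."""
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements with the AES reduction polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (nonzero elements form a group of order 255)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def split_secret(secret: bytes, t: int, n: int) -> list[tuple[int, bytes]]:
    """Return n shares as (index, data); any t of them reconstruct the secret."""
    if not 1 <= t <= n <= 255:
        raise ValueError("need 1 <= t <= n <= 255")
    shares = [bytearray() for _ in range(n)]
    for byte in secret:
        # Degree t-1 polynomial with the secret byte as constant term; the other
        # t-1 coefficients are fresh random field elements for every byte.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(t - 1)]
        for i in range(n):
            x = i + 1  # the share index is the evaluation point and is never 0
            y = 0
            for c in reversed(coeffs):  # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            shares[i].append(y)
    return [(i + 1, bytes(s)) for i, s in enumerate(shares)]


def combine_shares(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange-interpolate every byte position at x = 0 to recover the constant term.

    With fewer than t shares this returns random-looking bytes and no error:
    t-1 shares are consistent with every possible secret, so nothing in them
    can tell you whether the threshold was met.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    length = len(shares[0][1])
    if any(len(d) != length for _, d in shares):
        raise ValueError("shares have different lengths")
    out = bytearray()
    for k in range(length):
        acc = 0
        for i, (xi, yi) in enumerate(shares):
            # Basis value L_i(0) = prod_{j != i} x_j / (x_i - x_j); in characteristic 2
            # negation is the identity and subtraction is XOR.
            num, den = 1, 1
            for j, (xj, _) in enumerate(shares):
                if j != i:
                    num = gf_mul(num, xj)
                    den = gf_mul(den, xi ^ xj)
            acc ^= gf_mul(yi[k], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def format_share(index: int, data: bytes) -> str:
    """index-hex text form in the spirit of the ssss output (not compatible with it)."""
    return f"{index:02d}-{data.hex()}"


def parse_share(text: str) -> tuple[int, bytes]:
    index, hexdata = text.strip().split("-", 1)
    return int(index), bytes.fromhex(hexdata)


if __name__ == "__main__":
    secret = b"safari-create-pummel-theater-thermal"  # constructed sample secret
    shares = split_secret(secret, t=3, n=5)
    for idx, data in shares:
        print(format_share(idx, data))
    picked = [parse_share(format_share(i, d)) for i, d in (shares[4], shares[1], shares[2])]
    print(combine_shares(picked) == secret)       # any 3 of the 5 suffice, in any order
    print(combine_shares(shares[:2]) == secret)   # 2 shares give garbage, silently
```

Two practical points fall out of the code: the index in front of each share is the polynomial's evaluation point, so a share whose number has been lost or mis-copied is useless, and a combine run with too few or wrong shares succeeds silently with a wrong result, so checking the recovered key against a known public key or address is the only way to know the set was right.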
T8493 Posted July 5, 2017

You can just use multi-sign, which is natively supported on RCL. You don't need any third-party tools for this. Shamir's secret sharing scheme is also pretty nonstandard and there is a chance that you won't be able to use these keys after a longer period of time (e.g. because these tools won't be supported anymore or because they change the serialization format).
gray Posted July 5, 2017 Author

I agree that multi-sig is certainly an alternative and could be superior depending on your needs. However, it has the drawback of being much more difficult to configure and more difficult to trigger for parties that may try to multi-sign on your behalf in the future. I wouldn't be concerned with not being able to use these keys after a long period of time. Yes, they could update, but for a tool like this that is open source, has been around since 2006, and is included in several GNU/Linux distros and package managers, it will always be possible to get a copy, and, if it updates to where you can't use it (I would say this is quite unlikely, as backwards compatibility at least for reassembling would seem like a high priority), you can always get an older version from one of the many backup repos that have copies.
Trisky Posted July 5, 2017

@gray Thanks for posting. Older systems can't run the software it seems (comps appr. before 2008 | x32 systems). Good to mention I guess. Wasn't aware of this software (Tails, was living under a rock or something) and I am impressed with it for its security features. Do you recommend using LUKS for encrypting my USB drive (with crypto's)? I don't like the Nano's and so on and am looking for an alternative. There is wipe software integrated. Why is this? What digital residue needs to be wiped (maybe you know)? As far as I understand it, it's just an operating system on a stick with no intention of installing it onto a computer?!
segra Posted July 5, 2017

The built-in multi-sign is slightly more configurable than this:

Assign a total required weight (Quorum) for your account
Assign a weight to each key added to your signer list

So you could set it up as

Required Weight: 3
Key1: Weight 3
Key2: Weight 1
Key3: Weight 1
Key4: Weight 1

where you retain Key1, and give Key 2, 3, and 4 to 3 different lawyers. Now unless they collude, you will be able to use your key to sign, and someone will be able to get the 3 keys after your demise to sign a transaction.
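The weighted signer list described above, written out as an added example that is not part of the thread and not ledger code: the transaction body uses the field names of the rippled SignerListSet transaction (SignerQuorum, SignerEntries, SignerEntry, Account, SignerWeight) and leaves out submission fields such as Fee and Sequence; the addresses are constructed placeholders, and meets_quorum and minimal_signing_sets are helper names invented here that apply the rule the post describes, summed weights of the signers must reach the quorum.

```python
"""Weighted multi-signing: a quorum plus per-key weights (added example)."""
from itertools import combinations

# Constructed placeholder addresses, not real ledger accounts.
ACCOUNT = "rAccountPlaceholder000000000000000"
KEY1 = "rKey1Retained00000000000000000000"     # kept by the owner
KEY2 = "rKey2LawyerA000000000000000000000"
KEY3 = "rKey3LawyerB000000000000000000000"
KEY4 = "rKey4LawyerC000000000000000000000"


def signer_list_set(account: str, quorum: int, weights: dict[str, int]) -> dict:
    """Build a SignerListSet transaction body; the thread quotes the 1..8 member limit."""
    if not 1 <= len(weights) <= 8:
        raise ValueError("a SignerList must have between 1 and 8 members")
    if quorum < 1 or any(w < 1 for w in weights.values()):
        raise ValueError("quorum and every weight must be positive")
    if quorum > sum(weights.values()):
        raise ValueError("quorum can never be reached by the listed signers")
    return {
        "TransactionType": "SignerListSet",
        "Account": account,
        "SignerQuorum": quorum,
        "SignerEntries": [
            {"SignerEntry": {"Account": addr, "SignerWeight": w}}
            for addr, w in weights.items()
        ],
    }


def weights_of(tx: dict) -> dict[str, int]:
    return {e["SignerEntry"]["Account"]: e["SignerEntry"]["SignerWeight"]
            for e in tx["SignerEntries"]}


def meets_quorum(tx: dict, signers) -> bool:
    """True when the distinct signers' summed weights reach SignerQuorum."""
    w = weights_of(tx)
    signers = set(signers)
    unknown = signers - w.keys()
    if unknown:
        raise ValueError(f"not on the signer list: {sorted(unknown)}")
    return sum(w[s] for s in signers) >= tx["SignerQuorum"]


def minimal_signing_sets(tx: dict) -> list[frozenset]:
    """Every signer subset that meets the quorum and has no smaller qualifying subset."""
    w = weights_of(tx)
    qualifying = [frozenset(c) for r in range(1, len(w) + 1)
                  for c in combinations(w, r) if meets_quorum(tx, c)]
    minimal = [s for s in qualifying if not any(o < s for o in qualifying)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


if __name__ == "__main__":
    tx = signer_list_set(ACCOUNT, 3, {KEY1: 3, KEY2: 1, KEY3: 1, KEY4: 1})
    print(meets_quorum(tx, [KEY1]))               # owner alone can sign
    print(meets_quorum(tx, [KEY2, KEY3, KEY4]))   # the three lawyers together can sign
    print(meets_quorum(tx, [KEY2, KEY3]))         # two lawyers cannot
    for s in minimal_signing_sets(tx):
        print(sorted(s))
```

minimal_signing_sets is the check worth running before submitting any signer list: it enumerates exactly who can move the funds, so a weight typo that lets two lawyers sign alone shows up as an extra two-element set rather than being discovered later.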
gray Posted July 5, 2017 Author

16 minutes ago, Ripplezzzz said:
@gray Thanks for posting. Older systems can't run the software it seems (comps appr. before 2008 | x32 systems). Good to mention I guess.

Yes, it also doesn't work on ARM chips, so no Raspberry Pi etc.

16 minutes ago, Ripplezzzz said:
Wasn't aware of this software (Tails, was living under a rock or something) and I am impressed with it for its security features. Do you recommend using LUKS for encrypting my USB drive (with crypto's)? I don't like the Nano's and so on and am looking for an alternative.

Yes, I would recommend using LUKS to encrypt your drive. Make sure you're using a good password, though. I would also advise against storing them unencrypted even in a LUKS-encrypted drive, personally.

16 minutes ago, Ripplezzzz said:
There is wipe software integrated. Why is this? What digital residue needs to be wiped (maybe you know)?

Basically, Tails is meant to be what's called fully "amnesiac." This means that it never modifies its own state or its host computer's state permanently. That means that it will never use the host computer's hard drive, even any swap space, and it also means that it automatically resets itself to its original state when it shuts down. However, when you "delete" something on a computer, it doesn't actually "delete" the data that was stored there; it simply tells the OS/kernel that that piece of storage is available to be overwritten with whatever other data might want to be stored there. Therefore, if you just "delete" something, you're still leaving possibly a full copy, or at least traces, of whatever was there on whatever storage device is used. This could be bad for a number of reasons. Tails is built as an OS specifically to protect anonymity and privacy, and some people that use it use it for illegal or very sensitive things that they don't want to be discovered.

Therefore, to actually get rid of evidence of what was there, you use a piece of software that overwrites the area that was "deleted" with random data so that it can't be recovered. For storing cryptos, the main benefit of this is that if you download and verify the signature of Tails and then install it onto a hard drive, you can be reasonably certain that that hard drive will be cleaned of malware every time you restart it.

16 minutes ago, Ripplezzzz said:
As far as I understand it, it's just an operating system on a stick with no intention of installing it onto a computer?!

Yep, pretty much. Because of the above-mentioned amnesiac nature of Tails, if you want to actually store anything you do while using it, you need to have another storage medium (another flash drive, say) to save it onto, since any data saved on the Tails volume will be permanently wiped.

16 minutes ago, Ripplezzzz said:
I don't like the Nano's and so on and am looking for an alternative.

I agree. So far I think that using deterministic wallets may be the best option. An idea I'm working on is to use BIP032 to make a wallet software that will be seeded from one key deterministically for as many wallets as you want with any supported cryptocurrency. We'll see how that goes. Until then, or if you want to use traditional storage of secret/private keys, I think one of the best options would be to buy a laptop that is supported well by Qubes OS to use as your "crypto laptop" and install Qubes OS on it. Then, store encrypted private keys on LUKS-encrypted USB keys. Qubes will allow you to sandbox things in VMs so that you can ensure that your cold private keys (or anything else on the USB keys, like malware that could have somehow managed to make it onto them) will never, ever see internet access, and makes tasks that are usually a PITA, like offline transaction signing, much, much easier. However, installing and using Qubes is a bit of a challenge, especially if you're not super tech savvy. Using Tails as a replacement wouldn't be a bad alternative.
gray Posted July 5, 2017 Author

6 minutes ago, segra said: snip

You can do this with SSSS as well. Required weight = tolerance = 3. Total number of shares made = 6. You keep 3 for yourself and distribute the other 3 to 3 lawyers individually. Same result. Indeed, you could even do something like:

Tolerance = 3
Total number of shares = 8

Keep 5, distribute the 3. Keep 3 of your keys on hand for immediate use. Put extras in bank vaults across the country. Now you're protected from parties losing access to their keys, and you don't have to rely on all 3 lawyers in the case of you losing your 3 shares.
Trisky Posted July 5, 2017

Quote
Yes, I would recommend using LUKS to encrypt your drive. Make sure you're using a good password, though. I would also advise against storing them unencrypted even in a LUKS-encrypted drive, personally.

Better safe than sorry for sure.

Quote
I agree. So far I think that using deterministic wallets may be the best option. An idea I'm working on is to use BIP032 to make a wallet software that will be seeded from one key deterministically for as many wallets as you want with any supported cryptocurrency. We'll see how that goes.

Great stuff. Looking forward to that!

Quote
However, installing and using Qubes is a bit of a challenge, especially if you're not super tech savvy. Using Tails as a replacement wouldn't be a bad alternative.

Great info. Thanks again and good luck with your efforts. If you need any help (testing/graph. design), let me know.
segra Posted July 5, 2017

32 minutes ago, gray said:
You can do this with SSSS as well. Required weight = tolerance = 3. Total number of shares made = 6. You keep 3 for yourself and distribute the other 3 to 3 lawyers individually. Same result. Indeed, you could even do something like: Tolerance = 3, Total number of shares = 8. Keep 5, distribute the 3. Keep 3 of your keys on hand for immediate use. Put extras in bank vaults across the country. Now you're protected from parties losing access to their keys, and you don't have to rely on all 3 lawyers in the case of you losing your 3 shares.

Multisign also supports this configuration, as it supports up to 8 separate keys: "A SignerList must have at least 1 member and no more than 8 members" https://ripple.com/build/transactions/#signerlistset
gray Posted July 5, 2017 Author

5 hours ago, segra said:
Multisign also supports this configuration, as it supports up to 8 separate keys: "A SignerList must have at least 1 member and no more than 8 members" https://ripple.com/build/transactions/#signerlistset

Yep, I did that as a scenario that would work in both. I suppose my point was that they basically have the same amount of configurability. I guess in theory SSSS could be even more configurable, since you can do as many shares as you want past 8, but going past 8 is usually going to be overkill.
franji Posted December 2, 2017

Just a layman's question: assuming the wallet's private key (e.g. 512 bits) is quite random (i.e. the bits are independent), and if you wanted to split it into two or 3 secrets where you need ALL of them to reconstruct (not k/n), wouldn't it be safe enough just to split the bits of the key? E.g. 256*2 to split two ways?