Open: shushcli opened this issue 3 years ago
You're using SSS to split an AES key, and then encrypting a message (with AES-GCM) with the key you hope your recipients recover. This has a weakness that won't let me pilfer your Bitcoin private key from your zip file, but it will allow a different attack that might be relevant to your users' threat models.
A little bit of background: AES-GCM is not key- or message-committing.
What an attacker can do with this knowledge is substitute shares that will recover a different AES key, which will decrypt to a different plaintext. This is true because:
There are a few ways you can prevent this:
You can find related research here.
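As an added example (my code, not shush's own and not a change the maintainer has adopted), here is a byte-wise Shamir split over GF(2^8), the construction most SSS libraries use, together with one lightweight way of closing the gap described above: a key-commitment tag that is written next to the AES-GCM ciphertext at encryption time and checked after recombination, so shares that interpolate to any key other than the one the encrypter used are rejected before decryption is attempted. The HMAC-based commitment and its label are assumptions of this example rather than something the thread or shush specifies, and the AES-GCM step is omitted so the block runs on the standard library alone. The demo mirrors the 3-of-5 split the bounty describes.

```python
import hashlib
import hmac
import secrets

# --- Shamir secret sharing over GF(2^8), one polynomial per key byte ---------
# Field arithmetic uses the Rijndael reduction polynomial x^8 + x^4 + x^3 + x + 1.
GF_POLY = 0x11B


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements by shift-and-add (carry-less)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= GF_POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse via a^(2^8 - 2) = a^254."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def split_secret(secret: bytes, threshold: int, count: int) -> list:
    """Split `secret` into `count` (x, bytes) shares; any `threshold` of them recover it."""
    if not 1 < threshold <= count <= 255:
        raise ValueError("need 1 < threshold <= count <= 255")
    shares = [(x, bytearray()) for x in range(1, count + 1)]
    for byte in secret:
        # Random polynomial of degree threshold-1 whose constant term is the key byte.
        coeffs = [byte] + list(secrets.token_bytes(threshold - 1))
        for x, buf in shares:
            acc = 0
            for c in reversed(coeffs):  # Horner evaluation at x
                acc = gf_mul(acc, x) ^ c
            buf.append(acc)
    return [(x, bytes(buf)) for x, buf in shares]


def recover_secret(shares: list) -> bytes:
    """Lagrange-interpolate each byte position at x = 0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    out = bytearray()
    for k in range(len(shares[0][1])):
        acc = 0
        for i, (xi, yi) in enumerate(shares):
            num, den = 1, 1
            for j, xj in enumerate(xs):
                if i != j:
                    num = gf_mul(num, xj)       # (0 - xj) == xj in characteristic 2
                    den = gf_mul(den, xi ^ xj)  # xi - xj == xi XOR xj
            acc ^= gf_mul(yi[k], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


# --- Key commitment stored beside the AES-GCM ciphertext --------------------
# The label is an assumption for this example, not a constant from shush.
COMMIT_LABEL = b"example-key-commitment-v1"


def key_commitment(key: bytes) -> bytes:
    """A 32-byte tag that can only be reproduced by whoever holds `key`.

    Written into the encrypted bundle at encryption time. A recombined key is
    accepted only if it reproduces the tag, so shares that interpolate to a
    different key are rejected before AES-GCM decryption is even attempted.
    """
    return hmac.new(key, COMMIT_LABEL, hashlib.sha256).digest()


def accept_recovered_key(shares: list, stored_commitment: bytes):
    """Return the key if the shares reconstruct the committed key, else None."""
    candidate = recover_secret(shares)
    if hmac.compare_digest(key_commitment(candidate), stored_commitment):
        return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    commitment = key_commitment(key)      # goes into the encrypted bundle
    shares = split_secret(key, 3, 5)      # the 3-of-5 split from the bounty
    assert accept_recovered_key(shares[:3], commitment) == key
    # Constructed tamper: the first byte of one share is altered.
    x, y = shares[2]
    tampered = [shares[0], shares[1], (x, bytes([y[0] ^ 0x01]) + y[1:])]
    assert accept_recovered_key(tampered, commitment) is None
    print("honest shares accepted, substituted share rejected")
```

The tag travels with the ciphertext, not with the shares: it ties that bundle to exactly one key, which is what AES-GCM alone does not do, so a substituted share that reconstructs a different key fails the check instead of silently decrypting to a different plaintext. Anyone who can rewrite the whole bundle is a different threat model and is not what this tag defends against.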
@soatok thank you for this thoughtful comment!
I considered CBC + HMAC when building this originally (and trying to parse discussion threads about AES modes), but didn't have a clear understanding of the trade-offs. If I decide to version this tool, I'll re-issue the bounty.
I've used shush to:
1) generate a key
2) encrypt a tarball containing a bitcoin private key among other things
3) split a 3 of 5 shamir of the key

bounty_files.zip contains 2 of the shards and the encrypted payload containing a private key for this address.
If you successfully break the AES or the shamir shares, then you can transfer ~$200 of BTC to your own wallet.
If you submit an issue explaining how you did it, or better yet how to fix it, I'll double the reward.