Sharemind Application Server

Installation

Sharemind MPC components are available from Cybernetica’s APT repository for Debian 10 (buster), Debian 11 (bullseye), Debian 12 (bookworm), Ubuntu 20.04 (focal) and Ubuntu 22.04 (jammy). To access it, add the repository location to your APT configuration and trust the Sharemind package signing GPG key 0x2DD091F5BD648385. In the following, replace “bookworm” with the version name of your distribution.

wget -qO - https://repo.cyber.ee/sharemind/apt/pubkey.gpg | sudo apt-key add -
echo "deb https://repo.cyber.ee/sharemind/apt/2023.09 bookworm non-free" | sudo tee /etc/apt/sources.list.d/sharemind.list

The APT repository requires authentication. Replace “USER” and “PASSWORD” with personalised values provided by Cybernetica in the /etc/apt/auth.conf.d/sharemind.conf configuration file (you have to create the file):

machine repo.cyber.ee
    login USER
    password PASSWORD

Next, update the APT cache:

sudo apt-get install apt-transport-https # may be already installed, has to be done only once
sudo apt-get update

Sharemind MPC uses a modular design and an installation can consist of different subsets of available packages:

  • sharemind-server – the Sharemind Application Server core that by itself does not provide any secure computation options.

  • libsharemind-mod-algorithms – general algorithms module that works on public data.

  • One of the following packages for the shared3p protection domain:

    • libsharemind-mod-shared3p – the Encrypted Computing Engine, provides optimised implementation of the shared3p protection domain with three computation parties and passive security.

    • libsharemind-mod-shared3pdev – an alternative version of the Encrypted Computing Engine that provides the same functionality (syscalls) as libsharemind-mod-shared3p, but is based on manual implementation of MPC protocols and research prototypes. This module used to define the Sharemind Academic Server, but is deprecated starting from the 2022.03 release.

    • libsharemind-mod-shared3p-emu – the Encrypted Computing Emulator that emulates the MPC protocols and is used for testing and development. Requires a single Application Server instead of three.

  • libsharemind-mod-tabledb-hdf5 – storage backend that uses column-optimised table-based HDF5 engine (embedded storage).

  • libsharemind-mod-keydb – NoSQL storage backend that stores data in a Redis server. Installing redis-server package is also required.

  • scc – The SecreC compiler.

  • secrec-stdlib – SecreC standard library.

Install the suitable subset with apt-get install, e.g., commonly:

sudo apt-get install sharemind-server libsharemind-mod-algorithms \
libsharemind-mod-shared3p libsharemind-mod-tabledb-hdf5 \
scc secrec-stdlib

Key generation and exchange

Sharemind MPC uses Transport Layer Security (TLS) technology for secure, mutually authenticated and encrypted communication channels between computation nodes as well as between computation nodes and client applications. Therefore, each Sharemind component requires a personal asymmetric key pair for authentication and encryption.

For instructions on how to generate a new key pair and distribute it to other parties in the deployment, see Client applications → Generating Key Pairs.

Configuration

Sharemind Application Server searches for its main configuration file from the following locations (in order):

  • Filename given by the --conf command line argument

  • System-wide configuration file in /etc/xdg/sharemind/server.conf (XDG Basedir search path)

  • System-wide configuration file in /etc/sharemind/server.conf

The configuration file is an INI-formatted file, where section names are between square brackets ([Section]) and configuration values are given with key=value pairs. In addition to the common INI syntax there is an @include directive which can be used to load configuration files from another file or a directory, it takes a glob expression as an argument and includes matched files in it’s place. A commented example client application configuration file is available in /usr/share/doc/sharemind/examples/server.conf.

At minimum, review (and change) the following values in the example configuration:

  • Section [Server]:

    • The LicenseFile should point to the cryptographically signed license file (*.p7b) that you have received from Cybernetica.

    • The value of UuidNamespace must be the same for all components in the deployment (servers and client applications alike). Ask this value from your Deployment Manager.

    • Name is a unique name of this computation node in this Sharemind MPC deployment. All other parties (including client applications) in the deployment must also provide this name in their configuration to contact your server, so share this name with other parties via Deployment Manager.

  • The [AccessControl] section refers to the access rules configuration file. Sharemind Application Server uses a three-level access control system specifying which users are allowed to connect to the server, which programs are they allowed to run and what data items are these users and programs allowed to read or write. A commented example of such ruleset file is available at /usr/share/doc/sharemind/examples/server-access-control.conf.

  • Section [Network]:

    • ListenInterfaces lists the network interfaces and ports that the Application Server listens on. There is a single port for listening for both client connections as well as for other Application Servers in the deployment. By default, Sharemind Application Server listens on all network interfaces on port 30000.

    • The values of PublicKeyFile and PrivateKeyFile should be the filenames of your public and private keys, respectively. If you followed the example here, these are my-public-key and my-private-key. File location can be given relative to the current configuration file with %{CurrentFileDirectory}, e.g. %{CurrentFileDirectory}/keys/my-public-key.

  • The [Module *] sections are used to load modules and reference their configuration files. Refer to module-specific configuration options below.

  • The [ProtectionDomain] are used to enable various protection domains and need the corresponding module to be loaded. For example, the pd_shared3p protection domain need the mod_shared3p (or the mod_shared3p_dev, or the mod_shared3p_emu) module.

  • The [Server *] sections contain information about the other Sharemind MPC computation nodes. Each section name must be in the format [Server Name], where Name is the unique name for the given computation node used throughout the deployment. Ask your Deployment Manager for the names of computation nodes and the information to fill out the following values:

    • Address – computation node’s IP address or hostname

    • Port – computation node’s port number

    • PublicIdentity – filename, containing the public key for this computation node. File location can be given relative to the current configuration file with %{CurrentFileDirectory}.

In general, it is not necessary to change any other default values in the configuration file. For a successful deployment it is necessary that the network and security related configuration options are compatible between all components in the Sharemind MPC deployment.

The pd_shared3p protection domain

The pd_shared3p protection domain provided by either the mod_shared3p, the mod_shared3p_dev or the mod_shared3p_emu module uses a separate configuration file. The first two differ only in shared library (*.so) file name and use an identical configuration file, shown here next. For the mod_shared3p_emu, continue with the next sub-section.

  • The [ProtectionDomain] section includes configuration options that relate to networking and performance. The *FragmentSize options allow you to specify the optimal batch sizes for your network configuration.

  • The [Node*] sections map Sharemind Application Servers to computation nodes.

    • The IsComputingNode allows you to put one or more Application Servers in proxy mode for shared3p computations if you have more than three servers in the deployment.

Note that the pd_shared3p configuration has to be identical for all Application Servers.

For reference, here is an example of the pd_shared3p configuration file:

[ProtectionDomain]
MulVecFragmentSize = 100000
EqVecFragmentSize = 100000

[Node1]
ServerName=TestServer1

; Indicates the mode of a protection domain node.
; Options are:
; true - (default) the node performs computations in the protection domain.
; false - the node acts as a proxy that only performs declassification operations, skipping other operations in that protection domain.
IsComputingNode = true

[Node2]
ServerName=TestServer2

[Node3]
ServerName=TestServer3

The emulated pd_shared3p protection domain

The emulated version of the shared3p protection domain implementation does not need server-specific configuration as it uses a single server node. Instead, it uses the configuration file to load protocol performance models in order to give real-life runtime estimated for the emulated SecerC programs. You can obtain an example configuration together with these models from Sharemind SDK Github respository here. Download both files and reference shared3p_emu.cfg from the Application Server configuration. Change shared3p_emu.cfg to either use full file path to shared3p_emu-models.cfg or use the %{CurrentFileDirectory} construction.

Encrypted storage (Embedded HDF5)

The table storage back end for Sharemind MPC consists of two layers. First, there is the abstract tabledb level that provides the SecreC language interface (the tdb* functions). This is provided by the mod_tabledb module. The second layer provides implementation using a specific storage back end, e.g. mod_tabledb-hdf5 uses HDF5 embedded database for storage.

Consequently, the tabledb configuration is also in two levels. The mod_tabledb configuration, referenced from the Sharemind Application Server main configuration file, loads the storage back end submodule and provides its configuration (with reference to another configuration file). Look at the example below:

[DBModule1]
File = libsharemind_mod_tabledb_hdf5.so

[DataSource1]
Name = DS1
DBModule = tabledb_hdf5
Configuration = %{CurrentFileDirectory}/tabledb_hdf5-DS1.cfg

The tabledb module separates data tables into data stores (analogue of a database). The example above creates a single data store “DS1” and refers to data store specific configuration file that in turn sets the filesystem path for the data:

DatabasePath = /var/lib/sharemind/DS1

Access control

In Sharemind MPC, each Application Server is independent in validating the user query against its access control list (ACL). This access control is implemented in three levels:

  1. Is the current user allowed to connect to this Sharemind Application Server at all?

  2. Which deployed SecreC programs is the (now already authenticated) user allowed to run?

  3. Which data stores and data tables is the authenticated user allowed to read or write and with which SecreC programs?

data usage policy
Figure 1. In Sharemind MPC, each Application Server is independent in validating the user query against its access control list (ACL) and the data usage policy.

These access rules can be configured by the access policy files that by default loaded from /etc/sharemind/policies.d/*.conf. Below is an excerpt from a commented example policy file that is also available in /usr/share/doc/sharemind/examples/server-access-control.conf after installing the sharemind-server package. This example file grants all tabledb storage module access to the specified user (DebugUser) and is therefore a good starting point for test deployment.

;
; Access policy files consist of user definitions and access rules.
;

;
; Each user is specified in a separate User section, with the user name or
; alias specified in the section name, i.e. "[User username]", where "username"
; is the user name.
;
; The TlsPublicKey field specifies the filesystem path for the public key used
; to authenticate the user.
;

[User DebugUser]
TlsPublicKeyFile = %{CurrentFileDirectory}/client-public-key


;
; Access rules are grouped under access policy rulesets which act as namespaces.
; The name of the ruleset is specified in the Ruleset section name.
;
; Each rule is a pair in the form of "object=spec", where object is the entity
; which represents the resource to which access is controlled, and "spec" is an
; access specification representing a set of subjects (i.e. users) separated by
; whitespace and commas to whom the access specification either explicitly
; grants or denies access:
;
;   * Subjects in the access specification prefixed with an exclamation mark
;     ('!') are explicitly DENIED access.
;   * Subjects in the access specification not prefixed with an exclamation mark
;     ('!') are explicitly ALLOWED access.
;   * For subjects not listed in the access specification, access in this
;     distinct rule is left UNSPECIFIED (see below for handling of UNSPECIFIED).
;
; Subjects in the access specification are separated by whitespace and commas,
; the latter of which are actually also considered to be whitespace, e.g
; ",,user1,,,!user2," is a valid access specification, with access ALLOWED for
; user1 and DENIED for user2. Note however, that subjects may not contain
; exclamation marks, and no whitespace is allowed between an exclamation mark
; and the subject.
;
; Components enforcing the access control for an object may check multiple rules
; if needed. If any of the rules checked explicitly DENY access for the subject,
; access is denied. Otherwise, if any of the rules checked explicitly ALLOW
; access for the subject, access is allowed. Otherwise, i.e. if access is not
; explicitly specified (i.e. the subject is UNSPECIFIED in all rules), access is
; denied.
;
; For one such example, in the sharemind:server ruleset, when a subject attempts
; to execute a program "test.sb", two rules are checked: "execute:*" and
; "execute:test.sb", and access is allowed only if the subject is allowed in
; at least one, and not denied in either of those rules.
;

[Ruleset sharemind:server]

; The syntax is
;     execute:<program>
; where <program> is a SecreC bytecode filename or a wildcard (*) for matching
; any program.

; Example: allow running all SecreC programs except `denied.sb` for DebugUser:
execute:* = DebugUser
execute:denied.sb = !DebugUser

[Ruleset sharemind:tabledb]

; The mod_tabledb system calls check authorization on one or two levels. The
; first of these levels is the datastore level is used by all system
; calls. Its object format is
;     <datastore>:<program>
; where <datastore> is the identifier of the data store being accessed or a
; wildcard (*) for matching any datastore, and <program> is the SecreC bytecode
; filename or a wildcard (*) for matching any program.

; Example: allow all datastore level operations on all datastores for DebugUser:
*:* = DebugUser

; The mod_tabledb system calls which require authorization checks of two levels,
; the second level is the table and operation level with the object format
;     <datastore>:<table>:<operation>:<program>
; where <datastore> and <program> used just as on the first level, <table> is
; the name of the table accessed by the system call or a wildcard (*) for
; matching any table, and <operation> is either read or write for read and
; write access respectively, or a wildcard (*) matching both read and write
; access.

; Example: allow everything for DebugUser:
*:*:*:* = DebugUser

; Example: read-write permission for `table` in `DS1`:
;DS1:table:*:program1.sb = DebugUser

; Example: revoke write access to `table` in `DS1` in all SecreC programs:
;DS1:table:write:* = !DebugUser


[Ruleset sharemind:keydb]

; The syntax for mod_keydb object names is
;     <pattern>:scan:<program>
;     <key_name>:read:<program>
;     <key_name>:write:<program>
; where each <pattern>, <key_name> and <program> can also be a wildcard ('*').

; Access to individual keys must be given explicitly:
;org_management_salary_john:read:financials.sb = DebugUser

; Scan access can use patterns, but it has to be exactly the same as passed to
; the syscall:
;org_sales_*:scan:financials.sb = DebugUser

; Example: allow all operations on all keys:
;*:scan:* = DebugUser
;*:read:* = DebugUser
;*:write:* = DebugUser

Usage

To start Sharemind Application Server on the background, use the systemd unit file:

sudo systemctl start sharemind-server

If needed, you can also start Sharemind Application Server binary directly with sharemind-server. By default, logs will be stored written into /var/log/sharemind/appserv.log.