Client Applications

This section contains set up and configuration that is common for all Sharemind MPC client applications (e.g. Rmind, CSV Importer).

Setting Up Packages Repository

Currently, Sharemind MPC packages are only available for Debian Stretch. However, these packages may also be deployed on other APT-based distributions (e.g. Ubuntu) by manually installing some of the requirements.

Sharemind MPC components are available from Cybernetica’s APT repository. To access it, add the repository location to your APT configuration and trust the Sharemind package signing GPG key 0x2DD091F5BD648385. In the following command, replace username and password with personalised values provided by Cybernetica.

wget -qO - https://repo.cyber.ee/sharemind/apt/pubkey.gpg | sudo apt-key add -
echo "deb https://username:password@repo.cyber.ee/sharemind/apt/2019.03 stretch non-free" | sudo tee /etc/apt/sources.list.d/sharemind.list

Next, update the APT cache:

apt-get install apt-transport-https # may be already installed, has to be done only once
apt-get update

If you want to run custom SecreC programs, you’ll need to install the sharemind-runscript package, along with the client-side library for the protection domain you are using (e.g., in most cases libsharemind-mod-shared3p-ctrl).

If you want to develop your own custom Sharemind MPC C++ application, install the libsharemind-controller-dev package. If you are interested in using ready-made applications, look into Rmind and CSV Importer.

Generating Key Pairs

Sharemind MPC uses Transport Layer Security (TLS) technology for secure, mutually authenticated and encrypted communication channels between computation nodes as well as between computation nodes and client applications. Therefore, each Sharemind component requires a personal asymmetric key pair for authentication and encryption.

As Sharemind MPC uses RSA keys in standard X.509 certificate format, already familiar tools like GnuTLS certtool utility or OpenSSL can be used. Both options described below generate a new RSA key pair, where the private key is in file my-private-key and public part in my-public-key.

Option A: Key Generation with GnuTLS

$ certtool --generate-privkey --rsa --outfile my-private-key --outder
$ certtool --generate-self-signed --load-privkey my-private-key \
  --inder --outfile my-public-key --outder
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name.
Just press enter to ignore a field.
Common name: (Required)
UID:
Organizational unit name:
Organization name: (Required)
Locality name: (Required)
State or province name:
Country name (2 chars): (Required)
Enter the subject's domain component (DC):
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 1409962768):


Activation/Expiration time.
The certificate will expire in (days): (At least the duration of the deployment)</b>


Extensions. (The rest can be left with default values)
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N):
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Will the certificate be used for signing (required for TLS)? (Y/n):
Will the certificate be used for encryption (not required for TLS)? (Y/n):
Enter the URI of the CRL distribution point:

Is the above information ok? (y/N) (Press ``y'' here)

Option B: Key Generation with OpenSSL

If your Linux (virtual) machine already has OpenSSL, it is also possible to generate the key pair with that. The -days value should be at least the expected duration of the deployment.

$ openssl req -x509 -days 300 -nodes -newkey rsa:2048 \
-keyout my-private-key -out my-public-key -outform der
Generating a 2048 bit RSA private key
.....................................................................+++
...+++
writing new private key to 'my-private-key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <b>(Required)</b>
State or Province Name (full name) [Some-State]: <b>(Required)</b>
Locality Name (eg, city) []: <b>(Required)</b>
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <b>(Required)</b>
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: <b>(Required)</b>
Email Address []:

This openssl tool generates the private key by default in PEM format. However, for Sharemind MPC, it must be converted to DER format:

$ openssl rsa -in my-private-key -out my-private-key -outform der

Key Exchange

The generated public key is a self-signed X.509 certificate encoded in DER format. This public key should be sent to each Sharemind MPC computation node, so they can grant access to the public key owner. The public key should be sent in a way that allows sender authentication, e.g. by digitally signing it.

Similarly, all Sharemind MPC computation nodes have their own key pairs and share their public key with every other participant in the deployment. All such received public keys must be referenced from the client application configuration file.

Configuration

Sharemind MPC client applications search for their main configuration file from the following locations (in order):

  • Filename given by the --conf command line argument

  • User-specific configuration file in ~/.config/sharemind/client.conf

  • System-wide configuration file in /etc/xdg/sharemind/client.conf (XDG Basedir search path)

  • System-wide configuration file in /etc/sharemind/client.conf

The configuration file is an INI-formatted file, where section names are between square brackets ([Section]) and configuration values are given with key=value pairs. A commented example client application configuration file is available in /usr/share/doc/sharemind/examples/client.conf.example.

At minimum, review (and change) the following values in the example configuration:

  • Section [Controller]:

    • The value of UuidNamespace must be the same for all components in the deployment. Ask this value from your Deployment Manager.

  • Section [Network]:

    • The values of PublicKeyFile and PrivateKeyFile should be the filenames of your client application’s public and private keys, respectively. If you followed the example here, these are my-public-key and my-private-key. File location can be given relative to the current configuration file with %{CurrentFileDirectory}, e.g. %{CurrentFileDirectory}/keys/my-public-key.

  • Sections [Server *] contain information about the Sharemind MPC computation nodes. Each section name must be in the format [Server Name], where Name is the unique name for the given computation node used throughout the deployment. Ask your Deployment Manager for the names of computation nodes and the information to fill out the following values:

    • Address – computation node’s IP address or hostname

    • Port – computation node’s port number

    • PublicIdentity – filename, containing the public key for this computation node. File location can be given relative to the current configuration file with %{CurrentFileDirectory}.

In general, it is not necessary to change any other default values in the configuration file. For a successful deployment it is necessary that the network and security related configuration options are compatible between all components in the Sharemind MPC deployment.