Skip to main content

Shared Key

warning

Do not deploy to the app store

Shared key is not suitable for apps deployed to the public app store, because the key could be reverse-engineered. Shared key is more appropriate for an enterprise application run on centrally managed devices that do not connect to the Internet.

If you need to synchronize data over the Internet with the Big Peer and/or deploy to the app store, use Online With Authentication instead.

Ditto offers an intermediate level of security for applications where all users and devices are trusted. For example, this could be appropriate for an enterprise application run on centrally managed devices. In this mode, every device knows the same secret key, and uses this to validate incoming connections. The benefit of this approach is that distinct certificates do not have to be distributed to every device, simplifying the deployment. However, the downside is that devices will always have access to data. A compromised device can read and re-distribute the key, and there is no method to unauthorize that key in the future.

Small Peers in this mode use a SharedKey identity type. The secret key must be provided as a String when initializing the DittoIdentity on each peer. This key should be securely and randomly generated and Ditto expects it to be in a particular format.

The recommended way to generate a shared key is to download Ditto's open source cross-platform utility ditto-authtool, which provides an easy command to generate new shared keys from a terminal or command prompt:

./ditto-authtool generate-shared-key

or

.\ditto-authtool.exe generate-shared-key

Alternatively, if you have a Linux machine running an up-to-date version of OpenSSL then you can use the following command. At time of writing this will not work on Macs.

openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -outform pem | openssl pkcs8 -topk8 -nocrypt -outform der | base64 -w 0
info

The SharedKey identity requires an offline-only license token, which can be requested by contacting support@ditto.live.

// This is just an example. You should use OpenSSL to generate a unique shared key for every application.let p256DerB64 = "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgFUUrOkOH52QN+Rr6uDSDsk4hUTcD1eW4mT0UnGGptFehRANCAATJ3fG8TVLQcDwUV18BJJI8efK0hQAjzB3VJeYOVbfOlqnfukVId0V25r/abxwjD3HfHuPsCGEiefzzmkMbjPo9"
let identity = DittoIdentity.sharedKey(appID: "app", sharedKey: p256DerB64)let ditto = Ditto(identity: identity, persistenceDirectory: dittoPersistenceDir)do {    try ditto.setOfflineOnlyLicenseToken(validLicense);} catch (let err) {  print(err.localizedDescription)}

How does Shared Key work?

Communication is encrypted using TLS 1.3 and peer identities are verified using certificates. This is the same state-of-the-art technology used in web browsers. It applies to every communication mode from Bluetooth to WiFi.

Each device issues a self-signed TLS certificate using the supplied private key. Peers then only trust peers whose certificates are signed by the same key. In other words, Shared Key uses regular TLS security, except everybody is the CA.

New and Improved Docs

Ditto has a new documentation site at https://docs.ditto.live. This legacy site is preserved for historical reference, but its content is not guaranteed to be up to date or accurate.