        -------------------------------------------------------------
        Transparent Cryptographic File System (TCFS) for NetBSD
        Author:		Giuseppe Persiano [giuper@dia.unisa.it]
			Giuseppe Cattaneo [cattaneo@dia.unisa.it]
			Luigi Catuogno	  [luicat@tcfs.dia.unisa.it]
			Aniello Del Sorbo [anidel@tcfs.dia.unisa.it]
				

        references:     http://tcfs.dia.unisa.it
                        tcfs-bsd@tcfs.unisa.it
        -------------------------------------------------------------


        GROUP SHARING OF FILES WITH TCFS
	--------------------------------

	TCFS supports threshold sharing of files among users. In threshold
	sharing, a minimum number of members (the threshold) must be
	``active'' for the files owned by the group to become available.
	TCFS enforces threshold sharing by generating an encryption key for
	each group and giving each member of the group a share using a
	Threshold Secret Sharing Scheme (see [1]). The group encryption
	key can be reconstructed from any set of at least threshold shares.

	A member of the group that intends to become active does so by 
	pushing his/her share of the group key into the kernel. TCFS checks if 
	the number of shares available is above the threshold and, if it 
	is so, it attempts to reconstruct the group encryption key. 
	By the properties of the Threshold Secret Sharing Scheme, it is 
	guaranteed that, if enough shares are available, the group 
	encryption key is correctly reconstructed.

	Once the group encryption key has been reconstructed, the files 
	owned by the group become accessible. 
	Each time a member decides to become inactive, his share of the 
	group encryption key is removed. TCFS checks if the
	number of shares available has gone under the threshold. 
	In this case, the group encryption key is removed from TCFS 
	and files owned by the group become inaccessible.
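
	The mechanism described above, as an added example (not TCFS code):
	Shamir's scheme [1] plus a model of the share pool that holds the
	group key only while enough members are active. The field prime,
	the GroupKeySlot class and its method names are assumptions made
	for illustration.

```python
import secrets

# Assumption: arithmetic in the field of the Mersenne prime 2^127 - 1.
# The field and key size TCFS really uses are not stated on this page.
PRIME = 2**127 - 1

def split(secret, members, threshold):
    """Shamir split: random polynomial of degree threshold-1 with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    def f(x):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        return y
    return [(x, f(x)) for x in range(1, members + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) shares."""
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

class GroupKeySlot:
    """Hypothetical model of the per-group state the text describes."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.shares = {}    # member name -> (x, y) share
        self.key = None     # group key, held only while enough members are active

    def _update(self):
        if len(self.shares) >= self.threshold:
            self.key = reconstruct(list(self.shares.values()))
        else:
            self.key = None                 # below threshold: drop the key

    def put_share(self, member, share):     # member becomes active
        self.shares[member] = share
        self._update()

    def rm_share(self, member):             # member becomes inactive
        self.shares.pop(member, None)
        self._update()
```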

	The current TCFS implementation of the group sharing facility 
	requires each member to trust the kernel of the machine that 
	reconstructs the key to actually remove the key once the number 
	of active users goes below the threshold. 
	Future implementations will remove this requirement by performing
	the reconstruction of the key in a distributed manner.

	Setting up a TCFS group requires the following steps to be executed:

	1. The superuser creates a normal unix group; editing /etc/group 
	   should be sufficient.

	2. The superuser creates a TCFS group executing the command:

           tcfsaddgroup -g group -m <number of members> -t <threshold>

	   This utility asks for the usernames of the members of the TCFS group.
	   For each member a share is created, encrypted with the user's
	   password, and saved in the TCFS group key database.

	3. Create a directory on a TCFS filesystem owned by the group. Usual
     	   permission restrictions apply to the files in the directory. 
	   For example, the directory should be writeable if users are to 
	   create files.

	4. To become active, a member of a TCFS group pushes his share into
	   the kernel. This can be accomplished by executing the command:

                              tcfsputkey -g <group>

	   This utility asks for the user's login password, decrypts the
	   user's share from the TCFS group key database, and passes the
	   share to TCFS.
	   The utilities tcfsputkey and tcfsrmkey treat the shares of a
	   group similarly to users' keys.

	5. If a user wants to become inactive, she removes her share of the key
	   from TCFS. This can be accomplished by executing the
	   command:
                              tcfsrmkey -g <group>



  [1] A. Shamir, How to Share a Secret, Comm. ACM, v. 24, n. 11, Nov. 1979.
