Question:
I'm looking for a completely Open Source alternative to Bittorrent Sync, and it looks like we have almost all the elements there: Sparkleshare would do what it wanted to do, just missing the direct connection to the computer no matter where using a secret. How does this Bittorrent Sync secret work, or how would you implement such a system?
[Edit: I know how to use git, with or without Sparkleshare. The situation is that git needs to know which computer/server to connect to, so it needs a server. Bittorrent Sync doesn't use a server; it only needs a computer running the program to be online. Bittorrent Sync, knowing the secret, looks for all others with the same secret and syncs them. I'm looking for how to make this hotspot identification on the network so I can use Sparkleshare without having a fixed server.]
(I would apply this either as a new protocol in Git, or as a redirection to SSH, the latter with the advantage that it can enter a server etc without having to be reachable directly, using the secret).
(Crosspost for the English SO: https://stackoverflow.com/questions/20594302/how-does-the-bittorrent-sync-secret-work)
Answer:
This is a translation of Jakob's answer on SO in English, from the post cited in the question:
As stated by BitTorrent (see also the users guide), the secret is a randomly generated key of 20 bytes or more. Simply the laws of probability make it virtually impossible to guess. There are four types of secrets:
- (master) secrets for read and write access
- read-only secrets
- secrets to be used only once (can be either full-access or read-only)
- secrets supporting peer-to-peer encryption (encryption) for encrypted read-only access
As far as I understand (and it's recorded in this thread where someone tried to reverse engineer the BitTorrent Sync protocol in July 2013) the last three types of secrets can be derived from the master secret. In particular this includes the key for encrypting files for transmission between peers. That's why peer discovery uses hashes, so the hash can be used to find peers with the same secret without having to make the secret public.
Before reverse engineering BitTorrent Sync, remember that the software is closed source and includes routines to automatically update from bittorrent.com. This implies that the company can change the implementation details (and install arbitrary backdoors as well). No one can guarantee that there isn't a hidden method that sends its master secrets to the NSA unless the source code is analyzed.
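The idea described in the answer above (derived secrets, and discovery by hash rather than by the secret itself) can be sketched as follows. This is an added illustration, not BitTorrent Sync's actual scheme, which is closed source: the HMAC-SHA256 derivation, the labels, the `Rendezvous` class and the addresses are all assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


def new_master_secret(nbytes: int = 20) -> bytes:
    """Random master secret; the answer cites 20 bytes or more."""
    if nbytes < 20:
        raise ValueError("secret must be at least 20 bytes")
    return secrets.token_bytes(nbytes)


def derive(parent: bytes, label: bytes) -> bytes:
    """One-way step: holding the child value does not reveal the parent."""
    return hmac.new(parent, label, hashlib.sha256).digest()


def read_only_secret(master: bytes) -> bytes:
    # Assumed derivation: a master holder can compute it, not the reverse.
    return derive(master, b"read-only")


def discovery_id(read_only: bytes) -> str:
    # Public value announced on the network. It is derived from the
    # read-only secret so full-access and read-only peers share one id.
    return derive(read_only, b"discovery").hex()


class Rendezvous:
    """Stand-in for a tracker or DHT: it sees only ids and addresses."""

    def __init__(self):
        self.table = defaultdict(set)

    def announce(self, disc_id: str, addr: str) -> set:
        known = set(self.table[disc_id])  # peers already announced
        self.table[disc_id].add(addr)
        return known


def demo():
    master = new_master_secret()
    ro = read_only_secret(master)  # what would be shared for read-only access
    net = Rendezvous()
    # Constructed addresses: a full-access peer, a read-only peer, a stranger.
    first = net.announce(discovery_id(read_only_secret(master)), "10.0.0.1:4000")
    second = net.announce(discovery_id(ro), "10.0.0.2:4000")
    stranger = read_only_secret(new_master_secret())
    other = net.announce(discovery_id(stranger), "10.0.0.3:4000")
    return first, second, other
```

Discovery only locates candidates; in a real design the peers would still have to prove knowledge of the secret to each other before exchanging data.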