Shared Key Authentication

Ditto offers an intermediate level of security for applications where all users and devices are trusted. For example, this could be appropriate for an enterprise application run on centrally managed devices. In this mode, every device knows the same secret key, and uses this to validate incoming connections. The benefit of this approach is that distinct certificates do not have to be distributed to every device, simplifying the deployment. However, the downside is that devices will always have access to data. A compromised device can read and re-distribute the key, and there is no method to unauthorize that key in the future.

Small Peers in this mode use a SharedKey identity type. The secret key must be provided as a string when initializing the DittoIdentity on each peer. This key should be securely and randomly generated and Ditto expects it to be in a particular format.

The recommended way to generate a shared key is to download Ditto's open-source, cross-platform utility ditto-authtool, which provides an easy command to generate new shared keys from a terminal or command prompt:

Alternatively, if you have a Linux machine running an up-to-date version of OpenSSL then you can use the following command. At time of writing this will not work on Macs.

The SharedKey identity requires an offline-only license token, which can be requested by contacting [email protected].

Communication is encrypted using TLS 1.3 and peer identities are verified using certificates. This is the same state-of-the-art technology used in web browsers. It applies to every communication mode from Bluetooth to WiFi.

Each device issues a self-signed TLS certificate using the supplied private key. Peers then only trust peers whose certificates are signed by the same key. In other words, Shared Key uses regular TLS security, except everybody is the CA.