add high level threat model initial draft

2024-12-04 16:01:31 -05:00 · 2024-12-04 16:01:31 -05:00 · 1e9d21dcdd
parent e43c65c3e8
commit 1e9d21dcdd
1 changed files with 328 additions and 0 deletions
--- a/quorum-key-management/src/threat-model.md
+++ b/quorum-key-management/src/threat-model.md
@ -64,6 +64,334 @@ Some additional assumptions are made to help contextualize the threat model:

 * Side-channel attacks are viable and likely

+## Threat Model Levels
+
+Different threat model levels allow an organization to start benefiting from the security properties of the QKM system immediately, with a clear path to upgrading over time as resources and time become available.
+
+Each subsequent level assumes all threats and mitigations from the previous level, and introduces more sophisticated attacks and mitigations. As such, the levels should for the most part be adhered to one at a time, to ensure comprehensive defenses for all viable threats enumerated herein. 
+
+### Level 1
+
+#### Threat Model
+
+* Adversary is a low skilled individual targeting many custodians. This implies the adversary is not highly focused on compromising a specific custodian, but often relying on more scattered/shotgun strategies.
+
+* Adversary is capable of:
+
+    * Using phishing to steal data from a random set of custodian end users
+
+    * Injecting malware into the system of a random set of custodian end users
+
+#### Requirements
+
+* MUST require hardware anchored login for large withdrawals 
+
+* MUST require hardware anchored signature for large withdrawal requests
+
+* MUST verify withdrawal requests 
+
+Refer to [threshold based policies](TODO) for defining "large withdrawals" and related policies.
+
+#### Reference Design
+
+* Ensure all users withdrawing large sums over a short period of time are using FIDO2 or PGP capable smart cards for logging in and authorizing transactions:
+
+    * Hardware based WebAuthN/Passkey/U2F
+
+        * Android 7.0+, iOS 14+, MacOS 10.15+, Win10 1809+, ChromeOS, Yubikey 5, Nitrokey, Ledger, Trezor
+
+    * Consider software-based WebAuthN/Passkey/U2F as backup 
+
+* Ensure backend systems will only approve large withdrawals if signed by known smart card.
+
+* Ensure all transaction approval keys are stored in a tamper evident append only database.
+
+    * To achieve this storage systems such as AmazonQLDB, git, Datomic etc. can be used
+
+* Ensure all key additions are authenticated with a quorum of existing keys
+
+* Consider allowing quorum of support engineer keys to enroll a new key to handle lost keys
+
+* Use hash of transaction signing request as challenge to be signed by smart-card
+
+* Blockchain signature only issued after verification a given request is signed by authorized user smart-card(s)
+
+## Level 2
+
+### Threat Model
+
+* Adversary is a skilled and resourceful individual targeting one custodian
+
+* Adversary can:
+
+  * Compromise one team member with privileged access
+  
+  * Inject code into any OSS library
+
+  * Exploit any vulnerability within 24h of public knowledge
+
+### Requirements
+
+* All production access:
+
+  * MUST NOT be possible by any single engineer
+
+    * Consider a bastion that can enforce m-of-n access over SSH or similar
+
+  * MUST be via dedicated tamper evident workstation 
+    
+    * Consider: https://github.com/hashbang/book/blob/master/content/docs/security/Production_Engineering.md
+
+  * MUST be anchored to keys in dedicated HSMs held by each administrator
+
+    * Consider GnuPG or PKSC#11 smart cards that support touch-approval for ssh
+
+* Any code in the transaction signing trust supply chain:
+  
+  * MUST build deterministically
+  
+  * MUST have extensive and frequent review
+    
+    * Example: The Linux kernel has well funded distributed review
+  
+  * MUST be signed in version control systems by well known author keys
+
+    * Example: OpenPGP signed git commits
+  
+  * MUST be signed by separate subject matter expert after security review
+    
+    * If third party code: it MUST be hash-pinned at known reviewed versions
+  
+  * MUST be at version with all known related security patches
+  
+  * SHOULD be latest versions if security disclosures lag behind releases otherwise N-2
+    
+    * Example: The Linux kernel
+  
+  * MUST be built and signed by multiple parties with no management overlay
+
+    * Example: One build by IT, another by Infrastructure team managed CI/CD
+  
+  * MUST be signed by well known keys signed by a common CA
+    
+    * Example: PGP Smartcards signed under OpenPGP-CA.
+  
+  * All private keys involved:
+    
+    * MUST NOT ever come in contact with network accessible memory
+  
+  * All execution environments MUST be able to attest what binary they run
+    
+    * Examples:
+      
+      * Custom Secure Boot verifies minimum signatures against CA
+      
+      * Cloud enclave that can remotely attest it uses a multi-signed image
+        
+        * AWS Nitro Enclave, Google Shielded VMs, etc.
+      
+      * App phone stores already anchor to developer held signing keys
+
+### Reference Design
+
+* Extend reference design from Level 1
+  
+* Create offline CA key(s)
+    
+* Consider OpenGPG key generated on airgap using keyfork, backed up, and copies transmitted to a smartcards such as a Yubikey
+  
+* CA key smart cards are stored in dual-access tamper evident locations
+  
+#### User Key Management System 
+
+* Enclave is created which is immutable with no ingress internet access
+
+* Enclave has random ephemeral key
+
+* Remotely attested on boot-up against multi-signed and known deterministically built system image
+  
+  * Possible on many PCR based measured boot solutions like Heads, AWS Nitro Enclaves, or GCP Shielded VMs
+
+* Ephemeral enclave key is signed with offline CA key(s) on verification.
+
+* Enclave has ability to validate append only database of keys
+
+* Enclave will sign new key additions/removals with ephemeral key if:
+  
+  * User has no prior keys
+  
+  * Key was signed with an existing key
+  
+  * Key was signed with 2+ known support engineer keys
+  
+#### Signing Key Generation
+    
+* M-of-N key holder quorum is selected
+  
+  * SHOULD ideally be on different teams
+  
+  * SHOULD ideally live in different geographical zones to mitigate natural disaster, and war risk
+  
+  * SHOULD have their own OpenPGP smart card with pin and keys only they control
+
+* Shard keys generated
+  
+  * SHOULD be an additional OpenPGP smart card separate from holders personal key
+
+  * SHOULD have random pin, encrypted to a backup shard holder 
+  
+  * SHOULD be stored in a neutral location only the primary and backup shard holder can access
+
+* Done in person on air-gapped laptop that has been in dual witnessed custody since procurement
+  
+  * TODO link to tamper chain of custody doc
+
+  * Has hardware anchor that can make all parties confident the OS image it is running is expected (Heads, etc)
+  
+  * Has two hardware sources of entropy
+    
+    * There are devices that can provide an additional source of entropy such as: 
+
+      * Quantis QRNG USB
+
+      * TrueRNG
+
+  * Runs known deterministic and immutable OS image compiled by multiple parties
+
+* Key is generated and stored
+  
+  * Split to m-of-n Shamir's Secret Sharing shards
+    
+    * Each shard is encrypted to dedicated shard OpenPGP smart card
+    
+    * Shard smart card pin is generated randomly
+
+    * Shard smart card pin is encrypted to personal smart cards of primary and backup holders
+
+#### Signing System
+  
+* Uses an enclave which is immutable with no ingress internet access
+
+* Has random ephemeral key
+
+* Remotely attested on boot-up against multi-signed and known deterministically built system image
+
+* Will accept Shamir's Secret Sharing shards encrypted to random ephemeral key
+
+* Will restore signing key to memory when sufficient shards are submitted
+
+* Will only sign transactions if accompanied by signed request by authorized user
+  
+  * Is able to validate signing request via CA key authorized user key management enclave signature
+
+* Will only sign transactions that meet predefined size and rate limits by company policy and insurance levels. 
+
+## Level 3
+
+### Threat Model
+
+* Adversary is an organized group with significant funding
+
+* Adversary can:
+  
+  * Compromise one data center engineer into tampering with a target system
+
+  * Use a sophisticated 0 day vulnerability to compromise any one internet connected system
+
+### Requirements
+
+* MUST sign all transactions of significant value by multiple keys in separate geographical locations
+
+ * Consider well vetted open source multi signature, MPC or on-chain threshold signing software
+ 
+ * Locations MUST be separated by hours of travel
+
+ * Locations MUST not have any staff overlap
+ 
+ * Signing locations SHOULD distrust other locations
+
+   * Each location SHOULD do their own reproducible build validation
+   
+   * Each location SHOULD do their own verifications on all large transactions
+
+## Level 4
+
+### Threat Model
+
+* Adversary is a state actor
+
+* Adversary can:
+  
+  * Tamper with the supply chain of any single hardware/firmware component
+  
+  * Quickly and covertly relocate any device to a lab environment, complete attacks within a short time period, and return the device to its original location
+  
+  * Use sophisticated side channel attacks for exfiltrating data, cryptographic material being a high risk target
+    
+    * Acoustic (DiskFiltration, Fansmitter, Acoustic Cryptanalysis, sonic cavity resonators, etc.)
+
+    * Optical (VisiSploit, xLED, eavesdropping via vibration analysis etc.)
+    
+    * Thermal (BitWhisper)
+    
+    * Electrical (Simple Power Analysis (SPA), Differential Power Analysis)
+    
+    * Magnetic (ODINI)
+    
+    * Electromagnetic (USBee)
+    
+    * Radio (NFCDrip, Vapor Trail, RFID, FM, Wifi, Bluetooth, GSM, SATA cable eavesdropping etc)
+    
+    * Steganography
+
+  * Use other sophisticated attack types such as:
+
+    * Non-deterministic encryption/signatures/data
+    
+    * Differential Fault Analysis (DFA)
+    
+    * Data remanence
+
+    * Exfiltrating data via induction of power lines, water pipes, telephone lines, coaxial cable used for televisions and internet etc.
+
+### Requirements
+
+* All signing systems:
+
+  * MUST have dual implementations of all policy enforcement and signing logic
+  
+  * MUST use two or more unrelated hardware supply chains
+    
+    * Example: Rust on RISC-V Linux on an FPGA vs C on PPC Gemalto enclave
+  
+  * MUST return deterministic results
+    
+    * Results are only exported for chain broadcast if identical
+  
+  * MUST be stored in near zero emissions vaults a single user can't open
+    
+    * See: NSA TEMPEST
+
+  * MUST ensure that individuals are scanned for devices before entering the vault
+  
+  * MUST only communicate with outside world via fiber optic serial terminal
+    - [ ] TODO do we even want this in the facility?
+  
+  * MUST be housed in Class III bank vault or better
+  
+  * MUST have constant environment deviation monitoring
+    
+    * Thermal, Acoustic, Air quality, Optical
+  
+  * MUST destroy key material on significant environment deviations
+
+    * TODO: methods for doing this
+  
+  * MUST be accessible physically with cooperative physical access
+    
+    * MAY use FF-L-2740B or better locks with dual pin enforcement
+    
+    * MAY use dual biometric enforcement to get near area and disarm security

 ## Additional Threat Model Notes