From 59155cf4c75bd9a1f08f6cd1e6183a91e4f7be0d Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Tue, 10 Dec 2024 14:28:02 -0500 Subject: [PATCH] refactor portable laptop doc --- quorum-key-management/src/intro.md | 8 +-- quorum-key-management/src/locations.md | 65 +++++++++++++------ .../src/portable-reusable-laptop-ceremony.md | 64 ++++++++++++++---- quorum-key-management/src/system-roles.md | 23 ++++--- .../src/tamper-evidence-methods.md | 4 +- quorum-key-management/src/threat-model.md | 17 +++-- 6 files changed, 130 insertions(+), 51 deletions(-) diff --git a/quorum-key-management/src/intro.md b/quorum-key-management/src/intro.md index 1b5c661..5393ef4 100644 --- a/quorum-key-management/src/intro.md +++ b/quorum-key-management/src/intro.md @@ -1,13 +1,13 @@ # Introduction -Quorum Key Management (QKM) is an open source system of playbooks and +Quorum Vaulting System (QVM) is an open source system of playbooks and tooling which facilitates the creation and maintenance of highly resilient [quorum](glossary.md#quorum)-based key management systems based on a strict [threat model](threat-model.md) which can be used for a variety of different cryptographic algorithms. The system was designed and developed by [Distrust](https://distrust.co), with the generous support of sponsors. -The basic premise of QKM is that primary cryptographic material akin to a root +The basic premise of QVS is that primary cryptographic material akin to a root certificate, called [Root Entropy (RE)](glossary.md#root-entropy-re), is generated during a secure key derivation ceremony, and then used to derive chosen cryptographic material via different algorithms such as PGP keys, digital asset @@ -23,7 +23,7 @@ access controls in order to reconstruct the secret material, namely the RE. ## Use Cases -QKM can be used for a wide range of use-cases which span but are not limited +QVS can be used for a wide range of use-cases which span but are not limited to: * Deriving a PGP key pair whose public key can be used as a "one-way deposit @@ -42,7 +42,7 @@ a cold signing setup. ## Playbooks -QKM can be set up by using a set of highly opinionated playbooks which outline +QVS can be set up by using a set of highly opinionated playbooks which outline the process. The base documentation should be read in its entirety by all participants of the ceremony in order to ensure that the system is well understood by all to ensure that the integrity of the process is preserved and diff --git a/quorum-key-management/src/locations.md b/quorum-key-management/src/locations.md index 4c982ef..49cb6f6 100644 --- a/quorum-key-management/src/locations.md +++ b/quorum-key-management/src/locations.md @@ -1,4 +1,4 @@ -# Location +# Locations Locations refer to physical points in space which are used for storing cryptographic material or performing actions using the cryptographic material and @@ -20,11 +20,39 @@ storage of cryptographic material such as Smart Cards which are used to decrypt [Shards](glossary.md#shard), referred to as a Storage Location, and a location for Ceremonies, known as the Ceremony Location. -The Storage Location has a shorter list of requirements while the Management -and Ceremony locations have a number of additional requirements. The Management -and Ceremony Location may be one and the same. +## Level 1 -## All Locations +This level of defenses is largely focused on remote attacks, and as such does not have strict requirements about the location. + +### Examples + +* Personal domicile + +* Co-working space + +* Regular office (non specific to QVS) + +### Reference Design + +* SHOULD have ability to control physical access to room + +* SHOULD be a space that's randomly selected to minimize the likelihood of an adversary deploying equipment into the location before it's used + +## Level 2 + +This level of defenses is focused on insider threats and as such requires a considerably higher standard as it needs to mitigate threats which stem from individuals who have privileged access. + +### Examples + +* Purpose specific facility for QVS + +* Short term rental + +* Hotel room + +* Moving vehicle + +### Reference Design * MUST have physical access restrictions which require identification @@ -38,21 +66,9 @@ and Ceremony Location may be one and the same. * SHOULD have anti-flood systems +* SHOULD be in facilities controlled by organizations which are ideally immune to being legally subpoenaed -## Management & Ceremony Locations - -* MUST not have cameras installed - -* MUST not have windows with direct line of sight to monitors - -* MUST have all walls protected with EM shielding which adheres to the TEMPEST -standard NATO SDIP-27 Level A - -* SHOULD be organizations which are ideally immune to being legally subpoenaed - -* SHOULD NOT be susceptible to being subpoenaed - -## Storage Location +## Level 3 * MUST have anti-fire systems @@ -69,4 +85,13 @@ standard NATO SDIP-27 Level A collusion unless the organization who owns the QKM system has their own facility such as a [SCIF](glossary.md#secure-compartmentalized-information-facility-scif). -* SHOULD have seismic detectors +## Level 4 (SCIF) + +* MUST not have cameras installed inside of the room + +* MUST not have windows with direct line of sight to monitors + +* MUST have all walls protected with EM shielding which adheres to the TEMPEST +standard NATO SDIP-27 Level A + +* SHOULD have seismic detectors \ No newline at end of file diff --git a/quorum-key-management/src/portable-reusable-laptop-ceremony.md b/quorum-key-management/src/portable-reusable-laptop-ceremony.md index 923cf6c..9a5d386 100644 --- a/quorum-key-management/src/portable-reusable-laptop-ceremony.md +++ b/quorum-key-management/src/portable-reusable-laptop-ceremony.md @@ -1,30 +1,72 @@ # Portable Reusable Laptop Ceremony -This type of device is essentially just a "One Time Use" device, with the added caveat that the operator has a tamper proofing method available to protect the device between uses. The device can not be trusted by other individuals, but only by the individual who used the device, as there are no other witnesses. +## Security Level -This type of device setup offers reduced security compared to using a a [fixed location](fixed-location-reusable-laptop-ceremony.md) setup, as this type of setup offers additional controls which mitigate attacks. +This process offers a Level 2 security mitigation, focusing on defending against remote adversaries and insider threats. -1. Procure a laptop set up for portable use. +## Requirements - * Polaroid of the laptop tamper evidence should be carried on person at all times +### Roles - * Polaroid and digital camera are also required +This setup does require the support of all [system roles](system-roles.md). - * Vacuum sealer, and plastic beads will be necessary in order to be able to re-seal the laptop after use. (Refer to the tamper evidence methods document for the [filler](tamper-evidence-methods.md#adequate-filler) and [vacuum sealers](tamper-evidence-methods.md#vacuum-sealers)) +* MUST use at least 1 [Proposer](system-roles.md#proposer) -2. The laptop SHOULD be kept on the person at all times +* MUST use at least 1 [Approver](system-roles.md#approver) different from Proposer + +* MUST have at least 2 [Witnesses](system-roles.md#witness) + +* MUST have at least 1 [Operator](system-roles.md#operator) + +### Location + +To conform to [Level 2](threat-model.md#level-2) security properties a location must be used according to the [Locations](locations.md) specification. + +### Equipment + +* Laptop procured according to [Hardware Procurement](hardware-procurement-and-chain-of-custody.md) guide + +* Polaroid camera + pack of polaroid film + - [] TODO update tamper rpoofing doc with polaroid camera models and film + +* Digital camera + - [ ] TODO add recommendations + +* 10 SD cards + - [ ] TODO add which + +* [Vacuum sealer](tamper-evidence-methods.md#vacuum-sealers) + +* [Vacuum sealer roll](tamper-evidence-methods.md#vacuum-sealers) + +* Tamper evidence photographs: + + * Printed digital photos + + * Polaroid photos + +## Procedure + +1. The laptop and all hardware used SHOULD be kept on the person at all times * MAY leave the laptop in a safe * MAY (but not recommended) leave the laptop with full time supervision (such as bellhop) -3. Select a secure [location]() +2. Once in a secure location - control access to the location. It is highly preferred that no individuals enter or leave the facility during the ceremony. -4. Once in a secure location - control access to the location. It is highly preferred that no individuals enter or leave the facility during the ceremony. +3. Before starting the ceremony ensure that at least 1 Operator and 1 Witness are present -5. Unseal the laptop using the [Unsealing Procedure](tamper-evidence-methods.md#procedure) +4. Verify that the request from the Proposer is properly approved by an Approver + +### Unsealing +{{ #include tamper-evidence-methods.md:vsbwf-procedure-unsealing}} + +### Perform Operations 6. Follow a [playbook](TODO) -7. Once the ceremony is over use the [Sealing Procedure](tamper-evidence-methods.md#procedure) to seal the laptop. + +### Sealing +{{ #include tamper-evidence-methods.md:vsbwf-procedure-sealing}} diff --git a/quorum-key-management/src/system-roles.md b/quorum-key-management/src/system-roles.md index 8c9b86b..8327b1d 100644 --- a/quorum-key-management/src/system-roles.md +++ b/quorum-key-management/src/system-roles.md @@ -1,6 +1,6 @@ # System Roles -There are several roles which are required to properly operate the QKM system. While it is possible to have an individual perform multiple roles, typically they should only perform one role at a time. It is also recommended to have at least 2 individuals, or ideally the full quorum be used to make decisions pertaining to QKM. At least 2 individuals are required for [level 2](threat-model.md#adversary-1). +There are several roles which are required to properly operate the QVS system. While it is possible to have an individual perform multiple roles, typically they should only perform one role at a time. It is also recommended to have at least 2 individuals, or ideally the full quorum be used to make decisions pertaining to QVS. At least 2 individuals are required for [level 2](threat-model.md#adversary-1). To better understand why the different roles are required, refer to the [selecting a quorum](selecting-quorum.md) and [threat model](threat-model.md) sections which enumerate a number of assumptions around pertinent threats to the system as well as the use of a quorum. @@ -14,19 +14,22 @@ Individuals who are selected for the roles: * MUST be reinvestigated once a year to ensure they meet necessary standards to access restricted information +## Proposer -## Operator - -Trained on how the QKM system operates, with intimate knowledge of the processes which are required to maintain the integrity, confidentiality and availability (CIA triad) of the system. - -Operators conduct ceremonies and ensure that the controls around the QKM system are in tact. They verify instructions from [Approvers](#approver) and perform different actions which are part of the QKM system, ranging across hardware procurement, accessing SCIFs, preparing field kits, performing ceremonies and more. - -As a QKM grows, it may be prudent to create more highly specialized roles whose responsibilities are limited to a more narrow range, creating more isolation across the system, thus enforcing the principle of least privilege and separation of concerns. +This is an individual who is a business owner or stakeholder, or a financial controller. Their role is to make fiduciary decisions which protect the financial interest of the organization and its clients. Their role is specifically to propose the movement of funds, specifying the amount, origin and destination. ## Approver -This is an administrative role which participates in the decision making capacity, typically as part of a quorum. Additional policies which are not for the QKM system but related decision making may be under the purview of an Approver - for example what amount of digital assets to transfer and where. +This is an administrative role which participates in the decision making capacity, typically as part of a quorum. Additional policies which are not for the QVS system but related decision making may be under the purview of an Approver. While there is 1 proposer per transaction, there may be an arbitrary number of Approvers, and they are required to sign proposed transactions according to a [policy](todo) which should be well defined. + +## Operator + +Trained on how the QVS(todo) system operates, with intimate knowledge of the processes which are required to maintain the integrity, confidentiality and availability (CIA triad) of the system. + +Operators conduct ceremonies and ensure that the controls around QVS are in tact. They verify instructions from [Approvers](#approver) and perform different actions which are part of the QVS system, ranging across hardware procurement, accessing SCIFs, preparing field kits, performing ceremonies and more. + +As a QVS grows, it may be prudent to create more highly specialized roles whose responsibilities are limited to a more narrow range, creating more isolation across the system, thus enforcing the principle of least privilege and separation of concerns. ## Witness -QKM relies of having individuals present to witness that processes which uphold the security of the system are properly followed. [Operators](#operator) make ideal witnesses as their familiarity with the QKM system allows them to detect any deviation from the processes which uphold the security of the system. While it is not required that a Witness be a trained Operator, it is highly preferred. \ No newline at end of file +QVS relies of having individuals present to witness that processes which uphold the security of the system are properly followed. [Operators](#operator) make ideal witnesses as their familiarity with the QVS system allows them to detect any deviation from the processes which uphold the security of the system. While it is not required that a Witness be a trained Operator, it is highly preferred. \ No newline at end of file diff --git a/quorum-key-management/src/tamper-evidence-methods.md b/quorum-key-management/src/tamper-evidence-methods.md index 965e680..0ca2f98 100644 --- a/quorum-key-management/src/tamper-evidence-methods.md +++ b/quorum-key-management/src/tamper-evidence-methods.md @@ -118,11 +118,11 @@ Sealing bags of standard size objects which need to be protected can fit in. The 4. Use the [Tamper Proofing Station](tamper-evidence-methods#tamper-proofing-station) to take a photograph of both sides of the sealed object using both the digital and polaroid camera -5. Take the SD card to an online connected device and commit the photograph to a repository, ensuring the commit is signed +5. Take the SD card to an online connected device and commit the photographs to a repository, ensuring the commit is signed // ANCHOR_END: vsbwf-procedure-sealing -// ANCHOR: vsbwf-procedure-unsealing #### Unsealing +// ANCHOR: vsbwf-procedure-unsealing 1. Retrieve photographs which were taken of the sealed object and print them out, one copy for each operator diff --git a/quorum-key-management/src/threat-model.md b/quorum-key-management/src/threat-model.md index 579587e..c54206d 100644 --- a/quorum-key-management/src/threat-model.md +++ b/quorum-key-management/src/threat-model.md @@ -1,10 +1,10 @@ # Threat Model -QKM is designed according to a high-assurance threat model which ers on the +QVS is designed according to a high-assurance threat model which ers on the side of making exaggerated, rather than conservative assumptions in order to build a resilient system. -The assumption is made that attackers who target QKM are extremely +The assumption is made that attackers who target QVS are extremely sophisticated, well funded and patient attackers, and as such, the full arsenal of attacks is on the table. This means that the attacker can purchase and weaponize multiple 0day vulnerabilities, execute physical attacks or deploy @@ -18,7 +18,7 @@ whether it's maintainers of software used in the system, the firmware that's used, or the individuals or locations that hold secret material which is the backbone of the system. -To achieve this, the QKM focuses on reducing the risk by: +To achieve this, the QVS focuses on reducing the risk by: * Only using fully open source software and firmware to allow full verification of their security properties @@ -66,7 +66,7 @@ Some additional assumptions are made to help contextualize the threat model: ## Threat Model Levels -Different threat model levels allow an organization to start benefiting from the security properties of the QKM system immediately, with a clear path to upgrading over time as resources and time become available. +Different threat model levels allow an organization to start benefiting from the security properties of the QVS system immediately, with a clear path to upgrading over time as resources and time become available. Each subsequent level assumes all threats and mitigations from the previous level, and introduces more sophisticated attacks and mitigations. As such, the levels should for the most part be adhered to one at a time, to ensure comprehensive defenses for all viable threats enumerated herein. @@ -75,8 +75,11 @@ Each subsequent level assumes all threats and mitigations from the previous leve ### Threat Model #### Adversary + Low skilled individual targeting many organizations. This implies the adversary is not highly focused on compromising a specific organization, and relies on less sophisticated strategies. +This level focuses on defending against remote adversaries. + #### Attacks * Using phishing to steal data from a random set of custodian end users @@ -123,6 +126,8 @@ Low skilled individual targeting many organizations. This implies the adversary Adversary is a skilled and resourceful individual targeting one organization. This type of attacker uses a combination of widely used cyber weapons, OSINT, social engineering (spear phishing), exploiting vulnerabilities, MitM attacks. +This level focuses on defending against insider threats. + #### Attacks * Compromise one team member with privileged access @@ -290,6 +295,8 @@ Adversary is a skilled and resourceful individual targeting one organization. Th #### Adversary Adversary is an organized group with significant funding. These groups consist of individuals with different skill sets and often have access to significant funds, drastically expanding their attack capabilities. +This level focuses on defending against adversaries who succeeded in local compromise. + #### Attacks * Compromise one data center engineer into tampering with a target system @@ -320,6 +327,8 @@ Adversary is an organized group with significant funding. These groups consist o Adversary is a state actor. State actors are the best funded and most sophisticated attackers. They are the highest known threat and have the ability to execute all known attacks. Their well funded operations allow them to pursue goals over long periods of time, relying on subversion, false flags, insider threats via planting moles, compromise of hardware supply and software supply chains, the use of advanced non-commercially available cyber-warfare tools, combining many 0day vulnerabilities to construct highly effective exploit chain. This level of adversary demands the highest known standards of security, which is typically upheld only by the most sophisticated companies and the military. +This level focuses on defending against adversaries who are nation states. + #### Attacks * Tamper with the supply chain of any single hardware/firmware component