refactor portable laptop doc

Anton Livaja 2024-12-10 14:28:02 -05:00
parent fd16079f88
commit 59155cf4c7
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
6 changed files with 130 additions and 51 deletions

@ -1,13 +1,13 @@
# Introduction # Introduction
Quorum Key Management (QKM) is an open source system of playbooks and Quorum Vaulting System (QVM) is an open source system of playbooks and
tooling which facilitates the creation and maintenance of highly resilient tooling which facilitates the creation and maintenance of highly resilient
[quorum](glossary.md#quorum)-based key management systems based on a strict [quorum](glossary.md#quorum)-based key management systems based on a strict
[threat model](threat-model.md) which can be used for a variety of different [threat model](threat-model.md) which can be used for a variety of different
cryptographic algorithms. The system was designed and developed by cryptographic algorithms. The system was designed and developed by
[Distrust](https://distrust.co), with the generous support of sponsors. [Distrust](https://distrust.co), with the generous support of sponsors.
The basic premise of QKM is that primary cryptographic material akin to a root The basic premise of QVS is that primary cryptographic material akin to a root
certificate, called [Root Entropy (RE)](glossary.md#root-entropy-re), is generated certificate, called [Root Entropy (RE)](glossary.md#root-entropy-re), is generated
during a secure key derivation ceremony, and then used to derive chosen during a secure key derivation ceremony, and then used to derive chosen
cryptographic material via different algorithms such as PGP keys, digital asset cryptographic material via different algorithms such as PGP keys, digital asset
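
Review bot: The new expansion on the first changed line of the introduction reads "Quorum Vaulting System (QVM)", but every other changed line in this file abbreviates it as QVS (for example "The basic premise of QVS"). Change the parenthetical to (QVS) so the acronym is defined the way it is used.
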
@ -23,7 +23,7 @@ access controls in order to reconstruct the secret material, namely the RE.
## Use Cases ## Use Cases
QKM can be used for a wide range of use-cases which span but are not limited QVS can be used for a wide range of use-cases which span but are not limited
to: to:
* Deriving a PGP key pair whose public key can be used as a "one-way deposit * Deriving a PGP key pair whose public key can be used as a "one-way deposit
@ -42,7 +42,7 @@ a cold signing setup.
## Playbooks ## Playbooks
QKM can be set up by using a set of highly opinionated playbooks which outline QVS can be set up by using a set of highly opinionated playbooks which outline
the process. The base documentation should be read in its entirety by all the process. The base documentation should be read in its entirety by all
participants of the ceremony in order to ensure that the system is well participants of the ceremony in order to ensure that the system is well
understood by all to ensure that the integrity of the process is preserved and understood by all to ensure that the integrity of the process is preserved and

@ -1,4 +1,4 @@
# Location # Locations
Locations refer to physical points in space which are used for storing Locations refer to physical points in space which are used for storing
cryptographic material or performing actions using the cryptographic material and cryptographic material or performing actions using the cryptographic material and
@ -20,11 +20,39 @@ storage of cryptographic material such as Smart Cards which are used to decrypt
[Shards](glossary.md#shard), referred to as a Storage Location, and a location [Shards](glossary.md#shard), referred to as a Storage Location, and a location
for Ceremonies, known as the Ceremony Location. for Ceremonies, known as the Ceremony Location.
The Storage Location has a shorter list of requirements while the Management ## Level 1
and Ceremony locations have a number of additional requirements. The Management
and Ceremony Location may be one and the same.
## All Locations This level of defenses is largely focused on remote attacks, and as such does not have strict requirements about the location.
### Examples
* Personal domicile
* Co-working space
* Regular office (non specific to QVS)
### Reference Design
* SHOULD have ability to control physical access to room
* SHOULD be a space that's randomly selected to minimize the likelihood of an adversary deploying equipment into the location before it's used
## Level 2
This level of defenses is focused on insider threats and as such requires a considerably higher standard as it needs to mitigate threats which stem from individuals who have privileged access.
### Examples
* Purpose specific facility for QVS
* Short term rental
* Hotel room
* Moving vehicle
### Reference Design
* MUST have physical access restrictions which require identification * MUST have physical access restrictions which require identification
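
Review bot: The Level 2 examples (short term rental, hotel room, moving vehicle) sit directly above a Reference Design whose first item is "MUST have physical access restrictions which require identification", and it is not clear how a hotel room or a moving vehicle satisfies that. Either say what counts as meeting the requirement in those settings or move those examples to the level they actually fit. The removed paragraph was also the only place that said how requirements differ between the Storage Location and the Ceremony Location, which the unchanged context above still introduces; the level sections should say which of the two each list applies to.
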
@ -38,21 +66,9 @@ and Ceremony Location may be one and the same.
* SHOULD have anti-flood systems * SHOULD have anti-flood systems
* SHOULD be in facilities controlled by organizations which are ideally immune to being legally subpoenaed
## Management & Ceremony Locations ## Level 3
* MUST not have cameras installed
* MUST not have windows with direct line of sight to monitors
* MUST have all walls protected with EM shielding which adheres to the TEMPEST
standard NATO SDIP-27 Level A
* SHOULD be organizations which are ideally immune to being legally subpoenaed
* SHOULD NOT be susceptible to being subpoenaed
## Storage Location
* MUST have anti-fire systems * MUST have anti-fire systems
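
Review bot: "## Level 3" is added as a bare heading, while Level 1 and Level 2 each get a one-line description, an Examples list and a Reference Design subheading. Give Level 3 the same structure so readers can tell which threat it addresses. As restructured, "MUST have anti-fire systems" falls under Level 3 while "SHOULD have anti-flood systems" stays under Level 2; confirm that split is intended.
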
@ -69,4 +85,13 @@ standard NATO SDIP-27 Level A
collusion unless the organization who owns the QKM system has their own facility such collusion unless the organization who owns the QKM system has their own facility such
as a [SCIF](glossary.md#secure-compartmentalized-information-facility-scif). as a [SCIF](glossary.md#secure-compartmentalized-information-facility-scif).
## Level 4 (SCIF)
* MUST not have cameras installed inside of the room
* MUST not have windows with direct line of sight to monitors
* MUST have all walls protected with EM shielding which adheres to the TEMPEST
standard NATO SDIP-27 Level A
* SHOULD have seismic detectors * SHOULD have seismic detectors
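
Review bot: The context line above the new heading still says "the organization who owns the QKM system", so the QKM to QVS rename is incomplete in this file. The two added "MUST not" bullets should read "MUST NOT" to match the capitalised requirement keywords used in the rest of the document, and the unchanged "SHOULD have seismic detectors" bullet now lands under Level 4 (SCIF); confirm that is where it belongs.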

@ -1,30 +1,72 @@
# Portable Reusable Laptop Ceremony # Portable Reusable Laptop Ceremony
This type of device is essentially just a "One Time Use" device, with the added caveat that the operator has a tamper proofing method available to protect the device between uses. The device can not be trusted by other individuals, but only by the individual who used the device, as there are no other witnesses. ## Security Level
This type of device setup offers reduced security compared to using a a [fixed location](fixed-location-reusable-laptop-ceremony.md) setup, as this type of setup offers additional controls which mitigate attacks. This process offers a Level 2 security mitigation, focusing on defending against remote adversaries and insider threats.
1. Procure a laptop set up for portable use. ## Requirements
* Polaroid of the laptop tamper evidence should be carried on person at all times ### Roles
* Polaroid and digital camera are also required This setup does require the support of all [system roles](system-roles.md).
* Vacuum sealer, and plastic beads will be necessary in order to be able to re-seal the laptop after use. (Refer to the tamper evidence methods document for the [filler](tamper-evidence-methods.md#adequate-filler) and [vacuum sealers](tamper-evidence-methods.md#vacuum-sealers)) * MUST use at least 1 [Proposer](system-roles.md#proposer)
2. The laptop SHOULD be kept on the person at all times * MUST use at least 1 [Approver](system-roles.md#approver) different from Proposer
* MUST have at least 2 [Witnesses](system-roles.md#witness)
* MUST have at least 1 [Operator](system-roles.md#operator)
### Location
To conform to [Level 2](threat-model.md#level-2) security properties a location must be used according to the [Locations](locations.md) specification.
### Equipment
* Laptop procured according to [Hardware Procurement](hardware-procurement-and-chain-of-custody.md) guide
* Polaroid camera + pack of polaroid film
- [] TODO update tamper rpoofing doc with polaroid camera models and film
* Digital camera
- [ ] TODO add recommendations
* 10 SD cards
- [ ] TODO add which
* [Vacuum sealer](tamper-evidence-methods.md#vacuum-sealers)
* [Vacuum sealer roll](tamper-evidence-methods.md#vacuum-sealers)
* Tamper evidence photographs:
* Printed digital photos
* Polaroid photos
## Procedure
1. The laptop and all hardware used SHOULD be kept on the person at all times
* MAY leave the laptop in a safe * MAY leave the laptop in a safe
* MAY (but not recommended) leave the laptop with full time supervision (such as bellhop) * MAY (but not recommended) leave the laptop with full time supervision (such as bellhop)
3. Select a secure [location]() 2. Once in a secure location - control access to the location. It is highly preferred that no individuals enter or leave the facility during the ceremony.
4. Once in a secure location - control access to the location. It is highly preferred that no individuals enter or leave the facility during the ceremony. 3. Before starting the ceremony ensure that at least 1 Operator and 1 Witness are present
5. Unseal the laptop using the [Unsealing Procedure](tamper-evidence-methods.md#procedure) 4. Verify that the request from the Proposer is properly approved by an Approver
### Unsealing
{{ #include tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
### Perform Operations
6. Follow a [playbook](TODO) 6. Follow a [playbook](TODO)
7. Once the ceremony is over use the [Sealing Procedure](tamper-evidence-methods.md#procedure) to seal the laptop.
### Sealing
{{ #include tamper-evidence-methods.md:vsbwf-procedure-sealing}}
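
Review bot: Roles requires "at least 2 Witnesses", but procedure step 3 only checks that "at least 1 Operator and 1 Witness are present", so a ceremony could start without meeting the stated minimum; make step 3 match the Roles list. The numbering also jumps from step 4 to "6. Follow a playbook", `[playbook](TODO)` is a dead link, step 4 does not say how the Approver's approval is verified, and the equipment list has a typo ("rpoofing") and a malformed checkbox (`- []`).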

@ -1,6 +1,6 @@
# System Roles # System Roles
There are several roles which are required to properly operate the QKM system. While it is possible to have an individual perform multiple roles, typically they should only perform one role at a time. It is also recommended to have at least 2 individuals, or ideally the full quorum be used to make decisions pertaining to QKM. At least 2 individuals are required for [level 2](threat-model.md#adversary-1). There are several roles which are required to properly operate the QVS system. While it is possible to have an individual perform multiple roles, typically they should only perform one role at a time. It is also recommended to have at least 2 individuals, or ideally the full quorum be used to make decisions pertaining to QVS. At least 2 individuals are required for [level 2](threat-model.md#adversary-1).
To better understand why the different roles are required, refer to the [selecting a quorum](selecting-quorum.md) and [threat model](threat-model.md) sections which enumerate a number of assumptions around pertinent threats to the system as well as the use of a quorum. To better understand why the different roles are required, refer to the [selecting a quorum](selecting-quorum.md) and [threat model](threat-model.md) sections which enumerate a number of assumptions around pertinent threats to the system as well as the use of a quorum.
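
Review bot: The changed paragraph still links level 2 as `threat-model.md#adversary-1`, while the portable laptop doc in this same commit links it as `threat-model.md#level-2`. Pick one anchor and use it in both places. The sentence "At least 2 individuals are required" should also be reconciled with the laptop ceremony requirements, which list a Proposer, a different Approver, an Operator and 2 Witnesses.
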
@ -14,19 +14,22 @@ Individuals who are selected for the roles:
* MUST be reinvestigated once a year to ensure they meet necessary standards to access restricted information * MUST be reinvestigated once a year to ensure they meet necessary standards to access restricted information
## Proposer
## Operator This is an individual who is a business owner or stakeholder, or a financial controller. Their role is to make fiduciary decisions which protect the financial interest of the organization and its clients. Their role is specifically to propose the movement of funds, specifying the amount, origin and destination.
Trained on how the QKM system operates, with intimate knowledge of the processes which are required to maintain the integrity, confidentiality and availability (CIA triad) of the system.
Operators conduct ceremonies and ensure that the controls around the QKM system are in tact. They verify instructions from [Approvers](#approver) and perform different actions which are part of the QKM system, ranging across hardware procurement, accessing SCIFs, preparing field kits, performing ceremonies and more.
As a QKM grows, it may be prudent to create more highly specialized roles whose responsibilities are limited to a more narrow range, creating more isolation across the system, thus enforcing the principle of least privilege and separation of concerns.
## Approver ## Approver
This is an administrative role which participates in the decision making capacity, typically as part of a quorum. Additional policies which are not for the QKM system but related decision making may be under the purview of an Approver - for example what amount of digital assets to transfer and where. This is an administrative role which participates in the decision making capacity, typically as part of a quorum. Additional policies which are not for the QVS system but related decision making may be under the purview of an Approver. While there is 1 proposer per transaction, there may be an arbitrary number of Approvers, and they are required to sign proposed transactions according to a [policy](todo) which should be well defined.
## Operator
Trained on how the QVS(todo) system operates, with intimate knowledge of the processes which are required to maintain the integrity, confidentiality and availability (CIA triad) of the system.
Operators conduct ceremonies and ensure that the controls around QVS are in tact. They verify instructions from [Approvers](#approver) and perform different actions which are part of the QVS system, ranging across hardware procurement, accessing SCIFs, preparing field kits, performing ceremonies and more.
As a QVS grows, it may be prudent to create more highly specialized roles whose responsibilities are limited to a more narrow range, creating more isolation across the system, thus enforcing the principle of least privilege and separation of concerns.
## Witness ## Witness
QKM relies of having individuals present to witness that processes which uphold the security of the system are properly followed. [Operators](#operator) make ideal witnesses as their familiarity with the QKM system allows them to detect any deviation from the processes which uphold the security of the system. While it is not required that a Witness be a trained Operator, it is highly preferred. QVS relies of having individuals present to witness that processes which uphold the security of the system are properly followed. [Operators](#operator) make ideal witnesses as their familiarity with the QVS system allows them to detect any deviation from the processes which uphold the security of the system. While it is not required that a Witness be a trained Operator, it is highly preferred.
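
Review bot: The new Operator paragraph contains a stray marker, "Trained on how the QVS(todo) system operates", and the Approver paragraph links to `[policy](todo)`; resolve both or track them as explicit TODO items. The Approver section should also state that an Approver must be a different person from the Proposer of the same transaction, since the laptop ceremony doc makes that a MUST. The Proposer role is defined only in terms of moving funds, which does not cover the other uses the introduction lists, such as deriving PGP keys. Minor: "in tact" and "relies of" are carried over into the changed lines.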

@ -118,11 +118,11 @@ Sealing bags of standard size objects which need to be protected can fit in. The
4. Use the [Tamper Proofing Station](tamper-evidence-methods#tamper-proofing-station) to take a photograph of both sides of the sealed object using both the digital and polaroid camera 4. Use the [Tamper Proofing Station](tamper-evidence-methods#tamper-proofing-station) to take a photograph of both sides of the sealed object using both the digital and polaroid camera
5. Take the SD card to an online connected device and commit the photograph to a repository, ensuring the commit is signed 5. Take the SD card to an online connected device and commit the photographs to a repository, ensuring the commit is signed
// ANCHOR_END: vsbwf-procedure-sealing // ANCHOR_END: vsbwf-procedure-sealing
// ANCHOR: vsbwf-procedure-unsealing
#### Unsealing #### Unsealing
// ANCHOR: vsbwf-procedure-unsealing
1. Retrieve photographs which were taken of the sealed object and print them out, one copy for each operator 1. Retrieve photographs which were taken of the sealed object and print them out, one copy for each operator
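
Review bot: Moving `// ANCHOR: vsbwf-procedure-unsealing` above "#### Unsealing" pulls that heading into the included region, and the portable laptop doc already prints "### Unsealing" immediately before its `{{ #include tamper-evidence-methods.md:vsbwf-procedure-unsealing}}`, so the rendered ceremony page will show two Unsealing headings at different levels. Keep the anchor below the heading, or drop the heading from the including page.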

@ -1,10 +1,10 @@
# Threat Model # Threat Model
QKM is designed according to a high-assurance threat model which ers on the QVS is designed according to a high-assurance threat model which ers on the
side of making exaggerated, rather than conservative assumptions in order to side of making exaggerated, rather than conservative assumptions in order to
build a resilient system. build a resilient system.
The assumption is made that attackers who target QKM are extremely The assumption is made that attackers who target QVS are extremely
sophisticated, well funded and patient attackers, and as such, the full arsenal sophisticated, well funded and patient attackers, and as such, the full arsenal
of attacks is on the table. This means that the attacker can purchase and of attacks is on the table. This means that the attacker can purchase and
weaponize multiple 0day vulnerabilities, execute physical attacks or deploy weaponize multiple 0day vulnerabilities, execute physical attacks or deploy
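
Review bot: The first changed line keeps the typo "ers on the side"; since the line is being edited anyway, fix it to "errs".
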
@ -18,7 +18,7 @@ whether it's maintainers of software used in the system, the firmware that's
used, or the individuals or locations that hold secret material which is the used, or the individuals or locations that hold secret material which is the
backbone of the system. backbone of the system.
To achieve this, the QKM focuses on reducing the risk by: To achieve this, the QVS focuses on reducing the risk by:
* Only using fully open source software and firmware to allow full verification * Only using fully open source software and firmware to allow full verification
of their security properties of their security properties
@ -66,7 +66,7 @@ Some additional assumptions are made to help contextualize the threat model:
## Threat Model Levels ## Threat Model Levels
Different threat model levels allow an organization to start benefiting from the security properties of the QKM system immediately, with a clear path to upgrading over time as resources and time become available. Different threat model levels allow an organization to start benefiting from the security properties of the QVS system immediately, with a clear path to upgrading over time as resources and time become available.
Each subsequent level assumes all threats and mitigations from the previous level, and introduces more sophisticated attacks and mitigations. As such, the levels should for the most part be adhered to one at a time, to ensure comprehensive defenses for all viable threats enumerated herein. Each subsequent level assumes all threats and mitigations from the previous level, and introduces more sophisticated attacks and mitigations. As such, the levels should for the most part be adhered to one at a time, to ensure comprehensive defenses for all viable threats enumerated herein.
@ -75,8 +75,11 @@ Each subsequent level assumes all threats and mitigations from the previous leve
### Threat Model ### Threat Model
#### Adversary #### Adversary
Low skilled individual targeting many organizations. This implies the adversary is not highly focused on compromising a specific organization, and relies on less sophisticated strategies. Low skilled individual targeting many organizations. This implies the adversary is not highly focused on compromising a specific organization, and relies on less sophisticated strategies.
This level focuses on defending against remote adversaries.
#### Attacks #### Attacks
* Using phishing to steal data from a random set of custodian end users * Using phishing to steal data from a random set of custodian end users
@ -123,6 +126,8 @@ Low skilled individual targeting many organizations. This implies the adversary
Adversary is a skilled and resourceful individual targeting one organization. This type of attacker uses a combination of widely used cyber weapons, OSINT, social engineering (spear phishing), exploiting vulnerabilities, MitM attacks. Adversary is a skilled and resourceful individual targeting one organization. This type of attacker uses a combination of widely used cyber weapons, OSINT, social engineering (spear phishing), exploiting vulnerabilities, MitM attacks.
This level focuses on defending against insider threats.
#### Attacks #### Attacks
* Compromise one team member with privileged access * Compromise one team member with privileged access
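
Review bot: The added sentence says this level focuses on insider threats, but the adversary paragraph directly above it describes an individual targeting the organization with OSINT, spear phishing, vulnerability exploitation and MitM, and the portable laptop doc describes Level 2 as covering "remote adversaries and insider threats". Reword the summary so it matches the adversary described, for example by saying the insider is a team member compromised by that adversary, as the first attack in the list suggests.
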
@ -290,6 +295,8 @@ Adversary is a skilled and resourceful individual targeting one organization. Th
#### Adversary #### Adversary
Adversary is an organized group with significant funding. These groups consist of individuals with different skill sets and often have access to significant funds, drastically expanding their attack capabilities. Adversary is an organized group with significant funding. These groups consist of individuals with different skill sets and often have access to significant funds, drastically expanding their attack capabilities.
This level focuses on defending against adversaries who succeeded in local compromise.
#### Attacks #### Attacks
* Compromise one data center engineer into tampering with a target system * Compromise one data center engineer into tampering with a target system
@ -320,6 +327,8 @@ Adversary is an organized group with significant funding. These groups consist o
Adversary is a state actor. State actors are the best funded and most sophisticated attackers. They are the highest known threat and have the ability to execute all known attacks. Their well funded operations allow them to pursue goals over long periods of time, relying on subversion, false flags, insider threats via planting moles, compromise of hardware supply and software supply chains, the use of advanced non-commercially available cyber-warfare tools, combining many 0day vulnerabilities to construct highly effective exploit chain. This level of adversary demands the highest known standards of security, which is typically upheld only by the most sophisticated companies and the military. Adversary is a state actor. State actors are the best funded and most sophisticated attackers. They are the highest known threat and have the ability to execute all known attacks. Their well funded operations allow them to pursue goals over long periods of time, relying on subversion, false flags, insider threats via planting moles, compromise of hardware supply and software supply chains, the use of advanced non-commercially available cyber-warfare tools, combining many 0day vulnerabilities to construct highly effective exploit chain. This level of adversary demands the highest known standards of security, which is typically upheld only by the most sophisticated companies and the military.
This level focuses on defending against adversaries who are nation states.
#### Attacks #### Attacks
* Tamper with the supply chain of any single hardware/firmware component * Tamper with the supply chain of any single hardware/firmware component