public
/
docs
5
0
Fork 0
Code Issues 15 Pull Requests 1 Packages Projects Releases Wiki Activity

clean up tamper proofing doc

This commit is contained in:
Anton Livaja 2025-01-08 14:06:10 -05:00
parent 0cfdad1d67
commit 8f483fedf3
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
3 changed files with 21 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
quorum-key-management/src/component-documents/hardware-procurement-and-chain-of-custody.md
View File

@ -11,6 +11,7 @@ The following steps must all be completed under the continued supervision and wi
## Provisioning Equipment ## Provisioning Equipment
// ANCHOR: steps // ANCHOR: steps
1. Selecting a Purchase Location 1. Selecting a Purchase Location
* Select at least 4 stores which carry the type of equipment being purchased, then randomly select one using the roll of a die, or other random method. This is done in order to reduce the likelihood that a threat actor is able to plant a compromised computer in a store ahead of time. * Select at least 4 stores which carry the type of equipment being purchased, then randomly select one using the roll of a die, or other random method. This is done in order to reduce the likelihood that a threat actor is able to plant a compromised computer in a store ahead of time.

26
quorum-key-management/src/component-documents/tamper-evidence-methods.md
View File

@ -115,13 +115,15 @@ Sealing bags of standard size objects which need to be protected can fit in. The
1. Insert object into plastic bag 1. Insert object into plastic bag
2. Fill bag with enough plastic beads that all of the object is surrounded 1. Fill bag with enough plastic beads that all of the object is surrounded
3. Use vacuum sealer to remove air from the bag until the beads are no longer able to move 1. Use vacuum sealer to remove air from the bag until the beads are no longer able to move
4. Take photographs of both sides of the sealed object using both the digital and polaroid camera 1. Take photographs of both sides of the sealed object using both the digital and polaroid camera
5. Take the SD card to an online connected device and commit the photographs to a repository, ensuring the commit is signed 1. Date and sign the polaroid photographs and store them in a local lock box
1. Take the SD card to an online connected device and commit the photographs to a repository, ensuring the commit is signed
// ANCHOR_END: vsbwf-procedure-sealing // ANCHOR_END: vsbwf-procedure-sealing
@ -130,11 +132,11 @@ Sealing bags of standard size objects which need to be protected can fit in. The
1. Retrieve photographs of the top and the bottom of the object which were taken of the sealed object 1. Retrieve photographs of the top and the bottom of the object which were taken of the sealed object
3. Compare polaroid and printed photographs of digital record to the current state of the sealed object 1. Compare polaroid and printed photographs of digital record to the current state of the sealed object
4. Compare polaroid to printed photographs of digital record 1. Compare polaroid to printed photographs of digital record
2. If there is no noticeable difference, proceed with unsealing the object, otherwise initiate an [incident response process (todo)](TODO). 1. If there is no noticeable difference, proceed with unsealing the object, otherwise initiate an [incident response process (todo)](TODO).
// ANCHOR_END: vsbwf-procedure-unsealing // ANCHOR_END: vsbwf-procedure-unsealing
@ -155,15 +157,15 @@ Glitter can be used as an additional control to provide tamper evidence on speci
1. Clean the surface the glitter will be applied to 1. Clean the surface the glitter will be applied to
2. Apply a thin layer of the first type of glitter 1. Apply a thin layer of the first type of glitter
3. Wait for it to dry 1. Wait for it to dry
4. Repeat steps 2, 3 with the different types of glitter being used 1. Repeat steps 2, 3 with the different types of glitter being used
5. Take a photograph of the laptop, preferably using the [tamper proofing station](tamper-evidence-methods#tamper-proofing-station) 1. Take a photograph of the laptop, preferably using the [tamper proofing station](tamper-evidence-methods#tamper-proofing-station)
6. Ensure the SD card is in dual custody until it's uploaded to a repository, and signed by both parties (one creates a PR, the other creates a signed merge using the `git` CLI) 1. Ensure the SD card is in dual custody until it's uploaded to a repository, and signed by both parties (one creates a PR, the other creates a signed merge using the `git` CLI)
#### Verification #### Verification

8
quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/pgp-key-bootstrapping.md
View File

@ -16,9 +16,11 @@ The initial set up requires the provisioner and operator to do all of these in a
* SD Cards: [Provisioning Guide](./provision-sd-card.md) * SD Cards: [Provisioning Guide](./provision-sd-card.md)
* 3 per PGP keypair * 3 per PGP keypair (for backups)
* Designated facility * Designated [facility](./provision-facility.md)
* Sealable plastic bag: {{ #include ../../../../component-documents/hardware-models.md:sealable-plastic-bags }}
## Procedure ## Procedure
@ -50,6 +52,8 @@ The following objects should be in the bundle:
* Airgapped computer * Airgapped computer
#### Procedure
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}} {{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}
1. Create tamper proofed bundle (airgapos, laptop) 1. Create tamper proofed bundle (airgapos, laptop)