From 9c33166409dd6c3acadb3affea44078edd05f7f2 Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Wed, 27 Nov 2024 15:46:34 -0500 Subject: [PATCH] minor updates --- .../src/tamper-evidence-methods.md | 30 ++++++++++--------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/quorum-key-management/src/tamper-evidence-methods.md b/quorum-key-management/src/tamper-evidence-methods.md index 29ba307..51ec39a 100644 --- a/quorum-key-management/src/tamper-evidence-methods.md +++ b/quorum-key-management/src/tamper-evidence-methods.md @@ -1,6 +1,6 @@ # Tamper Evidence Methods -There are different methods which can be used to ensure that objects have not been tampered between uses. This is especially relevant for equipment such as laptops. Each method comes with tradeoffs, and in the context of high assurance security it is instrumental to understand the tradeoffs in order to achieve an adequate level of confidence that supplies such as computers used for high risk operations retain their integrity. +There are different methods which can be used to ensure that objects have not been tampered between uses. This is especially relevant for equipment such as laptops. Each method comes with tradeoffs, and in the context of high assurance security it is instrumental to understand the tradeoffs in order to achieve an adequate level of confidence that supplies such as computers used for high risk operations retain their integrity. There are a number of common methods which appear to provide a reasonable level of tamper evidence, but in fact do not. It is worth noting a few examples of these such as using tamper evident tape, or even glitter if done improperly. This document will focus on illustrating adequate methods, rather than enumerating ones that are inadequate. 
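Review bot: the added sentence names glitter as a method that appears to provide tamper evidence "but in fact do[es] not ... if done improperly", while the same file keeps "Glitter on screws" in its list of three reasonably secure methods. Say what "improperly" means (the Glitter section's procedure of layering several types of glitter and photographing the result is presumably the distinction), otherwise the two passages contradict each other. Grammar in the added text: "a few examples of these such as" needs a comma after "these", and the unchanged phrase "have not been tampered between uses" should read "tampered with". Apart from that sentence the - and + lines differ only in trailing whitespace; mixing whitespace cleanup into content edits under the message "minor updates" makes the patch harder to review, so consider splitting the whitespace-only changes into their own commit.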
@@ -20,27 +20,29 @@ There are three reasonably secure methods which have been identified and are exp * Glitter on screws -* Heads / Pureboot for secure boot +* Heads / Pureboot for secure boot ## Vacuum Sealed Bags With Filler -One of the most reliable methods for ensuring tamper evidence relies on the randomness and difficulty of placing small objects henceforth referred to as "filler" (colored rice, lentils, confetti) in a transparent bag to encase an object which is then vacuum sealed. By placing an object in a transparent, vacuum sealable bag and surrounding it with filler, an arrangement of the colored objects around the object in the bag can be achieved which is difficult to reproduce. Upon sealing the object in this manner, photos can be taken to use as a reference once the object is accessed again. +One of the most reliable methods for ensuring tamper evidence relies on the randomness and difficulty of placing small objects henceforth referred to as "filler" (colored rice, lentils, confetti) in a transparent bag to encase an object which is then vacuum sealed. By placing an object in a transparent, vacuum sealable bag and surrounding it with filler, an arrangement of the colored objects around the object in the bag can be achieved which is difficult to reproduce. Upon sealing the object in this manner, photos can be taken to use as a reference once the object is accessed again. ### Threat Model There are no known attacks for this type of tamper proofing method when executed properly. The main sources of risk stem from consistent and repeatable photography and comparison of photographs to ensure that any changes can be detected. +If photographs are not cryptographically signed, they can also be manipulated and/or replaced which could result in the compromise of the system as well. 
+ The reason this method is effective is because unlike with many other methods that tamper proof a specific part of an object, such as applying glitter to screws which leaves device ports exposed, or using cryptographic signing to verify the hardware has not been modified, still leaving the door to physical modifications, vacuum sealing with colored filler encases the entire object in a tamper evident manner. ### Adequate Filler -To achieve the best level of randomness and difficulty of reproducing the arrangement of filler in a vacuum sealed bag, a variety of beads of different sizes and color should be used. +To achieve the best level of randomness and difficulty of reproducing the arrangement of filler in a vacuum sealed bag, a variety of beads of different sizes and color should be used. They may be made of different materials as well. ### Additional Considerations * This strategy may be layered, for example if one chooses to apply it to a hardware token, the sealed hardware token can be placed inside of a bigger bag, along with a laptop. -* A similar method can be used but with a bin that the object is placed into. The main disadvantage here is that this type of tamper proofing is not resistant to seismic activity, air movement, or other sourced of vibration which could shift filler around. +* A similar method can be used but with a bin filled with filler that the object is placed into. The main disadvantage here is that this type of tamper proofing is not resistant to seismic activity, air movement, or other sourced of vibration which could shift filler around. ### Procedure 
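Review bot: the added sentence "If photographs are not cryptographically signed, they can also be manipulated and/or replaced" sits directly under "There are no known attacks for this type of tamper proofing method when executed properly", and the two read as contradictory. Reframe the Threat Model so the first sentence covers the seal itself and the new sentence covers the reference photographs as a separate attack surface, and point at the sealing step that commits the photograph with a signed commit as the mitigation; note also where the trust boundary lies, since a signed commit does not help if the photo is substituted before it is committed. In the changed bullet about the bin variant, "other sourced of vibration" is still a typo for "sources". This hunk also uses "tamper proofing" where the page title says "Tamper Evidence"; the methods described provide evidence, not resistance, so pick one term.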
@@ -59,7 +61,7 @@ To achieve the best level of randomness and difficulty of reproducing the arrang 5. Take the SD card to an online connected device and commit the photograph to a repository, ensuring the commit is signed #### Unsealing -1. Retrieve photographs which were taken of the sealed object and print them out, one copy for each operator +1. Retrieve photographs which were taken of the sealed object and print them out, one copy for each operator 2. Use the photographs and compare them to the sealed object, ensuring the arrangement of the filler in the sealed bag is the same on both sides of the object 3. If there is no noticeable difference, proceed with unsealing the object, otherwise initiate an incident response process. @@ -77,13 +79,13 @@ Glitter can be used as an additional control to provide tamper evidence on speci 1. Clean the surface the glitter will be applied to -2. Apply a thin layer of the first type of glitter +2. Apply a thin layer of the first type of glitter 3. Wait for it to dry 4. Repeat steps 2, 3 with the different types of glitter being used -5. Take a photograph of the laptop, preferably using the [tamper proofing station](TODO) +5. Take a photograph of the laptop, preferably using the [tamper proofing station](TODO) #### Verification @@ -96,7 +98,7 @@ To verify that the seal has not been tampered, compare the glitter arrangement t This tamper proofing method is designed to protect the secure boot process of a computer. It does not protect the computer from physical tampering which can be used to ad ### Procedure - + Refer to the [PureBoot Setup](./enable-pure-boot-restricted-boot.md) document ## Tamper Proofing Station 
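Review bot: Unsealing step 1 ("Retrieve photographs which were taken of the sealed object and print them out") never verifies the signature on the commit that Sealing step 5 created ("ensuring the commit is signed"), so the signing requirement this patch adds to the Threat Model has no counterpart in the procedure. Add a step such as "Verify the signature on the commit containing the photographs before printing them", and say what to do if verification fails (the same incident response process as step 3).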
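Review bot: step 5 of the glitter procedure still links to "[tamper proofing station](TODO)" even though the "## Tamper Proofing Station" section exists in this same file; replace the TODO with an in-document anchor (e.g. `#tamper-proofing-station`) rather than leaving a dead link in a line this patch already touches.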
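Review bot: the context line "It does not protect the computer from physical tampering which can be used to ad" appears to end mid-word; confirm the sentence is complete in the source file before merging, since the caveat about what Heads/PureBoot does not cover hangs on it. The hunk itself only strips whitespace from a blank line.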
@@ -107,17 +109,17 @@ The Tamper Proofing Station is a simple structure used to make it easy to take p To construct an appropriate Tamper Proofing Station, the simplest setup consists of: -* Overhead camera mounting rig +* Overhead camera mounting rig * Powerful LED light which can be attached to the mounting rig * Camera which does not have radio cards in it and - * Has >10MP + * Has >10MP * Uses SD cards for storing photographs * Polaroid camera which can be attached to the mounting rig -Pick a location for the station, and attach the LED light and the camera to the overhead camera mounting rig. Set up the camera so that when it's turned on, a 14" laptop is perfectly framed without having to zoom in or out if possible. +Pick a location for the station, and attach the LED light and the camera to the overhead camera mounting rig. Set up the camera so that when it's turned on, a 14" laptop is perfectly framed without having to zoom in or out if possible. 
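Review bot: every - / + pair in this hunk differs only by trailing whitespace, so it carries no content change. While touching these lines, the item "Camera which does not have radio cards in it and" ends with a dangling "and" before its sub-bullets; "Camera which does not have radio cards and which:" or simply dropping the "and" reads cleaner.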
@@ -141,7 +143,7 @@ This type of device is essentially just a "One Time Use" device, with the added ### Fixed Location Device -This device is intended for use in a secure facility such as a [SCIF](TODO) which has the added assurances of protecting the environment from a wide range of side-channel attacks, as well as protection from physical attacks, and more comprehensive tamper proofing controls. +This device is intended for use in a secure facility such as a [SCIF](TODO) which has the added assurances of protecting the environment from a wide range of side-channel attacks, as well as protection from physical attacks, and more comprehensive tamper proofing controls. The fixed location should include a work-station which makes it easy to perform the [tamper proofing](todo) procedure. This station may consist of a simple frame which holds a LED light, for consistent lightning, as well as a camera stand above it which can be used to take pictures. The camera should have an SD card that easily slides out of it so that the device doesn't leave and re-enter the room, only the SD card does. * TODO: this is actually not necessary for the fixed location device, but it's good to have this setup in the same facility maybe for processing/setting up the one time use laptops 
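Review bot: the changed sentence only drops trailing whitespace, but its "[SCIF](TODO)" link is still unresolved; either link to a definition or expand the acronym inline (Sensitive Compartmented Information Facility). The context line right after it has two more issues worth fixing in the same touch: "for consistent lightning" should be "lighting", and "[tamper proofing](todo)" is another dead link that can point at the Tamper Proofing Station section of this file.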
@@ -162,7 +164,7 @@ If at any moment one of the individual has to leave, the Sealing procedure shoul ##### Unsealing * TODO (before entering room review monitoring video / audio to see if there was intrusion) -1. Ensure that there are at least 2 individuals present who are authorized present before entering the facility +1. Ensure that there are at least 2 individuals present who are authorized present before entering the facility 2. Ensure that nobody is carrying any type of electrical device on them. To achieve this a metal detection gate or a hand-held metal detector may be used 3. Gain access to the safe, and take out a laptop which will be used for performing cryptographic actions 4. Check the screws on the bottom of the laptop to ensure that they have not been removed
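Review bot: the changed line keeps the duplicated word in "at least 2 individuals present who are authorized present before entering the facility"; since the line is being rewritten anyway, make it "at least 2 authorized individuals are present before entering the facility".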