fix: rename to Quorum Key Management (QKM)
This commit is contained in:
parent
8ce53c2b7b
commit
a813634432
GPG Key ID:
44A86CFF1FDF0E85
|
|
@ -1,6 +1,6 @@
|
|||
# Quorum Key Management System (QKMS)
|
||||
# Quorum Key Management (QKM)
|
||||
|
||||
Quorum Key Management System (QKMS) is an open source system of playbooks and tooling which
|
||||
Quorum Key Management (QKM) is an open source system of playbooks and tooling which
|
||||
facilitates the creation and maintenance of highly resilient Quorum-based Key
|
||||
Management Systems based on a strict threat model which can be used for a
|
||||
variety of different cryptographic algorithms.
|
||||
|
|
@ -3,4 +3,4 @@ authors = ["Anton Livaja", "Lance R. Vick", "Ryan Heywood"]
|
|||
language = "en"
|
||||
multilingual = false
|
||||
src = "src"
|
||||
title = "Quorum Key Management System (QKMS)"
|
||||
title = "Quorum Key Management (QKM)"
|
||||
|
|
@ -4,14 +4,14 @@
|
|||
In cryptography, ciphertext is the result of encryption performed on plaintext
|
||||
using an algorithm, called a cipher.
|
||||
|
||||
## Quorum Key Management System (QKMS)
|
||||
## Quorum Key Management (QKM)
|
||||
A set of highly specified processes and tooling used for setting up a highly
|
||||
resilient quorum-based key management system.
|
||||
|
||||
## Operator
|
||||
An individual who manages an [Operator Key](#operator-key) which is used for
|
||||
protecting the passphrase of a Location key and participates in different
|
||||
aspects of the lifecycle management of the QKMS system.
|
||||
aspects of the lifecycle management of the QKM system.
|
||||
|
||||
## Operator Key
|
||||
An asymmetric key used for protecting the passphrase of a Location key
|
||||
|
|
@ -85,7 +85,7 @@ M is the minimum number of shards required to reassemble the secret, and N is th
|
|||
total number of shards that exist. The minimum recommended threshold is 2-of-3.
|
||||
|
||||
## Organization
|
||||
An organization which owns the QKMS and is responsible for funding the setup and
|
||||
An organization which owns the QKM and is responsible for funding the setup and
|
||||
maintenance. The organization is also responsible for ensuring that the
|
||||
[Warehouse](#warehouse) is properly maintained in order to ensure that the
|
||||
ciphertext blobs associated with the system are redundantly stored and
|
||||
|
|
@ -8,7 +8,7 @@ kind of hardware supply chain compromise, has the same vulnerability present, or
|
|||
has the same type of hardware failure issue.
|
||||
|
||||
Based on the decided upon [Quorum](selecting-quorum.md), the amount of equipment
|
||||
required to set up a [QKMS](glossary.md#quroum-kms-qkms) will
|
||||
required to set up a [QKM](glossary.md#quroum-kms-QKM) will
|
||||
vary. In order to figure out what equipment is required, decide on a Quorum,
|
||||
which is expressed as "N of M". Once you know your M, the required equipment list
|
||||
is the following:
|
||||
|
|
@ -57,7 +57,7 @@ security and verifiable software
|
|||
|
||||
## Air-Gapped Computer
|
||||
[Air-Gapped](glossary.md#Air-Gapped) computers are used for the lifecycle management
|
||||
of cryptographic material that is part of QKMS.
|
||||
of cryptographic material that is part of QKM.
|
||||
|
||||
The primary hardware recommendation for a Air-Gapped Computer is the [Librem 14](https://puri.sm/products/librem-14/), manufactured by [Purism](puri.sm). Purism specializes in reducing hardware and
|
||||
firmware security risks, especially via their [Anti-Interdiction Service](https://puri.sm/posts/anti-interdiction-services/) and [PureBoot](https://docs.puri.sm/PureBoot.html)
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
# Hybrid Key Provisioning
|
||||
|
||||
This document contains instructions on how Operators collaborate to set up
|
||||
QKMS where the Operator Keys and Location Keys were generated before this
|
||||
QKM where the Operator Keys and Location Keys were generated before this
|
||||
ceremony and only the PGP Public Certificates of the Location keys are brought
|
||||
to the ceremony which are used to shard the Root Entropy. This is useful
|
||||
when conducting the ceremony in a lower trust environment, and where not all
|
||||
|
Before Width: | Height: | Size: 85 KiB After Width: | Height: | Size: 85 KiB |
|
|
@ -1,13 +1,13 @@
|
|||
# Introduction
|
||||
|
||||
Quorum Key Management System (QKMS) is an open source system of playbooks and
|
||||
Quorum Key Management (QKM) is an open source system of playbooks and
|
||||
tooling which facilitates the creation and maintenance of highly resilient
|
||||
Quorum-based Key Management Systems based on a strict [threat model](threat-model.md)
|
||||
which can be used for a variety of different cryptographic algorithms. The
|
||||
system was designed and developed by [Distrust](https://distrust.co), with the
|
||||
generous support of the following sponsors: TODO.
|
||||
|
||||
The basic premise of QKMS is that primary cryptographic material akin to a root
|
||||
The basic premise of QKM is that primary cryptographic material akin to a root
|
||||
certificate, called Root Entropy, is derived during a secure key derivation
|
||||
ceremony, and then used to derive chosen cryptographic material via different
|
||||
algorithms such as PGP keys, digital asset wallets, web certificates and more.
|
||||
|
|
@ -21,7 +21,7 @@ secret material, namely the Root Entropy.
|
|||
|
||||
## Use Cases
|
||||
|
||||
QKMS can be used for a wide range of use-cases which span but are not limited
|
||||
QKM can be used for a wide range of use-cases which span but are not limited
|
||||
to:
|
||||
|
||||
* Deriving a PGP key pair whose public key can be used as a "one-way deposit
|
||||
|
|
@ -40,7 +40,7 @@ a cold signing setup.
|
|||
|
||||
## Playbooks
|
||||
|
||||
QKMS can be set up by using a set of highly opinionated playbooks which outline
|
||||
QKM can be set up by using a set of highly opinionated playbooks which outline
|
||||
the process. The documentation should be read in its entirety by all
|
||||
participants in the ceremony in order to ensure that the system is well
|
||||
understood by all in order to ensure that the integrity of the process is
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
# Local Key Provisioning
|
||||
|
||||
This document contains instructions on how Operators collaborate to set up
|
||||
QKMS which requires an N-of-M quorum to be reconstituted. The encrypted shards
|
||||
QKM which requires an N-of-M quorum to be reconstituted. The encrypted shards
|
||||
which result from this ceremony are stored in separate physical
|
||||
[Locations](locations.md) which contain [Location Keys](glossary.md#location-key)
|
||||
to which shards are encrypted, and whose passphrases are protected using
|
||||
|
|
@ -3,7 +3,7 @@
|
|||
## Description
|
||||
This ceremony is for generating Location Keys. Location Keys are typically
|
||||
stored in vaults as prescribed in the [Secure Storage Guidelines](secure-storage-guidelines.md).
|
||||
Location Keys are keypairs to which the Root Entropy of a QKMS is sharded. The
|
||||
Location Keys are keypairs to which the Root Entropy of a QKM is sharded. The
|
||||
keypairs are stored exclusively on Smart Cards, and the PINs which protect the
|
||||
Smart Cards are encrypted to Operator Keys.
|
||||
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
# Physical Artifact Storage
|
||||
|
||||
QKMS requires that some of the hardware containing cryptographic material be
|
||||
QKM requires that some of the hardware containing cryptographic material be
|
||||
securely stored in physical locations. The two primary cases where physical
|
||||
storage is necessary are the storage of Location Key Smart Cards, and Operator
|
||||
Key Smart Cards. These Smart Cards are necessary to successfully execute a
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
# Redundant Storage of Ceremony Artifacts
|
||||
|
||||
Ceremony Artifacts consist of data which is not sensitive in nature, but
|
||||
essential to ongoing operation of a QKMS.
|
||||
essential to ongoing operation of a QKM.
|
||||
|
||||
The primary artifacts which are produced during the ceremony are:
|
||||
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
# Quorum Team
|
||||
|
||||
The Quorum Team is a team of individuals who are selected to perform different
|
||||
roles related to a QKMS. Some of the Quorum Team members have ongoing roles,
|
||||
roles related to a QKM. Some of the Quorum Team members have ongoing roles,
|
||||
while others may participate in a partial manner.
|
||||
|
||||
Depending on the type of actions performed, some or all of the members of the
|
||||
|
|
@ -28,7 +28,7 @@ Controllers may be used to protect access to physical locations - according to
|
|||
risk appetite.
|
||||
|
||||
## Witness
|
||||
Witnesses are individuals who are familiar with the QKMS specification, and can
|
||||
Witnesses are individuals who are familiar with the QKM specification, and can
|
||||
ensure that the different aspects of the system are set up correctly, and
|
||||
processes carried out as they should be. The main objective of the witnesses is
|
||||
to monitor and attest that processes such as the ceremonies are done according
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
# Software
|
||||
This page outlines the software used for setting up a QKMS. All software used in
|
||||
This page outlines the software used for setting up a QKM. All software used in
|
||||
the setup is open source and audited by security firms in order to ensure their
|
||||
security. Furthermore, all software is built in a deterministic manner and
|
||||
reproduced by multiple individuals on diverse hardware to minimize the risks
|
||||
|
|
@ -33,6 +33,6 @@ BIP-0039 mnemonic phrase. BIP-0039 phrases are used to calculate a BIP-0032
|
|||
seed, which is used for hierarchical deterministic key derivation.
|
||||
|
||||
This software is the backbone for all cryptographic actions performed as part
|
||||
of QKMS. It was developed by [Distrust](https://distrust.co) and is included
|
||||
of QKM. It was developed by [Distrust](https://distrust.co) and is included
|
||||
with AirgapOS and has been audited by two firms, NCC and Cure53 with no
|
||||
significant vulnerabilities found.
|
||||
|
|
@ -1,10 +1,10 @@
|
|||
# Threat Model
|
||||
|
||||
QKMS is designed according to a high-assurance threat model which ers on the
|
||||
QKM is designed according to a high-assurance threat model which ers on the
|
||||
side of making exaggerated, rather than conservative assumptions in order to
|
||||
build a resilient system.
|
||||
|
||||
The assumption is made that attackers who target QKMS are extremely
|
||||
The assumption is made that attackers who target QKM are extremely
|
||||
sophisticated, well funded and patient attackers, and as such, the full arsenal
|
||||
of attacks is on the table. This means that the attacker can purchase and
|
||||
weaponize multiple 0day vulnerabilities, execute physical attacks or deploy
|
||||
|
|
@ -18,7 +18,7 @@ whether it's maintainers of software used in the system, the firmware that's
|
|||
used, or the individuals or locations that hold secret material which is the
|
||||
backbone of the system.
|
||||
|
||||
To achieve this, the QKMS focuses on reducing the risk by:
|
||||
To achieve this, the QKM focuses on reducing the risk by:
|
||||
|
||||
* Only using fully open source software and firmware to allow full verification
|
||||
of their security
|
||||
Loading…
Reference in New Issue