fix: rename to Quorum Key Management (QKM)
This commit is contained in:
parent
8ce53c2b7b
commit
a813634432
GPG Key ID:
44A86CFF1FDF0E85
|
|
@ -1,6 +1,6 @@
|
||||||
# Quorum Key Management System (QKMS)
|
# Quorum Key Management (QKM)
|
||||||
|
|
||||||
Quorum Key Management System (QKMS) is an open source system of playbooks and tooling which
|
Quorum Key Management (QKM) is an open source system of playbooks and tooling which
|
||||||
facilitates the creation and maintenance of highly resilient Quorum-based Key
|
facilitates the creation and maintenance of highly resilient Quorum-based Key
|
||||||
Management Systems based on a strict threat model which can be used for a
|
Management Systems based on a strict threat model which can be used for a
|
||||||
variety of different cryptographic algorithms.
|
variety of different cryptographic algorithms.
|
||||||
|
|
@ -3,4 +3,4 @@ authors = ["Anton Livaja", "Lance R. Vick", "Ryan Heywood"]
|
||||||
language = "en"
|
language = "en"
|
||||||
multilingual = false
|
multilingual = false
|
||||||
src = "src"
|
src = "src"
|
||||||
title = "Quorum Key Management System (QKMS)"
|
title = "Quorum Key Management (QKM)"
|
||||||
|
|
@ -4,14 +4,14 @@
|
||||||
In cryptography, ciphertext is the result of encryption performed on plaintext
|
In cryptography, ciphertext is the result of encryption performed on plaintext
|
||||||
using an algorithm, called a cipher.
|
using an algorithm, called a cipher.
|
||||||
|
|
||||||
## Quorum Key Management System (QKMS)
|
## Quorum Key Management (QKM)
|
||||||
A set of highly specified processes and tooling used for setting up a highly
|
A set of highly specified processes and tooling used for setting up a highly
|
||||||
resilient quorum-based key management system.
|
resilient quorum-based key management system.
|
||||||
|
|
||||||
## Operator
|
## Operator
|
||||||
An individual who manages an [Operator Key](#operator-key) which is used for
|
An individual who manages an [Operator Key](#operator-key) which is used for
|
||||||
protecting the passphrase of a Location key and participates in different
|
protecting the passphrase of a Location key and participates in different
|
||||||
aspects of the lifecycle management of the QKMS system.
|
aspects of the lifecycle management of the QKM system.
|
||||||
|
|
||||||
## Operator Key
|
## Operator Key
|
||||||
An asymmetric key used for protecting the passphrase of a Location key
|
An asymmetric key used for protecting the passphrase of a Location key
|
||||||
|
|
@ -85,7 +85,7 @@ M is the minimum number of shards required to reassemble the secret, and N is th
|
||||||
total number of shards that exist. The minimum recommended threshold is 2-of-3.
|
total number of shards that exist. The minimum recommended threshold is 2-of-3.
|
||||||
|
|
||||||
## Organization
|
## Organization
|
||||||
An organization which owns the QKMS and is responsible for funding the setup and
|
An organization which owns the QKM and is responsible for funding the setup and
|
||||||
maintenance. The organization is also responsible for ensuring that the
|
maintenance. The organization is also responsible for ensuring that the
|
||||||
[Warehouse](#warehouse) is properly maintained in order to ensure that the
|
[Warehouse](#warehouse) is properly maintained in order to ensure that the
|
||||||
ciphertext blobs associated with the system are redundantly stored and
|
ciphertext blobs associated with the system are redundantly stored and
|
||||||
|
|
@ -8,7 +8,7 @@ kind of hardware supply chain compromise, has the same vulnerability present, or
|
||||||
has the same type of hardware failure issue.
|
has the same type of hardware failure issue.
|
||||||
|
|
||||||
Based on the decided upon [Quorum](selecting-quorum.md), the amount of equipment
|
Based on the decided upon [Quorum](selecting-quorum.md), the amount of equipment
|
||||||
required to set up a [QKMS](glossary.md#quroum-kms-qkms) will
|
required to set up a [QKM](glossary.md#quroum-kms-QKM) will
|
||||||
vary. In order to figure out what equipment is required, decide on a Quorum,
|
vary. In order to figure out what equipment is required, decide on a Quorum,
|
||||||
which is expressed as "N of M". Once you know your M, the required equipment list
|
which is expressed as "N of M". Once you know your M, the required equipment list
|
||||||
is the following:
|
is the following:
|
||||||
|
|
@ -57,7 +57,7 @@ security and verifiable software
|
||||||
|
|
||||||
## Air-Gapped Computer
|
## Air-Gapped Computer
|
||||||
[Air-Gapped](glossary.md#Air-Gapped) computers are used for the lifecycle management
|
[Air-Gapped](glossary.md#Air-Gapped) computers are used for the lifecycle management
|
||||||
of cryptographic material that is part of QKMS.
|
of cryptographic material that is part of QKM.
|
||||||
|
|
||||||
The primary hardware recommendation for a Air-Gapped Computer is the [Librem 14](https://puri.sm/products/librem-14/), manufactured by [Purism](puri.sm). Purism specializes in reducing hardware and
|
The primary hardware recommendation for a Air-Gapped Computer is the [Librem 14](https://puri.sm/products/librem-14/), manufactured by [Purism](puri.sm). Purism specializes in reducing hardware and
|
||||||
firmware security risks, especially via their [Anti-Interdiction Service](https://puri.sm/posts/anti-interdiction-services/) and [PureBoot](https://docs.puri.sm/PureBoot.html)
|
firmware security risks, especially via their [Anti-Interdiction Service](https://puri.sm/posts/anti-interdiction-services/) and [PureBoot](https://docs.puri.sm/PureBoot.html)
|
||||||
|
|
@ -1,7 +1,7 @@
|
||||||
# Hybrid Key Provisioning
|
# Hybrid Key Provisioning
|
||||||
|
|
||||||
This document contains instructions on how Operators collaborate to set up
|
This document contains instructions on how Operators collaborate to set up
|
||||||
QKMS where the Operator Keys and Location Keys were generated before this
|
QKM where the Operator Keys and Location Keys were generated before this
|
||||||
ceremony and only the PGP Public Certificates of the Location keys are brought
|
ceremony and only the PGP Public Certificates of the Location keys are brought
|
||||||
to the ceremony which are used to shard the Root Entropy. This is useful
|
to the ceremony which are used to shard the Root Entropy. This is useful
|
||||||
when conducting the ceremony in a lower trust environment, and where not all
|
when conducting the ceremony in a lower trust environment, and where not all
|
||||||
|
Before Width: | Height: | Size: 85 KiB After Width: | Height: | Size: 85 KiB |
|
|
@ -1,13 +1,13 @@
|
||||||
# Introduction
|
# Introduction
|
||||||
|
|
||||||
Quorum Key Management System (QKMS) is an open source system of playbooks and
|
Quorum Key Management (QKM) is an open source system of playbooks and
|
||||||
tooling which facilitates the creation and maintenance of highly resilient
|
tooling which facilitates the creation and maintenance of highly resilient
|
||||||
Quorum-based Key Management Systems based on a strict [threat model](threat-model.md)
|
Quorum-based Key Management Systems based on a strict [threat model](threat-model.md)
|
||||||
which can be used for a variety of different cryptographic algorithms. The
|
which can be used for a variety of different cryptographic algorithms. The
|
||||||
system was designed and developed by [Distrust](https://distrust.co), with the
|
system was designed and developed by [Distrust](https://distrust.co), with the
|
||||||
generous support of the following sponsors: TODO.
|
generous support of the following sponsors: TODO.
|
||||||
|
|
||||||
The basic premise of QKMS is that primary cryptographic material akin to a root
|
The basic premise of QKM is that primary cryptographic material akin to a root
|
||||||
certificate, called Root Entropy, is derived during a secure key derivation
|
certificate, called Root Entropy, is derived during a secure key derivation
|
||||||
ceremony, and then used to derive chosen cryptographic material via different
|
ceremony, and then used to derive chosen cryptographic material via different
|
||||||
algorithms such as PGP keys, digital asset wallets, web certificates and more.
|
algorithms such as PGP keys, digital asset wallets, web certificates and more.
|
||||||
|
|
@ -21,7 +21,7 @@ secret material, namely the Root Entropy.
|
||||||
|
|
||||||
## Use Cases
|
## Use Cases
|
||||||
|
|
||||||
QKMS can be used for a wide range of use-cases which span but are not limited
|
QKM can be used for a wide range of use-cases which span but are not limited
|
||||||
to:
|
to:
|
||||||
|
|
||||||
* Deriving a PGP key pair whose public key can be used as a "one-way deposit
|
* Deriving a PGP key pair whose public key can be used as a "one-way deposit
|
||||||
|
|
@ -40,7 +40,7 @@ a cold signing setup.
|
||||||
|
|
||||||
## Playbooks
|
## Playbooks
|
||||||
|
|
||||||
QKMS can be set up by using a set of highly opinionated playbooks which outline
|
QKM can be set up by using a set of highly opinionated playbooks which outline
|
||||||
the process. The documentation should be read in its entirety by all
|
the process. The documentation should be read in its entirety by all
|
||||||
participants in the ceremony in order to ensure that the system is well
|
participants in the ceremony in order to ensure that the system is well
|
||||||
understood by all in order to ensure that the integrity of the process is
|
understood by all in order to ensure that the integrity of the process is
|
||||||
|
|
@ -1,7 +1,7 @@
|
||||||
# Local Key Provisioning
|
# Local Key Provisioning
|
||||||
|
|
||||||
This document contains instructions on how Operators collaborate to set up
|
This document contains instructions on how Operators collaborate to set up
|
||||||
QKMS which requires an N-of-M quorum to be reconstituted. The encrypted shards
|
QKM which requires an N-of-M quorum to be reconstituted. The encrypted shards
|
||||||
which result from this ceremony are stored in separate physical
|
which result from this ceremony are stored in separate physical
|
||||||
[Locations](locations.md) which contain [Location Keys](glossary.md#location-key)
|
[Locations](locations.md) which contain [Location Keys](glossary.md#location-key)
|
||||||
to which shards are encrypted, and whose passphrases are protected using
|
to which shards are encrypted, and whose passphrases are protected using
|
||||||
|
|
@ -3,7 +3,7 @@
|
||||||
## Description
|
## Description
|
||||||
This ceremony is for generating Location Keys. Location Keys are typically
|
This ceremony is for generating Location Keys. Location Keys are typically
|
||||||
stored in vaults as prescribed in the [Secure Storage Guidelines](secure-storage-guidelines.md).
|
stored in vaults as prescribed in the [Secure Storage Guidelines](secure-storage-guidelines.md).
|
||||||
Location Keys are keypairs to which the Root Entropy of a QKMS is sharded. The
|
Location Keys are keypairs to which the Root Entropy of a QKM is sharded. The
|
||||||
keypairs are stored exclusively on Smart Cards, and the PINs which protect the
|
keypairs are stored exclusively on Smart Cards, and the PINs which protect the
|
||||||
Smart Cards are encrypted to Operator Keys.
|
Smart Cards are encrypted to Operator Keys.
|
||||||
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
# Physical Artifact Storage
|
# Physical Artifact Storage
|
||||||
|
|
||||||
QKMS requires that some of the hardware containing cryptographic material be
|
QKM requires that some of the hardware containing cryptographic material be
|
||||||
securely stored in physical locations. The two primary cases where physical
|
securely stored in physical locations. The two primary cases where physical
|
||||||
storage is necessary are the storage of Location Key Smart Cards, and Operator
|
storage is necessary are the storage of Location Key Smart Cards, and Operator
|
||||||
Key Smart Cards. These Smart Cards are necessary to successfully execute a
|
Key Smart Cards. These Smart Cards are necessary to successfully execute a
|
||||||
|
|
@ -1,7 +1,7 @@
|
||||||
# Redundant Storage of Ceremony Artifacts
|
# Redundant Storage of Ceremony Artifacts
|
||||||
|
|
||||||
Ceremony Artifacts consist of data which is not sensitive in nature, but
|
Ceremony Artifacts consist of data which is not sensitive in nature, but
|
||||||
essential to ongoing operation of a QKMS.
|
essential to ongoing operation of a QKM.
|
||||||
|
|
||||||
The primary artifacts which are produced during the ceremony are:
|
The primary artifacts which are produced during the ceremony are:
|
||||||
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
||||||
# Quorum Team
|
# Quorum Team
|
||||||
|
|
||||||
The Quorum Team is a team of individuals who are selected to perform different
|
The Quorum Team is a team of individuals who are selected to perform different
|
||||||
roles related to a QKMS. Some of the Quorum Team members have ongoing roles,
|
roles related to a QKM. Some of the Quorum Team members have ongoing roles,
|
||||||
while others may participate in a partial manner.
|
while others may participate in a partial manner.
|
||||||
|
|
||||||
Depending on the type of actions performed, some or all of the members of the
|
Depending on the type of actions performed, some or all of the members of the
|
||||||
|
|
@ -28,7 +28,7 @@ Controllers may be used to protect access to physical locations - according to
|
||||||
risk appetite.
|
risk appetite.
|
||||||
|
|
||||||
## Witness
|
## Witness
|
||||||
Witnesses are individuals who are familiar with the QKMS specification, and can
|
Witnesses are individuals who are familiar with the QKM specification, and can
|
||||||
ensure that the different aspects of the system are set up correctly, and
|
ensure that the different aspects of the system are set up correctly, and
|
||||||
processes carried out as they should be. The main objective of the witnesses is
|
processes carried out as they should be. The main objective of the witnesses is
|
||||||
to monitor and attest that processes such as the ceremonies are done according
|
to monitor and attest that processes such as the ceremonies are done according
|
||||||
|
|
@ -1,5 +1,5 @@
|
||||||
# Software
|
# Software
|
||||||
This page outlines the software used for setting up a QKMS. All software used in
|
This page outlines the software used for setting up a QKM. All software used in
|
||||||
the setup is open source and audited by security firms in order to ensure their
|
the setup is open source and audited by security firms in order to ensure their
|
||||||
security. Furthermore, all software is built in a deterministic manner and
|
security. Furthermore, all software is built in a deterministic manner and
|
||||||
reproduced by multiple individuals on diverse hardware to minimize the risks
|
reproduced by multiple individuals on diverse hardware to minimize the risks
|
||||||
|
|
@ -33,6 +33,6 @@ BIP-0039 mnemonic phrase. BIP-0039 phrases are used to calculate a BIP-0032
|
||||||
seed, which is used for hierarchical deterministic key derivation.
|
seed, which is used for hierarchical deterministic key derivation.
|
||||||
|
|
||||||
This software is the backbone for all cryptographic actions performed as part
|
This software is the backbone for all cryptographic actions performed as part
|
||||||
of QKMS. It was developed by [Distrust](https://distrust.co) and is included
|
of QKM. It was developed by [Distrust](https://distrust.co) and is included
|
||||||
with AirgapOS and has been audited by two firms, NCC and Cure53 with no
|
with AirgapOS and has been audited by two firms, NCC and Cure53 with no
|
||||||
significant vulnerabilities found.
|
significant vulnerabilities found.
|
||||||
|
|
@ -1,10 +1,10 @@
|
||||||
# Threat Model
|
# Threat Model
|
||||||
|
|
||||||
QKMS is designed according to a high-assurance threat model which ers on the
|
QKM is designed according to a high-assurance threat model which ers on the
|
||||||
side of making exaggerated, rather than conservative assumptions in order to
|
side of making exaggerated, rather than conservative assumptions in order to
|
||||||
build a resilient system.
|
build a resilient system.
|
||||||
|
|
||||||
The assumption is made that attackers who target QKMS are extremely
|
The assumption is made that attackers who target QKM are extremely
|
||||||
sophisticated, well funded and patient attackers, and as such, the full arsenal
|
sophisticated, well funded and patient attackers, and as such, the full arsenal
|
||||||
of attacks is on the table. This means that the attacker can purchase and
|
of attacks is on the table. This means that the attacker can purchase and
|
||||||
weaponize multiple 0day vulnerabilities, execute physical attacks or deploy
|
weaponize multiple 0day vulnerabilities, execute physical attacks or deploy
|
||||||
|
|
@ -18,7 +18,7 @@ whether it's maintainers of software used in the system, the firmware that's
|
||||||
used, or the individuals or locations that hold secret material which is the
|
used, or the individuals or locations that hold secret material which is the
|
||||||
backbone of the system.
|
backbone of the system.
|
||||||
|
|
||||||
To achieve this, the QKMS focuses on reducing the risk by:
|
To achieve this, the QKM focuses on reducing the risk by:
|
||||||
|
|
||||||
* Only using fully open source software and firmware to allow full verification
|
* Only using fully open source software and firmware to allow full verification
|
||||||
of their security
|
of their security
|
||||||
Loading…
Reference in New Issue