fix: rename to Quorum Key Management (QKM)

Anton Livaja 2024-08-03 19:02:38 -04:00
parent 8ce53c2b7b
commit a813634432
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
36 changed files with 24 additions and 24 deletions


@ -1,6 +1,6 @@
# Quorum Key Management System (QKMS) # Quorum Key Management (QKM)
Quorum Key Management System (QKMS) is an open source system of playbooks and tooling which Quorum Key Management (QKM) is an open source system of playbooks and tooling which
facilitates the creation and maintenance of highly resilient Quorum-based Key facilitates the creation and maintenance of highly resilient Quorum-based Key
Management Systems based on a strict threat model which can be used for a Management Systems based on a strict threat model which can be used for a
variety of different cryptographic algorithms. variety of different cryptographic algorithms.


@ -3,4 +3,4 @@ authors = ["Anton Livaja", "Lance R. Vick", "Ryan Heywood"]
language = "en" language = "en"
multilingual = false multilingual = false
src = "src" src = "src"
title = "Quorum Key Management System (QKMS)" title = "Quorum Key Management (QKM)"


@ -4,14 +4,14 @@
In cryptography, ciphertext is the result of encryption performed on plaintext In cryptography, ciphertext is the result of encryption performed on plaintext
using an algorithm, called a cipher. using an algorithm, called a cipher.
## Quorum Key Management System (QKMS) ## Quorum Key Management (QKM)
A set of highly specified processes and tooling used for setting up a highly A set of highly specified processes and tooling used for setting up a highly
resilient quorum-based key management system. resilient quorum-based key management system.
## Operator ## Operator
An individual who manages an [Operator Key](#operator-key) which is used for An individual who manages an [Operator Key](#operator-key) which is used for
protecting the passphrase of a Location key and participates in different protecting the passphrase of a Location key and participates in different
aspects of the lifecycle management of the QKMS system. aspects of the lifecycle management of the QKM system.
## Operator Key ## Operator Key
An asymmetric key used for protecting the passphrase of a Location key An asymmetric key used for protecting the passphrase of a Location key
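
Review bot: in the Operator entry the new text reads "lifecycle management of the QKM system", which keeps "system" as a separate word, while other hunks in this commit use the acronym itself as the noun ("owns the QKM", "operation of a QKM", "set up QKM"). With "System" dropped from the expanded name, "a QKM" no longer expands to a thing one can set up or own. Pick one usage, for example "a QKM system", and apply it across the pages touched here.
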
@ -85,7 +85,7 @@ M is the minimum number of shards required to reassemble the secret, and N is th
total number of shards that exist. The minimum recommended threshold is 2-of-3. total number of shards that exist. The minimum recommended threshold is 2-of-3.
## Organization ## Organization
An organization which owns the QKMS and is responsible for funding the setup and An organization which owns the QKM and is responsible for funding the setup and
maintenance. The organization is also responsible for ensuring that the maintenance. The organization is also responsible for ensuring that the
[Warehouse](#warehouse) is properly maintained in order to ensure that the [Warehouse](#warehouse) is properly maintained in order to ensure that the
ciphertext blobs associated with the system are redundantly stored and ciphertext blobs associated with the system are redundantly stored and


@ -8,7 +8,7 @@ kind of hardware supply chain compromise, has the same vulnerability present, or
has the same type of hardware failure issue. has the same type of hardware failure issue.
Based on the decided upon [Quorum](selecting-quorum.md), the amount of equipment Based on the decided upon [Quorum](selecting-quorum.md), the amount of equipment
required to set up a [QKMS](glossary.md#quroum-kms-qkms) will required to set up a [QKM](glossary.md#quroum-kms-QKM) will
vary. In order to figure out what equipment is required, decide on a Quorum, vary. In order to figure out what equipment is required, decide on a Quorum,
which is expressed as "N of M". Once you know your M, the required equipment list which is expressed as "N of M". Once you know your M, the required equipment list
is the following: is the following:
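
Review bot: the link target on the changed line is now `glossary.md#quroum-kms-QKM`, so the search-and-replace rewrote a URL fragment rather than prose. The fragment keeps the misspelling "quroum", is now mixed-case, and still contains "kms", while the glossary heading in this commit becomes `## Quorum Key Management (QKM)`. Set the fragment to the anchor generated from that heading and check the rendered page so the glossary link resolves.
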
@ -57,7 +57,7 @@ security and verifiable software
## Air-Gapped Computer ## Air-Gapped Computer
[Air-Gapped](glossary.md#Air-Gapped) computers are used for the lifecycle management [Air-Gapped](glossary.md#Air-Gapped) computers are used for the lifecycle management
of cryptographic material that is part of QKMS. of cryptographic material that is part of QKM.
The primary hardware recommendation for a Air-Gapped Computer is the [Librem 14](https://puri.sm/products/librem-14/), manufactured by [Purism](puri.sm). Purism specializes in reducing hardware and The primary hardware recommendation for a Air-Gapped Computer is the [Librem 14](https://puri.sm/products/librem-14/), manufactured by [Purism](puri.sm). Purism specializes in reducing hardware and
firmware security risks, especially via their [Anti-Interdiction Service](https://puri.sm/posts/anti-interdiction-services/) and [PureBoot](https://docs.puri.sm/PureBoot.html) firmware security risks, especially via their [Anti-Interdiction Service](https://puri.sm/posts/anti-interdiction-services/) and [PureBoot](https://docs.puri.sm/PureBoot.html)
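
Review bot: in the context line of this hunk, `[Purism](puri.sm)` has no scheme, so the renderer treats it as a relative path inside the book instead of the vendor site; since this page is where readers are sent to buy trusted hardware, use `https://puri.sm` like the neighbouring Librem 14 and PureBoot links. The same line has "a Air-Gapped Computer", which should be "an Air-Gapped Computer".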


@ -1,7 +1,7 @@
# Hybrid Key Provisioning # Hybrid Key Provisioning
This document contains instructions on how Operators collaborate to set up This document contains instructions on how Operators collaborate to set up
QKMS where the Operator Keys and Location Keys were generated before this QKM where the Operator Keys and Location Keys were generated before this
ceremony and only the PGP Public Certificates of the Location keys are brought ceremony and only the PGP Public Certificates of the Location keys are brought
to the ceremony which are used to shard the Root Entropy. This is useful to the ceremony which are used to shard the Root Entropy. This is useful
when conducting the ceremony in a lower trust environment, and where not all when conducting the ceremony in a lower trust environment, and where not all


@ -1,13 +1,13 @@
# Introduction # Introduction
Quorum Key Management System (QKMS) is an open source system of playbooks and Quorum Key Management (QKM) is an open source system of playbooks and
tooling which facilitates the creation and maintenance of highly resilient tooling which facilitates the creation and maintenance of highly resilient
Quorum-based Key Management Systems based on a strict [threat model](threat-model.md) Quorum-based Key Management Systems based on a strict [threat model](threat-model.md)
which can be used for a variety of different cryptographic algorithms. The which can be used for a variety of different cryptographic algorithms. The
system was designed and developed by [Distrust](https://distrust.co), with the system was designed and developed by [Distrust](https://distrust.co), with the
generous support of the following sponsors: TODO. generous support of the following sponsors: TODO.
The basic premise of QKMS is that primary cryptographic material akin to a root The basic premise of QKM is that primary cryptographic material akin to a root
certificate, called Root Entropy, is derived during a secure key derivation certificate, called Root Entropy, is derived during a secure key derivation
ceremony, and then used to derive chosen cryptographic material via different ceremony, and then used to derive chosen cryptographic material via different
algorithms such as PGP keys, digital asset wallets, web certificates and more. algorithms such as PGP keys, digital asset wallets, web certificates and more.
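
Review bot: the first paragraph of this hunk still ends with "the following sponsors: TODO." as published text. Either list the sponsors or drop the clause until there is something to put there, so the introduction does not ship with a placeholder.
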
@ -21,7 +21,7 @@ secret material, namely the Root Entropy.
## Use Cases ## Use Cases
QKMS can be used for a wide range of use-cases which span but are not limited QKM can be used for a wide range of use-cases which span but are not limited
to: to:
* Deriving a PGP key pair whose public key can be used as a "one-way deposit * Deriving a PGP key pair whose public key can be used as a "one-way deposit
@ -40,7 +40,7 @@ a cold signing setup.
## Playbooks ## Playbooks
QKMS can be set up by using a set of highly opinionated playbooks which outline QKM can be set up by using a set of highly opinionated playbooks which outline
the process. The documentation should be read in its entirety by all the process. The documentation should be read in its entirety by all
participants in the ceremony in order to ensure that the system is well participants in the ceremony in order to ensure that the system is well
understood by all in order to ensure that the integrity of the process is understood by all in order to ensure that the integrity of the process is


@ -1,7 +1,7 @@
# Local Key Provisioning # Local Key Provisioning
This document contains instructions on how Operators collaborate to set up This document contains instructions on how Operators collaborate to set up
QKMS which requires an N-of-M quorum to be reconstituted. The encrypted shards QKM which requires an N-of-M quorum to be reconstituted. The encrypted shards
which result from this ceremony are stored in separate physical which result from this ceremony are stored in separate physical
[Locations](locations.md) which contain [Location Keys](glossary.md#location-key) [Locations](locations.md) which contain [Location Keys](glossary.md#location-key)
to which shards are encrypted, and whose passphrases are protected using to which shards are encrypted, and whose passphrases are protected using
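
Review bot: "N-of-M quorum" on the changed line uses the letters the opposite way round from the glossary hunk in this commit, whose context defines M as the minimum number of shards needed to reassemble the secret and N as the total number of shards. The equipment page also writes "N of M" and then sizes the equipment list from M. A reader who mixes these up can misjudge how many shard holders are needed, so settle on one convention (the glossary's M-of-N) and use it in every playbook.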


@ -3,7 +3,7 @@
## Description ## Description
This ceremony is for generating Location Keys. Location Keys are typically This ceremony is for generating Location Keys. Location Keys are typically
stored in vaults as prescribed in the [Secure Storage Guidelines](secure-storage-guidelines.md). stored in vaults as prescribed in the [Secure Storage Guidelines](secure-storage-guidelines.md).
Location Keys are keypairs to which the Root Entropy of a QKMS is sharded. The Location Keys are keypairs to which the Root Entropy of a QKM is sharded. The
keypairs are stored exclusively on Smart Cards, and the PINs which protect the keypairs are stored exclusively on Smart Cards, and the PINs which protect the
Smart Cards are encrypted to Operator Keys. Smart Cards are encrypted to Operator Keys.
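
Review bot: the last sentence of this hunk says the Smart Card PINs are encrypted to Operator Keys, while the glossary hunk in this commit describes the Operator Key as protecting "the passphrase of a Location key". If the PIN and the passphrase are the same secret, use one term in both places; if they are different secrets, say which one the Operator Key protects, since this determines what an Operator must hold to unlock a Location Key.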


@ -1,6 +1,6 @@
# Physical Artifact Storage # Physical Artifact Storage
QKMS requires that some of the hardware containing cryptographic material be QKM requires that some of the hardware containing cryptographic material be
securely stored in physical locations. The two primary cases where physical securely stored in physical locations. The two primary cases where physical
storage is necessary are the storage of Location Key Smart Cards, and Operator storage is necessary are the storage of Location Key Smart Cards, and Operator
Key Smart Cards. These Smart Cards are necessary to successfully execute a Key Smart Cards. These Smart Cards are necessary to successfully execute a


@ -1,7 +1,7 @@
# Redundant Storage of Ceremony Artifacts # Redundant Storage of Ceremony Artifacts
Ceremony Artifacts consist of data which is not sensitive in nature, but Ceremony Artifacts consist of data which is not sensitive in nature, but
essential to ongoing operation of a QKMS. essential to ongoing operation of a QKM.
The primary artifacts which are produced during the ceremony are: The primary artifacts which are produced during the ceremony are:


@ -1,7 +1,7 @@
# Quorum Team # Quorum Team
The Quorum Team is a team of individuals who are selected to perform different The Quorum Team is a team of individuals who are selected to perform different
roles related to a QKMS. Some of the Quorum Team members have ongoing roles, roles related to a QKM. Some of the Quorum Team members have ongoing roles,
while others may participate in a partial manner. while others may participate in a partial manner.
Depending on the type of actions performed, some or all of the members of the Depending on the type of actions performed, some or all of the members of the
@ -28,7 +28,7 @@ Controllers may be used to protect access to physical locations - according to
risk appetite. risk appetite.
## Witness ## Witness
Witnesses are individuals who are familiar with the QKMS specification, and can Witnesses are individuals who are familiar with the QKM specification, and can
ensure that the different aspects of the system are set up correctly, and ensure that the different aspects of the system are set up correctly, and
processes carried out as they should be. The main objective of the witnesses is processes carried out as they should be. The main objective of the witnesses is
to monitor and attest that processes such as the ceremonies are done according to monitor and attest that processes such as the ceremonies are done according


@ -1,5 +1,5 @@
# Software # Software
This page outlines the software used for setting up a QKMS. All software used in This page outlines the software used for setting up a QKM. All software used in
the setup is open source and audited by security firms in order to ensure their the setup is open source and audited by security firms in order to ensure their
security. Furthermore, all software is built in a deterministic manner and security. Furthermore, all software is built in a deterministic manner and
reproduced by multiple individuals on diverse hardware to minimize the risks reproduced by multiple individuals on diverse hardware to minimize the risks
@ -33,6 +33,6 @@ BIP-0039 mnemonic phrase. BIP-0039 phrases are used to calculate a BIP-0032
seed, which is used for hierarchical deterministic key derivation. seed, which is used for hierarchical deterministic key derivation.
This software is the backbone for all cryptographic actions performed as part This software is the backbone for all cryptographic actions performed as part
of QKMS. It was developed by [Distrust](https://distrust.co) and is included of QKM. It was developed by [Distrust](https://distrust.co) and is included
with AirgapOS and has been audited by two firms, NCC and Cure53 with no with AirgapOS and has been audited by two firms, NCC and Cure53 with no
significant vulnerabilities found. significant vulnerabilities found.
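
Review bot: the closing sentence of this hunk states the software "has been audited by two firms, NCC and Cure53 with no significant vulnerabilities found" without pointing to either report. For a page whose purpose is to justify trust in the tooling, link the published reports and name the version or commit each audit covered, so readers can check that the build they run is the one that was reviewed.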


@ -1,10 +1,10 @@
# Threat Model # Threat Model
QKMS is designed according to a high-assurance threat model which ers on the QKM is designed according to a high-assurance threat model which ers on the
side of making exaggerated, rather than conservative assumptions in order to side of making exaggerated, rather than conservative assumptions in order to
build a resilient system. build a resilient system.
The assumption is made that attackers who target QKMS are extremely The assumption is made that attackers who target QKM are extremely
sophisticated, well funded and patient attackers, and as such, the full arsenal sophisticated, well funded and patient attackers, and as such, the full arsenal
of attacks is on the table. This means that the attacker can purchase and of attacks is on the table. This means that the attacker can purchase and
weaponize multiple 0day vulnerabilities, execute physical attacks or deploy weaponize multiple 0day vulnerabilities, execute physical attacks or deploy
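
Review bot: the first changed line carries over the typo "which ers on the side of"; since the line is being rewritten anyway, correct it to "errs". The phrase "exaggerated, rather than conservative assumptions" would also read more clearly with a comma after "conservative".
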
@ -18,7 +18,7 @@ whether it's maintainers of software used in the system, the firmware that's
used, or the individuals or locations that hold secret material which is the used, or the individuals or locations that hold secret material which is the
backbone of the system. backbone of the system.
To achieve this, the QKMS focuses on reducing the risk by: To achieve this, the QKM focuses on reducing the risk by:
* Only using fully open source software and firmware to allow full verification * Only using fully open source software and firmware to allow full verification
of their security of their security