diff --git a/quorum-key-management/src/tamper-evidence-methods.md b/quorum-key-management/src/tamper-evidence-methods.md index 218dba9..af0d5cc 100644 --- a/quorum-key-management/src/tamper-evidence-methods.md +++ b/quorum-key-management/src/tamper-evidence-methods.md @@ -34,6 +34,34 @@ If photographs are not cryptographically signed, they can also be manipulated an The reason this method is effective is because unlike with many other methods that tamper proof a specific part of an object, such as applying glitter to screws which leaves device ports exposed, or using cryptographic signing to verify the hardware has not been modified, still leaving the door to physical modifications, vacuum sealing with colored filler encases the entire object in a tamper evident manner. +#### Level 1 + 2 + +This threat level assumes fairly unsophisticated attackers, and as such, basic tamper proofing methods can be effective. These attackers would have a difficult time pursuing physical attacks such as evil maiden attacks, or covertly stealing and replacing hardware. + +As such one of the following combinations of tamper proofing methods MUST be used: + +* [Glitter on screw](#glitter-on-screws) + [pureboot/heads](#pureboot--heads) + +* [Vacuum sealing with filler](#vacuum-sealed-bags-with-filler) + +#### Level 3 + +This level of threat actors has a more extensive range of attacks which may include physical attacks. As such additional counter measures are required to ensure that the integrity and confidentiality of information is retained. The threat modelling document contains more information about this [level](threat-model.md#level-3) + +* MUST combine [glitter on screws](#glitter-on-screws), [pureboot/heads](#pureboot--heads), and [vacuum sealing with filler](#vacuum-sealed-bags-with-filler) + +* MUST maintain 2 person [chain of custody](hardware-procurement-and-chain-of-custody.md) + +#### Level 4 + +This is the highest threat level and as such requires additional controls which protect hardware. More details around the capabilities of threat actors at this level are available in the [threat modeling document](threat-model.md#level-4) + +* MUST use high grade tamper evident safes + +* MUST use physical access controls + +* MUST have continued surveillance of the storage location + ### Adequate Filler To achieve the best level of randomness and difficulty of reproducing the arrangement of filler in a vacuum sealed bag, a variety of beads of different sizes and color should be used. They may be made of different materials as well but plastic is excellent because it doesn't change form when vacuum sealed - which can make it easier to reproduce patterns. Materials such as confetti and packing beans may be used, but because they can be flattened and retain the shape, arranging them in a given pattern is much easier. Other options like beans or lentils have less variety in color and shapes which makes it harder to detect differences. @@ -114,7 +142,7 @@ There is no "unsealing" procedure as the glitter used on screws, or in other sim To verify that the seal has not been tampered, compare the glitter arrangement to a photograph which had been previously signed and stored. Both operators should have a copy of the picture and use it to verify the integrity of the seal. -## Pureboot / Heads +## PureBoot / Heads This tamper proofing method is designed to protect the secure boot process of a computer. It does not protect the computer from physical tampering which can be used to ad @@ -135,7 +163,9 @@ To construct an appropriate Tamper Proofing Station, the simplest setup consists * Powerful LED light which can be attached to the mounting rig * Camera which does not have radio cards in it and + * Has >10MP + * Uses SD cards for storing photographs * Polaroid camera which can be attached to the mounting rig @@ -152,4 +182,4 @@ Pick a location for the station, and attach the LED light and the camera to the * [Purism anti-interidction](http://web.archive.org/web/20241121233006/https://puri.sm/posts/anti-interdiction-services/) -* [Purism Liberty phone anti-interdiction](http://web.archive.org/web/20240903104700/https://puri.sm/posts/anti-interdiction-on-the-librem-5-usa/) \ No newline at end of file +* [Purism Liberty phone anti-interdiction](http://web.archive.org/web/20240903104700/https://puri.sm/posts/anti-interdiction-on-the-librem-5-usa/)