add threat levels to tamper evidence doc

Anton Livaja 2024-12-06 15:03:07 -05:00
parent 92e6417552
commit d98cb21934
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
1 changed files with 32 additions and 2 deletions

@ -34,6 +34,34 @@ If photographs are not cryptographically signed, they can also be manipulated an
The reason this method is effective is because unlike with many other methods that tamper proof a specific part of an object, such as applying glitter to screws which leaves device ports exposed, or using cryptographic signing to verify the hardware has not been modified, still leaving the door to physical modifications, vacuum sealing with colored filler encases the entire object in a tamper evident manner. The reason this method is effective is because unlike with many other methods that tamper proof a specific part of an object, such as applying glitter to screws which leaves device ports exposed, or using cryptographic signing to verify the hardware has not been modified, still leaving the door to physical modifications, vacuum sealing with colored filler encases the entire object in a tamper evident manner.
#### Level 1 + 2
This threat level assumes fairly unsophisticated attackers, and as such, basic tamper proofing methods can be effective. These attackers would have a difficult time pursuing physical attacks such as evil maiden attacks, or covertly stealing and replacing hardware.
As such one of the following combinations of tamper proofing methods MUST be used:
* [Glitter on screw](#glitter-on-screws) + [pureboot/heads](#pureboot--heads)
* [Vacuum sealing with filler](#vacuum-sealed-bags-with-filler)
#### Level 3
This level of threat actors has a more extensive range of attacks which may include physical attacks. As such additional counter measures are required to ensure that the integrity and confidentiality of information is retained. The threat modelling document contains more information about this [level](threat-model.md#level-3)
* MUST combine [glitter on screws](#glitter-on-screws), [pureboot/heads](#pureboot--heads), and [vacuum sealing with filler](#vacuum-sealed-bags-with-filler)
* MUST maintain 2 person [chain of custody](hardware-procurement-and-chain-of-custody.md)
#### Level 4
This is the highest threat level and as such requires additional controls which protect hardware. More details around the capabilities of threat actors at this level are available in the [threat modeling document](threat-model.md#level-4)
* MUST use high grade tamper evident safes
* MUST use physical access controls
* MUST have continued surveillance of the storage location
### Adequate Filler ### Adequate Filler
To achieve the best level of randomness and difficulty of reproducing the arrangement of filler in a vacuum sealed bag, a variety of beads of different sizes and color should be used. They may be made of different materials as well but plastic is excellent because it doesn't change form when vacuum sealed - which can make it easier to reproduce patterns. Materials such as confetti and packing beans may be used, but because they can be flattened and retain the shape, arranging them in a given pattern is much easier. Other options like beans or lentils have less variety in color and shapes which makes it harder to detect differences. To achieve the best level of randomness and difficulty of reproducing the arrangement of filler in a vacuum sealed bag, a variety of beads of different sizes and color should be used. They may be made of different materials as well but plastic is excellent because it doesn't change form when vacuum sealed - which can make it easier to reproduce patterns. Materials such as confetti and packing beans may be used, but because they can be flattened and retain the shape, arranging them in a given pattern is much easier. Other options like beans or lentils have less variety in color and shapes which makes it harder to detect differences.
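Review bot: The new "Level 4" list names only safes, physical access controls and surveillance, and never says whether the Level 3 MUSTs (glitter on screws, pureboot/heads, vacuum sealing with filler, 2 person chain of custody) still apply, so as written the highest level can be read as dropping them. Suggest a first bullet such as "MUST meet all Level 3 requirements" if the levels are meant to be cumulative. Smaller points in the same hunk: "evil maiden attacks" under "Level 1 + 2" should be "evil maid attacks"; the Level 4 controls have no link or definition, unlike the controls in the other levels; the link text "Glitter on screw" does not match its target heading; and the Level 3 and Level 4 paragraphs end at the link without a period and spell "modelling" / "modeling" two ways.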
@ -114,7 +142,7 @@ There is no "unsealing" procedure as the glitter used on screws, or in other sim
To verify that the seal has not been tampered, compare the glitter arrangement to a photograph which had been previously signed and stored. Both operators should have a copy of the picture and use it to verify the integrity of the seal. To verify that the seal has not been tampered, compare the glitter arrangement to a photograph which had been previously signed and stored. Both operators should have a copy of the picture and use it to verify the integrity of the seal.
## Pureboot / Heads ## PureBoot / Heads
This tamper proofing method is designed to protect the secure boot process of a computer. It does not protect the computer from physical tampering which can be used to ad This tamper proofing method is designed to protect the secure boot process of a computer. It does not protect the computer from physical tampering which can be used to ad
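Review bot: The heading becomes "PureBoot / Heads" here, but the links this commit adds under the Level 1 + 2 and Level 3 sections still use the text "pureboot/heads". Suggest using "PureBoot / Heads" as the link text there as well so the document refers to the method one way; the `#pureboot--heads` anchor itself is lower-case and should not need to change.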
@ -135,7 +163,9 @@ To construct an appropriate Tamper Proofing Station, the simplest setup consists
* Powerful LED light which can be attached to the mounting rig * Powerful LED light which can be attached to the mounting rig
* Camera which does not have radio cards in it and * Camera which does not have radio cards in it and
* Has >10MP * Has >10MP
* Uses SD cards for storing photographs * Uses SD cards for storing photographs
* Polaroid camera which can be attached to the mounting rig * Polaroid camera which can be attached to the mounting rig
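Review bot: The camera item in this list, "Camera which does not have radio cards in it and", ends on a dangling "and", and "Has >10MP" and "Uses SD cards for storing photographs" read as its continuation rather than as separate equipment. Suggest rewording it to something like "Camera which:" with the three requirements as sub-items, so an operator checking the station against this list can tell which lines are properties of the camera and which are separate items.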