update one time use procurement and location and reusable laptop
ceremony
parent
24348cc6c6
commit
f4424b55af
|
@ -9,10 +9,9 @@
|
|||
* [Preparations]()
|
||||
* [Verifying Signatures](verifying-signatures.md)
|
||||
* [Tamper Evidence Methods](tamper-evidence-methods.md)
|
||||
* [Chain of Custody Methods](hardware-procurement-and-chain-of-custody.md)
|
||||
* [Selecting Locations](locations.md)
|
||||
|
||||
* [Fixed Location Reusable Laptop]()
|
||||
* [Location](locations.md)
|
||||
* [Procure Hardware](fixed-location-reusable-hardware-procurement.md)
|
||||
* [PureBoot]()
|
||||
* [Flash PureBoot to Librem](flash-pureboot-firmware.md)
|
||||
|
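Review bot: `locations.md` is listed twice in this table of contents, as `Selecting Locations` under Preparations and as `Location` under Fixed Location Reusable Laptop. If both entries survive the change, the same page is reachable under two titles. Keep one, or give the fixed-location flow its own page if its guidance differs from that for a site chosen at random. The entries with empty targets (`[Preparations]()`, `[Fixed Location Reusable Laptop]()`, `[PureBoot]()`) should be confirmed as intentional group headings rather than unfinished links.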
@ -25,8 +24,9 @@
|
|||
* [AirgapOS Setup](repeat-use-airgapos.md)
|
||||
* [`autorun.sh` Setup](autorun-sh-setup.md)
|
||||
|
||||
* [One Time Use]()
|
||||
* [Procure Hardware](one-time-use-hardware-procurement.md)
|
||||
* [One Time Use / Portable Use]()
|
||||
* [Location](one-time-use-locations.md)
|
||||
* [Procure Hardware](hardware-procurement-and-chain-of-custody.md)
|
||||
* [AirgapOS Setup](one-time-use-airgapos.md)
|
||||
* [Repository Setup](one-time-repository-setup.md)
|
||||
* [Selecting Locations](one-time-use-locations.md)
|
||||
|
|
|
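Review bot: In the One Time Use section, `Location` and `Selecting Locations` both target `one-time-use-locations.md`, and `Procure Hardware` appears with two targets, `one-time-use-hardware-procurement.md` and `hardware-procurement-and-chain-of-custody.md`. Check that only one entry of each pair remains, and that nothing still links to `one-time-use-hardware-procurement.md`, since a 33-line `# Procure Hardware` page is deleted later in this commit. The heading `One Time Use / Portable Use` now covers two flows, but no entry in these lines links a portable-use ceremony page, so readers of the summary may not find it.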
@ -12,7 +12,9 @@ The following steps must all be completed under the continued supervision and wi
|
|||
|
||||
1. Selecting a Purchase Location
|
||||
|
||||
Select at least 3 stores which carry the type of equipment being purchased, then randomly select one using the roll of a die, or other random method.
|
||||
Select at least 3 stores which carry the type of equipment being purchased, then randomly select one using the roll of a die, or other random method.
|
||||
|
||||
This is done in order to reduce the likelihood that a threat actor is able to plant a compromised computer in a store.
|
||||
|
||||
2. Within the store, identify available adequate laptops from the list of [tested hardware](#tested-hardware-airgapos-compatibility). Alternatively bring an SD card with AirgapOS, and test booting to it on the device on the store floor before purchasing it.
|
||||
|
||||
|
|
|
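Review bot: Step 1 does not say who draws up the list of at least 3 stores or when, so the rationale sentence added under it only holds if the list is made immediately before the purchase. The `# Procure Hardware` page removed in this commit required the store and laptop model to be "selected on the spot via consensus of at least 2 members of the Quorum"; suggest carrying that wording into step 1, and stating that the die roll happens in front of the witnesses. The duplicated `Select at least 3 stores ...` line looks like a whitespace-only change, so the indentation should be checked to confirm the paragraph still renders as part of list item 1.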
@ -1,33 +0,0 @@
|
|||
# Procure Hardware
|
||||
|
||||
* Procure a laptop, and SD cards from a randomly selected store. A randomly
|
||||
selected store is used in order to reduce the possibility of a malicious actor
|
||||
having time to plant compromised hardware at the store, and/or make arrangements
|
||||
by coercing store staff to sell compromised hardware to the quroum team. Of
|
||||
course, there still may be hardware that's compromised being sold, but is less
|
||||
likely to specifically target the quorum group.
|
||||
|
||||
* Ensure at least 2 people are in line of sight of access to all of the
|
||||
equipment, for example a bag carried in hand, until the ceremony is executed.
|
||||
This is done in order to eliminate the possibility of the equipment being
|
||||
swapped for compromised hardware.
|
||||
|
||||
* The laptop should ideally support booting from an SD card and have a built in
|
||||
micro or standard SD card reader; if this is not possible, USB SD card reader
|
||||
should be purchased.
|
||||
|
||||
* Dell laptops tend to have support for booting from SD cards so they are a
|
||||
good option.
|
||||
|
||||
* The store and laptop model should be selected on the spot via consensus of at
|
||||
least 2 members of the Quorum. This is done for several reasons:
|
||||
|
||||
* To ensure that no time is given to a malicious actor to deploy
|
||||
compromised hardware to the store
|
||||
|
||||
* To reduce likelihood that arrangements can be made by a malicious actor
|
||||
for the store to sell compromised hardware to the Quorum team
|
||||
|
||||
* Note that a secondary computer, or secondary SD card with bootable OS will be
|
||||
required in order to be able to verify the flashed AirgapOS SD card right before
|
||||
the ceremony.
|
|
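Review bot: This deletion removes three requirements that the replacement text visible in this commit does not restate: keeping the equipment in line of sight of at least 2 people until the ceremony, buying a USB SD card reader when the laptop has no built-in one, and the note that a secondary computer or secondary SD card with a bootable OS is needed to verify the flashed AirgapOS card. Before merging, confirm each of these is present in `hardware-procurement-and-chain-of-custody.md`, or move them there in this commit so the one-time-use flow does not lose them.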
@ -1,19 +1,20 @@
|
|||
# Selecting Locations
|
||||
|
||||
Secure a randomly selected location that has a private space with EM shielding,
|
||||
or no electronics in at least a 10 m radius. A moving vehicle (eg. car, bus,
|
||||
train, ferris wheel) is also a viable alternative. Additionally, the ceremony
|
||||
may be conducted in an open outdoor space, such as a forest, or a desert, at a
|
||||
location that is an open space not near any objects and ideally on a hard surface
|
||||
such as rock to prevent hidden devices in the ground. The point of narrowing the
|
||||
location selection to these spaces is that it makes it hard for a malicious
|
||||
actor to prepare for the ceremony and deploy equipment for side-channel attacks
|
||||
- with the intent of stealing the cryptographic material which is produced or
|
||||
managed during key ceremonies.
|
||||
* MUST be selected at random right before the ceremony
|
||||
|
||||
The location should be selected immediately before the ceremony in order to
|
||||
eliminate the possibility of a malicious actor having time to infiltrate and
|
||||
compromise the space ahead of the ceremony. The location may be compromised
|
||||
anyways, as a malicious actor may have done so with another target in mind, or a
|
||||
more broad campaign, for example in the case for three letter agencies may plant
|
||||
cameras and microphones in hotels for intel gathering.
|
||||
* MUST have physical access control to prevent inflow and outflow of personnel during ceremony
|
||||
|
||||
* SHOULD not have electronics in it as they can be used for side channel attacks
|
||||
|
||||
* SHOULD not have windows to prevent exfiltration of data via light or observation of screen
|
||||
|
||||
## Location Examples
|
||||
|
||||
* A hotel room although it is relatively common to find spying devices in them so they are not a great choice
|
||||
|
||||
* A moving vehicle such as car, bus, train, ferris wheel given that the operator is able to secure a space which can be locked and has no strangers in it
|
||||
|
||||
* Open space with nobody around such as a forest, desert, large parking lot etc.
|
||||
|
||||
|
||||
Despite all these measures, the location may be compromised anyways, as a malicious actor may have done so with another target in mind, or a more broad campaign, for example in the case for three letter agencies may plant cameras and microphones in hotels for intel gathering. For this reason it is always highly preferred to perform cryptographic actions in a properly secured facility such as a SCIF.
|
|
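Review bot: The rewrite to MUST/SHOULD bullets drops the measurable criterion from the old prose: "EM shielding, or no electronics in at least a 10 m radius" becomes "SHOULD not have electronics in it", which says nothing about adjacent rooms or shielding. Suggest keeping the 10 m figure and the shielding alternative in the bullet. If the keywords are meant in the RFC 2119 sense, `SHOULD not` should be written `SHOULD NOT`. The Location Examples list opens with a hotel room while describing it as "not a great choice", and the closing paragraph repeats the same hotel concern; consider listing it last or moving it to a separate list of discouraged locations. The closing sentence "for example in the case for three letter agencies may plant cameras" also needs a grammar pass.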
@ -1 +1,21 @@
|
|||
# Portable Reusable Laptop Ceremony
|
||||
|
||||
1. Procure a laptop set up for portable use.
|
||||
|
||||
* A polaroid of the laptop tamper evidence should be carried on person at all times
|
||||
|
||||
* A vacuum sealer, and plastic beads will be necessary in order to be able to re-seal the laptop after use
|
||||
|
||||
* A polaroid and digital camera are also required
|
||||
|
||||
2. The laptop can be left stored in a hidden location or ideally in a safe
|
||||
|
||||
3. Select a secure [location]()
|
||||
|
||||
4. Once in a secure location - control access to the location. It is highly preferred that no individuals enter or leave the facility during the ceremony.
|
||||
|
||||
5. Unseal the laptop using the [Unsealing Procedure](tamper-evidence-methods.md#procedure)
|
||||
|
||||
6. Follow the [coin playbook](TODO)
|
||||
|
||||
7. Once the ceremony is over use the [Sealing Procedure](tamper-evidence-methods.md#procedure) to seal the laptop.
|
||||
|
|
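Review bot: Steps 3 and 6 link to `[location]()` and `[coin playbook](TODO)`, so the runbook cannot be followed end to end as committed; point step 3 at the locations page and either link the playbook or mark the step as pending in the text. Steps 5 and 7 both resolve to `tamper-evidence-methods.md#procedure` for the Unsealing and Sealing procedures, which should be two distinct anchors if the procedures differ. In step 1, "A polaroid of the laptop tamper evidence" and "A polaroid and digital camera" use "polaroid" for both a photograph and a camera; say "polaroid photograph" and "polaroid camera". No step states that the seal is compared against the carried photograph before unsealing; if the linked procedure covers that, a short mention in step 5 would make the dependency explicit.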