From 435f83338784d96e3678501e01637f52314b34b7 Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Wed, 27 Nov 2024 11:12:33 -0500 Subject: [PATCH 1/7] wip for tamper proofing and chain of custody docs --- quorum-key-management/src/SUMMARY.md | 3 + quorum-key-management/src/glossary.md | 3 + ...rdware-procurement-and-chain-of-custody.md | 37 ++++ .../src/tamper-evidence-methods.md | 181 ++++++++++++++++++ 4 files changed, 224 insertions(+) create mode 100644 quorum-key-management/src/hardware-procurement-and-chain-of-custody.md create mode 100644 quorum-key-management/src/tamper-evidence-methods.md diff --git a/quorum-key-management/src/SUMMARY.md b/quorum-key-management/src/SUMMARY.md index 6442cbd..ac73379 100644 --- a/quorum-key-management/src/SUMMARY.md +++ b/quorum-key-management/src/SUMMARY.md @@ -7,6 +7,9 @@ * [Glossary](glossary.md) * [Preparations]() + * [Tamper Evidence Methods](tamper-evidence-methods.md) + * [Chain of Custody Methods](hardware-procurement-and-chain-of-custody.md) + * [Repeat Use]() * [Flash PureBoot to Librem](flash-pureboot-firmware.md) * [Initialize PureBoot Smart Card](initialize-pureboot-smart-card.md) diff --git a/quorum-key-management/src/glossary.md b/quorum-key-management/src/glossary.md index 20fd05b..f89d085 100644 --- a/quorum-key-management/src/glossary.md +++ b/quorum-key-management/src/glossary.md @@ -133,3 +133,6 @@ importantly the Root Entropy was never exposed. * [Version Control Systems](software.md#version-control-system-vcs): * We tolerate a loss of all but one DR storage backend * A minimum of three storage backends should be maintained + +## MICE +A mnemonic device used in counterintelligence training to remind trainees of the four general motivations that could lead someone to commit treason, become an insider threat, or collaborate with a hostile agency or organization. It stands for Money, Ideology, Compromise, and Ego. \ No newline at end of file diff --git a/quorum-key-management/src/hardware-procurement-and-chain-of-custody.md b/quorum-key-management/src/hardware-procurement-and-chain-of-custody.md new file mode 100644 index 0000000..2606445 --- /dev/null +++ b/quorum-key-management/src/hardware-procurement-and-chain-of-custody.md @@ -0,0 +1,37 @@ +# Procurement & Chain of Custody + +## Provisioning Chain of Custody + +Materials and devices which are used in the context of a high assurance system need to be monitored carefully from the moment they are purchased to ensure there are no single points of failure. Going back to the assumption that participants in the system are subject to [MICE](./glossary.md#MICE) and as such may pose a threat to the system, special care has to be taken that multiple individuals are involved in the whole lifecycle of provisioning a piece of equipment. + +All steps of the provisioning process need to be completed under the supervision of at least 2 individuals, but benefit from having even more individuals present to increase the number of witnesses and allow individuals to take washroom breaks, purchase food and take breaks. + +The following steps must all be completed under the continued supervision and with the involvement of all parties present. It is instrumental that there is not a single moment where the device is left unsupervised, or under the supervision of only 1 individual. + +## Provisioning Hardware + +1. Selecting a Purchase Location + +Select at least 3 stores which carry the type of equipment being purchased, then randomly select one using the roll of a die, or other random method. + +2. Within the store, identify available adequate laptops from the list of [tested hardware](#tested-hardware-airgapos-compatibility). Alternatively bring an SD card with AirgapOS, and test booting to it on the device on the store floor before purchasing it. + +3. Purchase the device and place it in a see-through plastic bag which will be used to transport it to a "processing location" (TODO define processing location). + +4. At the processing location, one of the individuals is responsible for observing while the other opens the back of the laptop and removes: + +* Radio cards (wifi, bluetooth) + +* Storage drive + +* Speakers + +* Microphone + +Each laptop model is laid out slightly differently so use an online reference and/or read the names of the components which are found in the laptop to determine which parts to remove. + +5. Apply a [tamper proofing](./tamper-evidence-methods.md) method to the device depending on the [device designation](TODO) + +## Tested Hardware (AirgapOS Compatibility) +* HP 13" Intel Celeron - 4GB Memory - 64GB eMMC, HP 14-dq0052dx, SKU: 6499749, UPC: 196548430192, DCS: 6.768.5321, ~USD $179.99 +* Lenovo 14" Flex 5i FHD Touchscreen 2-in-1 Laptop - Intel Core i3-1215U - 8GB Memory - Intel UHD Graphics, SKU: 6571565, ~USD $379.99 \ No newline at end of file diff --git a/quorum-key-management/src/tamper-evidence-methods.md b/quorum-key-management/src/tamper-evidence-methods.md new file mode 100644 index 0000000..29ba307 --- /dev/null +++ b/quorum-key-management/src/tamper-evidence-methods.md @@ -0,0 +1,181 @@ +# Tamper Evidence Methods + +There are different methods which can be used to ensure that objects have not been tampered between uses. This is especially relevant for equipment such as laptops. Each method comes with tradeoffs, and in the context of high assurance security it is instrumental to understand the tradeoffs in order to achieve an adequate level of confidence that supplies such as computers used for high risk operations retain their integrity. + +There are a number of common methods which appear to provide a reasonable level of tamper evidence, but in fact do not. It is worth noting a few examples of these such as using tamper evident tape, or even glitter if done improperly. This document will focus on illustrating adequate methods, rather than enumerating ones that are inadequate. + +## Properties + +Tamper evident methods need to be: + +* Difficult to circumvent + +* Simple to set up + +* Simple to verify + +There are three reasonably secure methods which have been identified and are explored in this document that can be used in different contexts: + +* Vacuum sealed bags along with colored filler + +* Glitter on screws + +* Heads / Pureboot for secure boot + +## Vacuum Sealed Bags With Filler + +One of the most reliable methods for ensuring tamper evidence relies on the randomness and difficulty of placing small objects henceforth referred to as "filler" (colored rice, lentils, confetti) in a transparent bag to encase an object which is then vacuum sealed. By placing an object in a transparent, vacuum sealable bag and surrounding it with filler, an arrangement of the colored objects around the object in the bag can be achieved which is difficult to reproduce. Upon sealing the object in this manner, photos can be taken to use as a reference once the object is accessed again. + +### Threat Model + +There are no known attacks for this type of tamper proofing method when executed properly. The main sources of risk stem from consistent and repeatable photography and comparison of photographs to ensure that any changes can be detected. + +The reason this method is effective is because unlike with many other methods that tamper proof a specific part of an object, such as applying glitter to screws which leaves device ports exposed, or using cryptographic signing to verify the hardware has not been modified, still leaving the door to physical modifications, vacuum sealing with colored filler encases the entire object in a tamper evident manner. + +### Adequate Filler + +To achieve the best level of randomness and difficulty of reproducing the arrangement of filler in a vacuum sealed bag, a variety of beads of different sizes and color should be used. + +### Additional Considerations + +* This strategy may be layered, for example if one chooses to apply it to a hardware token, the sealed hardware token can be placed inside of a bigger bag, along with a laptop. + +* A similar method can be used but with a bin that the object is placed into. The main disadvantage here is that this type of tamper proofing is not resistant to seismic activity, air movement, or other sourced of vibration which could shift filler around. + +### Procedure + +#### Requirements + +* Vacuum sealer +* Sealing bags of standard size objects which need to be protected can fit in. The bags should be perfectly see through, rather than with writing or any irregularities in the plastic which can obfuscate the view of the inside of the bag. +* Variety of beads of different sizes and colors + +#### Sealing + +1. Insert object into plastic bag +2. Fill bag with enough plastic beads that all of the object is surrounded +3. Use vacuum sealer to remove air from the bag until the beads are no longer able to move +4. Use the [Tamper Proofing Station](#tamper-proofing-station) to take a photograph of both sides of the sealed object using both the digital and polaroid camera +5. Take the SD card to an online connected device and commit the photograph to a repository, ensuring the commit is signed + +#### Unsealing +1. Retrieve photographs which were taken of the sealed object and print them out, one copy for each operator +2. Use the photographs and compare them to the sealed object, ensuring the arrangement of the filler in the sealed bag is the same on both sides of the object +3. If there is no noticeable difference, proceed with unsealing the object, otherwise initiate an incident response process. + +## Glitter on Screws + +Glitter can be used as an additional control to provide tamper evidence on specific parts of hardware such as laptop screws - in case an adversary attempts to open the laptop and introduce a malicious chip, antenna or otherwise. While glitter allows to detect physical tampering of the hardware, it does not provide tamper evidence of the firmware and software that runs on the computer, and as such is not sufficient for adequate tamper proofing of laptops on its own. + +### Procedure + +#### Requirements + +* 2 or 3 different types of glitter, ideally with small and large pieces of glitter of different colors + +#### Sealing + +1. Clean the surface the glitter will be applied to + +2. Apply a thin layer of the first type of glitter + +3. Wait for it to dry + +4. Repeat steps 2, 3 with the different types of glitter being used + +5. Take a photograph of the laptop, preferably using the [tamper proofing station](TODO) + +#### Verification + +There is no "unsealing" procedure as the glitter used on screws, or in other similar contexts is meant as a more permanent control. As such the primary action that's performed is the verification of the integrity of the tamper proofing seal. + +To verify that the seal has not been tampered, compare the glitter arrangement to a photograph which had been previously signed and stored. Both operators should have a copy of the picture and use it to verify the integrity of the seal. + +## Pureboot / Heads + +This tamper proofing method is designed to protect the secure boot process of a computer. It does not protect the computer from physical tampering which can be used to ad + +### Procedure + +Refer to the [PureBoot Setup](./enable-pure-boot-restricted-boot.md) document + +## Tamper Proofing Station + +The Tamper Proofing Station is a simple structure used to make it easy to take photographs which have consistent lightning, consistent angle, and consistent distance from the object being photograph. In this manner, photographs can be taken which ensure that any differences in the sealed object can be easily detected. + +### Instructions + +To construct an appropriate Tamper Proofing Station, the simplest setup consists of: + +* Overhead camera mounting rig + +* Powerful LED light which can be attached to the mounting rig + +* Camera which does not have radio cards in it and + * Has >10MP + * Uses SD cards for storing photographs + +* Polaroid camera which can be attached to the mounting rig + +Pick a location for the station, and attach the LED light and the camera to the overhead camera mounting rig. Set up the camera so that when it's turned on, a 14" laptop is perfectly framed without having to zoom in or out if possible. + + + +--- + +### One Time Use Device + +#### Threat Model +One time use laptops are specially prepared for using in field operation but can also be used inside of a secure facility. The primary objective of this setup is that the laptop is provisioned ahead of time, and is considered to be secure for use, but is to be destroyed afterwards. + +- [ ] Destroying hardware +- [ ] isn't the only difference between this and portable multi use that the laptop is resealed? + +--- + +### Portable Multi-Use Device + +This type of device is essentially just a "One Time Use" device, with the added caveat that the operator has a tamper proofing method available to protect the device between uses. The device can not be trusted by other individuals, but only by the individual who used the device, as there are no other witnesses. + +--- + +### Fixed Location Device + +This device is intended for use in a secure facility such as a [SCIF](TODO) which has the added assurances of protecting the environment from a wide range of side-channel attacks, as well as protection from physical attacks, and more comprehensive tamper proofing controls. + +The fixed location should include a work-station which makes it easy to perform the [tamper proofing](todo) procedure. This station may consist of a simple frame which holds a LED light, for consistent lightning, as well as a camera stand above it which can be used to take pictures. The camera should have an SD card that easily slides out of it so that the device doesn't leave and re-enter the room, only the SD card does. + * TODO: this is actually not necessary for the fixed location device, but it's good to have this setup in the same facility maybe for processing/setting up the one time use laptops + +The primary tamper proofing methods for the fixed location device are: + +* Heads firmware protection (TODO link to document which explains how to set up Purism) + +* Glitter to prevent physical access to hardware (TODO link to how to properly use glitter for tamper proofing) + +* On-premises audio and visual monitoring (TODO select appropriate equipment) + +* Physical vault (TODO find adequate vaults) + +#### Procedure + +If at any moment one of the individual has to leave, the Sealing procedure should be performed and both parties should exit the room. For prolonged sessions consider having 3 operators present in order to be able to have 1 individual leave while still having 2 witnesses present in the operating room. + +##### Unsealing +* TODO (before entering room review monitoring video / audio to see if there was intrusion) +1. Ensure that there are at least 2 individuals present who are authorized present before entering the facility +2. Ensure that nobody is carrying any type of electrical device on them. To achieve this a metal detection gate or a hand-held metal detector may be used +3. Gain access to the safe, and take out a laptop which will be used for performing cryptographic actions +4. Check the screws on the bottom of the laptop to ensure that they have not been removed +4. Use the hardware token set up for that laptop in order to verify that the laptop firmware has not been tampered +5. Proceed with [booting sequence](TODO) depending on the type of action being performed + +##### Sealing +1. Shut down machine +2. Remove and store the hardware token in it's appropriate location +3. Place the laptop in the safe and lock it +4. Exit the facility. + +## References + +* [Blog About Tamper Evident Protection Methods](https://dys2p.com/en/2021-12-tamper-evident-protection.html) + -- 2.40.1 From 9c33166409dd6c3acadb3affea44078edd05f7f2 Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Wed, 27 Nov 2024 15:46:34 -0500 Subject: [PATCH 2/7] minor updates --- .../src/tamper-evidence-methods.md | 30 ++++++++++--------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/quorum-key-management/src/tamper-evidence-methods.md b/quorum-key-management/src/tamper-evidence-methods.md index 29ba307..51ec39a 100644 --- a/quorum-key-management/src/tamper-evidence-methods.md +++ b/quorum-key-management/src/tamper-evidence-methods.md @@ -1,6 +1,6 @@ # Tamper Evidence Methods -There are different methods which can be used to ensure that objects have not been tampered between uses. This is especially relevant for equipment such as laptops. Each method comes with tradeoffs, and in the context of high assurance security it is instrumental to understand the tradeoffs in order to achieve an adequate level of confidence that supplies such as computers used for high risk operations retain their integrity. +There are different methods which can be used to ensure that objects have not been tampered between uses. This is especially relevant for equipment such as laptops. Each method comes with tradeoffs, and in the context of high assurance security it is instrumental to understand the tradeoffs in order to achieve an adequate level of confidence that supplies such as computers used for high risk operations retain their integrity. There are a number of common methods which appear to provide a reasonable level of tamper evidence, but in fact do not. It is worth noting a few examples of these such as using tamper evident tape, or even glitter if done improperly. This document will focus on illustrating adequate methods, rather than enumerating ones that are inadequate. @@ -20,27 +20,29 @@ There are three reasonably secure methods which have been identified and are exp * Glitter on screws -* Heads / Pureboot for secure boot +* Heads / Pureboot for secure boot ## Vacuum Sealed Bags With Filler -One of the most reliable methods for ensuring tamper evidence relies on the randomness and difficulty of placing small objects henceforth referred to as "filler" (colored rice, lentils, confetti) in a transparent bag to encase an object which is then vacuum sealed. By placing an object in a transparent, vacuum sealable bag and surrounding it with filler, an arrangement of the colored objects around the object in the bag can be achieved which is difficult to reproduce. Upon sealing the object in this manner, photos can be taken to use as a reference once the object is accessed again. +One of the most reliable methods for ensuring tamper evidence relies on the randomness and difficulty of placing small objects henceforth referred to as "filler" (colored rice, lentils, confetti) in a transparent bag to encase an object which is then vacuum sealed. By placing an object in a transparent, vacuum sealable bag and surrounding it with filler, an arrangement of the colored objects around the object in the bag can be achieved which is difficult to reproduce. Upon sealing the object in this manner, photos can be taken to use as a reference once the object is accessed again. ### Threat Model There are no known attacks for this type of tamper proofing method when executed properly. The main sources of risk stem from consistent and repeatable photography and comparison of photographs to ensure that any changes can be detected. +If photographs are not cryptographically signed, they can also be manipulated and/or replaced which could result in the compromise of the system as well. + The reason this method is effective is because unlike with many other methods that tamper proof a specific part of an object, such as applying glitter to screws which leaves device ports exposed, or using cryptographic signing to verify the hardware has not been modified, still leaving the door to physical modifications, vacuum sealing with colored filler encases the entire object in a tamper evident manner. ### Adequate Filler -To achieve the best level of randomness and difficulty of reproducing the arrangement of filler in a vacuum sealed bag, a variety of beads of different sizes and color should be used. +To achieve the best level of randomness and difficulty of reproducing the arrangement of filler in a vacuum sealed bag, a variety of beads of different sizes and color should be used. They may be made of different materials as well. ### Additional Considerations * This strategy may be layered, for example if one chooses to apply it to a hardware token, the sealed hardware token can be placed inside of a bigger bag, along with a laptop. -* A similar method can be used but with a bin that the object is placed into. The main disadvantage here is that this type of tamper proofing is not resistant to seismic activity, air movement, or other sourced of vibration which could shift filler around. +* A similar method can be used but with a bin filled with filler that the object is placed into. The main disadvantage here is that this type of tamper proofing is not resistant to seismic activity, air movement, or other sourced of vibration which could shift filler around. ### Procedure @@ -59,7 +61,7 @@ To achieve the best level of randomness and difficulty of reproducing the arrang 5. Take the SD card to an online connected device and commit the photograph to a repository, ensuring the commit is signed #### Unsealing -1. Retrieve photographs which were taken of the sealed object and print them out, one copy for each operator +1. Retrieve photographs which were taken of the sealed object and print them out, one copy for each operator 2. Use the photographs and compare them to the sealed object, ensuring the arrangement of the filler in the sealed bag is the same on both sides of the object 3. If there is no noticeable difference, proceed with unsealing the object, otherwise initiate an incident response process. @@ -77,13 +79,13 @@ Glitter can be used as an additional control to provide tamper evidence on speci 1. Clean the surface the glitter will be applied to -2. Apply a thin layer of the first type of glitter +2. Apply a thin layer of the first type of glitter 3. Wait for it to dry 4. Repeat steps 2, 3 with the different types of glitter being used -5. Take a photograph of the laptop, preferably using the [tamper proofing station](TODO) +5. Take a photograph of the laptop, preferably using the [tamper proofing station](TODO) #### Verification @@ -96,7 +98,7 @@ To verify that the seal has not been tampered, compare the glitter arrangement t This tamper proofing method is designed to protect the secure boot process of a computer. It does not protect the computer from physical tampering which can be used to ad ### Procedure - + Refer to the [PureBoot Setup](./enable-pure-boot-restricted-boot.md) document ## Tamper Proofing Station @@ -107,17 +109,17 @@ The Tamper Proofing Station is a simple structure used to make it easy to take p To construct an appropriate Tamper Proofing Station, the simplest setup consists of: -* Overhead camera mounting rig +* Overhead camera mounting rig * Powerful LED light which can be attached to the mounting rig * Camera which does not have radio cards in it and - * Has >10MP + * Has >10MP * Uses SD cards for storing photographs * Polaroid camera which can be attached to the mounting rig -Pick a location for the station, and attach the LED light and the camera to the overhead camera mounting rig. Set up the camera so that when it's turned on, a 14" laptop is perfectly framed without having to zoom in or out if possible. +Pick a location for the station, and attach the LED light and the camera to the overhead camera mounting rig. Set up the camera so that when it's turned on, a 14" laptop is perfectly framed without having to zoom in or out if possible. @@ -141,7 +143,7 @@ This type of device is essentially just a "One Time Use" device, with the added ### Fixed Location Device -This device is intended for use in a secure facility such as a [SCIF](TODO) which has the added assurances of protecting the environment from a wide range of side-channel attacks, as well as protection from physical attacks, and more comprehensive tamper proofing controls. +This device is intended for use in a secure facility such as a [SCIF](TODO) which has the added assurances of protecting the environment from a wide range of side-channel attacks, as well as protection from physical attacks, and more comprehensive tamper proofing controls. The fixed location should include a work-station which makes it easy to perform the [tamper proofing](todo) procedure. This station may consist of a simple frame which holds a LED light, for consistent lightning, as well as a camera stand above it which can be used to take pictures. The camera should have an SD card that easily slides out of it so that the device doesn't leave and re-enter the room, only the SD card does. * TODO: this is actually not necessary for the fixed location device, but it's good to have this setup in the same facility maybe for processing/setting up the one time use laptops @@ -162,7 +164,7 @@ If at any moment one of the individual has to leave, the Sealing procedure shoul ##### Unsealing * TODO (before entering room review monitoring video / audio to see if there was intrusion) -1. Ensure that there are at least 2 individuals present who are authorized present before entering the facility +1. Ensure that there are at least 2 individuals present who are authorized present before entering the facility 2. Ensure that nobody is carrying any type of electrical device on them. To achieve this a metal detection gate or a hand-held metal detector may be used 3. Gain access to the safe, and take out a laptop which will be used for performing cryptographic actions 4. Check the screws on the bottom of the laptop to ensure that they have not been removed -- 2.40.1 From 24348cc6c6392f2f1139f9f442913b0580c10ad4 Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Thu, 28 Nov 2024 18:30:19 -0500 Subject: [PATCH 3/7] add new docs and refactor --- quorum-key-management/src/SUMMARY.md | 28 ++++++++---- ...-location-reusable-hardware-procurement.md | 41 +++++++++++++++++ ...fixed-location-reusable-laptop-ceremony.md | 45 +++++++++++++++++++ quorum-key-management/src/glossary.md | 3 ++ quorum-key-management/src/locations.md | 6 +-- .../src/one-time-use-airgapos.md | 13 +----- .../src/one-time-use-laptop-coin-ceremony.md | 1 + .../src/portable-reusable-laptop-ceremony.md | 1 + .../src/repeat-use-airgapos.md | 18 +------- .../src/verifying-signatures.md | 29 ++++++++++++ 10 files changed, 146 insertions(+), 39 deletions(-) create mode 100644 quorum-key-management/src/fixed-location-reusable-hardware-procurement.md create mode 100644 quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md create mode 100644 quorum-key-management/src/one-time-use-laptop-coin-ceremony.md create mode 100644 quorum-key-management/src/portable-reusable-laptop-ceremony.md create mode 100644 quorum-key-management/src/verifying-signatures.md diff --git a/quorum-key-management/src/SUMMARY.md b/quorum-key-management/src/SUMMARY.md index ac73379..9281ab9 100644 --- a/quorum-key-management/src/SUMMARY.md +++ b/quorum-key-management/src/SUMMARY.md @@ -7,18 +7,23 @@ * [Glossary](glossary.md) * [Preparations]() + * [Verifying Signatures](verifying-signatures.md) * [Tamper Evidence Methods](tamper-evidence-methods.md) * [Chain of Custody Methods](hardware-procurement-and-chain-of-custody.md) + * [Selecting Locations](locations.md) - * [Repeat Use]() - * [Flash PureBoot to Librem](flash-pureboot-firmware.md) - * [Initialize PureBoot Smart Card](initialize-pureboot-smart-card.md) - * [Change Smart Card PINs](setting-smart-card-pins.md) - * [PureBoot Restricted Boot](enable-pure-boot-restricted-boot.md) - * [AirgapOS Setup](repeat-use-airgapos.md) - * [`autorun.sh` Setup](autorun-sh-setup.md) - * [Secure Boot Sequence](secure-boot-sequence.md) - * [Selecting Locations](locations.md) + * [Fixed Location Reusable Laptop]() + * [Procure Hardware](fixed-location-reusable-hardware-procurement.md) + * [PureBoot]() + * [Flash PureBoot to Librem](flash-pureboot-firmware.md) + * [Initialize PureBoot Smart Card](initialize-pureboot-smart-card.md) + * [Change Smart Card PINs](setting-smart-card-pins.md) + * [PureBoot Restricted Boot](enable-pure-boot-restricted-boot.md) + * [PureBoot Boot Sequence](secure-boot-sequence.md) + + * [AirgapOS Setup]() + * [AirgapOS Setup](repeat-use-airgapos.md) + * [`autorun.sh` Setup](autorun-sh-setup.md) * [One Time Use]() * [Procure Hardware](one-time-use-hardware-procurement.md) @@ -41,6 +46,11 @@ * [Online Artifact Storage](public-ceremony-artifact-storage.md) * [Physical Artifact Storage](physical-artifact-storage.md) +* [Coin Ceremonies]() + * [One Time Use Laptop Ceremony](one-time-use-laptop-coin-ceremony.md) + * [Portable Reusable Laptop Ceremony](portable-reusable-laptop-ceremony.md) + * [Fixed Location Reusable Laptop Ceremony](fixed-location-reusable-laptop-ceremony.md) + * [Lifecycle Management]() * [Destroying Hardware](hardware-destruction.md) * [Storage Device Management](storage-device-management.md) \ No newline at end of file diff --git a/quorum-key-management/src/fixed-location-reusable-hardware-procurement.md b/quorum-key-management/src/fixed-location-reusable-hardware-procurement.md new file mode 100644 index 0000000..59176ff --- /dev/null +++ b/quorum-key-management/src/fixed-location-reusable-hardware-procurement.md @@ -0,0 +1,41 @@ +# Procure Hardware + +1. Select a librem 14 laptop from https://puri.sm, and ensure: + + * Memory: 8GB + + * Storage: 250GB + + * Power Adapter Plug: US + + * Wireless: No wireless + + * Firmware: PureBoot Bundle Anti-Interdiction (PureBoot Bundle Plus + Anti-interdiction services) + + * Operating System: PureOS + + * Warranty: 1 Year + + * Privacy Screen: Privacy Screen for Librem 14 + + * USB Flash Drive: No USB Flash Drive + +2. Purism will reach out via email and establish secure communications using PGP, so ensure that the individual who is in charge of procurement has a PGP key that's been set up securely. Purism will: + + * Modify the laptop as per order specifications, in this case removing radio cards. + + * Seal the screws on the bottom of the laptop using glitter of chosen color + + * Take photographs of the inside of the laptop, then of the outside after it's sealed + + * The photographs will be signed by Purism and encrypted to the PGP key used for communications to protect the integrity of the images + + * The firmware verification hardware token can be sent to a separate location from the laptop, and will be tamper sealed using tamper proofing tape + + * TODO: find out if we can have vacuum sealing with filler as a tamper proofing method be provided by Purism + + * The laptop will be sealed in a box using tamper proofing tape + +3. Once the laptop is received, it should not be opened until at least 2 parties are present and principles of [chain of custody](hardware-procurement-and-chain-of-custody.md) can be upheld. The images of tamper proofing provided by Purism should be used to ensure that the hardware had not been tampered, and the hardware token to verify firmware is in tact. + +4. Once the hardware is properly verified to not have been tampered in transit, a [tamper evidence method](tamper-evidence-methods.md) should be applied to the laptop before it's stored. \ No newline at end of file diff --git a/quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md b/quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md new file mode 100644 index 0000000..a36b3c8 --- /dev/null +++ b/quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md @@ -0,0 +1,45 @@ +# Fixed Location Reusable Laptop Ceremony + +1. Select at least two authorized operators who will be participating in the ceremony + +2. Print photographs of tamper proofing of the laptop which will be used for the ceremony + +3. Make an entry into the access log, specifying the: + + * Individuals involved + + * Approximate time of entry + +4. Enter the SCIF, ensuring to lock the door behind you from the inside. The room should not be accessible from the outside during a ceremony. + +5. Access the laptop safe, and move the laptop, its hardware token, and polaroid to the Tamper Proofing Workstation + + * Compare the polaroid and digital photographs for any differences + + * Then compare the photographs to the actual object + + * If there are any issues detected, initiate incident response + +6. Initiate the [Secure Boot Sequence](secure-boot-sequence.md) + +7. Use one of the [Coin Playbooks]() to perform actions for a given coin + + * TODO... + +8. Once the ceremony is completed, use the [Sealing Procedure](tamper-evidence-methods.md#procedure) to reseal and photograph the laptop + + * Use a new SD card for taking photographs of the sealed laptop + +9. Remove the SD card from the camera and use chain of custody principles to ensure the integrity of the data + +10. Place the sealed laptop and signed polaroids, as well as the hardware token back in the safe + +11. Exit the SCIF and lock it + +12. Update the log with the exit time + +13. Upload the photos to a git repository, ensuring the commit is signed using PGP + + * TODO: add more details around how the storage of images should work + + * TODO: ensure there is a pgp doc that can be linked to (for setup and use) \ No newline at end of file diff --git a/quorum-key-management/src/glossary.md b/quorum-key-management/src/glossary.md index f89d085..1c0e530 100644 --- a/quorum-key-management/src/glossary.md +++ b/quorum-key-management/src/glossary.md @@ -60,6 +60,9 @@ which is set at the time of initial sharding, expressed as M of N, or in other words M shards of the total N shards in existence are required to reveal the secret. +## Secure Compartmentalized Information Facility (SCIF) + + ## Workstation Highly secure computer which is used for sensitive operations, typically in the diff --git a/quorum-key-management/src/locations.md b/quorum-key-management/src/locations.md index 77dc795..4c982ef 100644 --- a/quorum-key-management/src/locations.md +++ b/quorum-key-management/src/locations.md @@ -1,7 +1,7 @@ # Location Locations refer to physical points in space which are used for storing -cryptographic material or performing actions related to the DRK lifecycle and +cryptographic material or performing actions using the cryptographic material and adhere to a set of criteria which focus on achieving a high level of security - specifically with respect to: @@ -66,7 +66,7 @@ standard NATO SDIP-27 Level A locations simultaneously * SHOULD be facilities owned by different organizations to reduce the risk of -collusion unless the organization who owns the DRK has their own facility such -as a SCIF (Secure Compartmentalized Information Facility) +collusion unless the organization who owns the QKM system has their own facility such +as a [SCIF](glossary.md#secure-compartmentalized-information-facility-scif). * SHOULD have seismic detectors diff --git a/quorum-key-management/src/one-time-use-airgapos.md b/quorum-key-management/src/one-time-use-airgapos.md index 3265c03..8956d54 100644 --- a/quorum-key-management/src/one-time-use-airgapos.md +++ b/quorum-key-management/src/one-time-use-airgapos.md @@ -6,18 +6,9 @@ instead the AirgapOS `.iso` image is flashed to an SD card, locked using ## Setup Steps -* Clone the latest AirgapOS version: - - * `git clone git@distrust.co:public/airgap.git` - -* Build the image: - - * `cd airgap && make` - -* Verify `sha256sum` of airgap matches hashes in `/dist` - -* Verify signatures on the hashes in `/dist`. The maintainer pgp keys can be found on the [Distrust contact page](https://distrust.co/contact.html) page. +* Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository. Use the `make reproduce` command. +* Verify the software according to [this](verifying-signatures.md) guide * Flash `airgap.iso` to an SD Card: diff --git a/quorum-key-management/src/one-time-use-laptop-coin-ceremony.md b/quorum-key-management/src/one-time-use-laptop-coin-ceremony.md new file mode 100644 index 0000000..46fedad --- /dev/null +++ b/quorum-key-management/src/one-time-use-laptop-coin-ceremony.md @@ -0,0 +1 @@ +# One Time Use Laptop Ceremony diff --git a/quorum-key-management/src/portable-reusable-laptop-ceremony.md b/quorum-key-management/src/portable-reusable-laptop-ceremony.md new file mode 100644 index 0000000..0a4cf4b --- /dev/null +++ b/quorum-key-management/src/portable-reusable-laptop-ceremony.md @@ -0,0 +1 @@ +# Portable Reusable Laptop Ceremony diff --git a/quorum-key-management/src/repeat-use-airgapos.md b/quorum-key-management/src/repeat-use-airgapos.md index 223fd29..c0e465f 100644 --- a/quorum-key-management/src/repeat-use-airgapos.md +++ b/quorum-key-management/src/repeat-use-airgapos.md @@ -4,23 +4,9 @@ This section can be completed on any machine. AirgapOS has `keyfork` built into it for cryptographic operations such as key derivation. -1. Clone the `AirgapOS` repository locally or download it as a zip +1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository. Use the `make reproduce` command. - To clone use the following command in the terminal: - ``` - cd ~ - git clone git@distrust.co:public/airgap.git - ``` - - To download as a ZIP from https://git.distrust.co/public/airgap: - ![Downloading AirgapOS as ZIP](img/download-airgap-os.png) - -2. Navigate into the `airgap` repository locally, and build the iso image. - ``` - cd ~/airgap - make reproduce - ``` -The resulting iso will be located in `airgap/out/` +2. Verify the software according to [this](verifying-signatures.md) guide 3. Place signed .iso on a storage device diff --git a/quorum-key-management/src/verifying-signatures.md b/quorum-key-management/src/verifying-signatures.md new file mode 100644 index 0000000..e185f08 --- /dev/null +++ b/quorum-key-management/src/verifying-signatures.md @@ -0,0 +1,29 @@ +# Verifying Signatures + +When building and downloading software it is essential to verify signatures to ensure its integrity. + +Verification of software depends on two primary aspects: + +* Ensuring that the hash of a binary matches some point of reference, for example the same binary previously built by a trusted team member, or a hash hosted alongside the software in the download location. + +* Ensuring that signatures alongside hashes are from trusted asymmetric keys (e.g PGP keys) + +In order to achieve this, one must establish that specific keys are "well known" and can be trusted - that is, that they belong to a given individual. To achieve this, the best method is to exchange keys in person, but a combination of the following methods gives even higher confidence thresholds: + +* Verifying the key in person + +* Finding a reference to a public key on the individual's personal website + +* Finding a reference to a public key on the individual's social media platforms + +* Finding a keyoxide profile for a given public key + +* Finding a reference to a public key on a company website + +* Looking up popular key servers to see if a given individual is associated with it + +Each point of reference allows us to build confidence that the key is indeed owned by an individual. + +One other consideration is how the key is protected. If possible, find out how the individual manages their key. If the key is stored on a local machine, the trust level for that key should be low. If the individual always manages their keys in airgapped environments, and on HSMs, then a higher level of trust can be ascribed - although ultimately in most cases it's impossible to verify that the individual followed a given policy around key management. + +One favorable method for ensuring that a key never got exposed is using built in cryptographic attestation that a key never left a TPM, such as the one offered by YubiKey. While this type of key setup has the downside of not being able to back it up, one could use a master key to sign such a key, authorizing it for use, while giving the flexibility to rotate if the hardware token is damaged or lost. \ No newline at end of file -- 2.40.1 From f4424b55afabad40e817b0c48ab5bcef6aa82d20 Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Sat, 30 Nov 2024 19:38:04 -0500 Subject: [PATCH 4/7] update one time use procurement and location and reusable laptop ceremony --- quorum-key-management/src/SUMMARY.md | 8 ++--- ...rdware-procurement-and-chain-of-custody.md | 4 ++- .../src/one-time-use-hardware-procurement.md | 33 ------------------- .../src/one-time-use-locations.md | 33 ++++++++++--------- .../src/portable-reusable-laptop-ceremony.md | 20 +++++++++++ 5 files changed, 44 insertions(+), 54 deletions(-) delete mode 100644 quorum-key-management/src/one-time-use-hardware-procurement.md diff --git a/quorum-key-management/src/SUMMARY.md b/quorum-key-management/src/SUMMARY.md index 9281ab9..dcef4f2 100644 --- a/quorum-key-management/src/SUMMARY.md +++ b/quorum-key-management/src/SUMMARY.md @@ -9,10 +9,9 @@ * [Preparations]() * [Verifying Signatures](verifying-signatures.md) * [Tamper Evidence Methods](tamper-evidence-methods.md) - * [Chain of Custody Methods](hardware-procurement-and-chain-of-custody.md) - * [Selecting Locations](locations.md) * [Fixed Location Reusable Laptop]() + * [Location](locations.md) * [Procure Hardware](fixed-location-reusable-hardware-procurement.md) * [PureBoot]() * [Flash PureBoot to Librem](flash-pureboot-firmware.md) @@ -25,8 +24,9 @@ * [AirgapOS Setup](repeat-use-airgapos.md) * [`autorun.sh` Setup](autorun-sh-setup.md) - * [One Time Use]() - * [Procure Hardware](one-time-use-hardware-procurement.md) + * [One Time Use / Portable Use]() + * [Location](one-time-use-locations.md) + * [Procure Hardware](hardware-procurement-and-chain-of-custody.md) * [AirgapOS Setup](one-time-use-airgapos.md) * [Repository Setup](one-time-repository-setup.md) * [Selecting Locations](one-time-use-locations.md) diff --git a/quorum-key-management/src/hardware-procurement-and-chain-of-custody.md b/quorum-key-management/src/hardware-procurement-and-chain-of-custody.md index 2606445..c30a18b 100644 --- a/quorum-key-management/src/hardware-procurement-and-chain-of-custody.md +++ b/quorum-key-management/src/hardware-procurement-and-chain-of-custody.md @@ -12,7 +12,9 @@ The following steps must all be completed under the continued supervision and wi 1. Selecting a Purchase Location -Select at least 3 stores which carry the type of equipment being purchased, then randomly select one using the roll of a die, or other random method. + Select at least 3 stores which carry the type of equipment being purchased, then randomly select one using the roll of a die, or other random method. + + This is done in order to reduce the likelihood that a threat actor is able to plant a compromised computer in a store. 2. Within the store, identify available adequate laptops from the list of [tested hardware](#tested-hardware-airgapos-compatibility). Alternatively bring an SD card with AirgapOS, and test booting to it on the device on the store floor before purchasing it. diff --git a/quorum-key-management/src/one-time-use-hardware-procurement.md b/quorum-key-management/src/one-time-use-hardware-procurement.md deleted file mode 100644 index f3a0793..0000000 --- a/quorum-key-management/src/one-time-use-hardware-procurement.md +++ /dev/null @@ -1,33 +0,0 @@ -# Procure Hardware - -* Procure a laptop, and SD cards from a randomly selected store. A randomly -selected store is used in order to reduce the possibility of a malicious actor -having time to plant compromised hardware at the store, and/or make arrangements -by coercing store staff to sell compromised hardware to the quroum team. Of -course, there still may be hardware that's compromised being sold, but is less -likely to specifically target the quorum group. - -* Ensure at least 2 people are in line of sight of access to all of the -equipment, for example a bag carried in hand, until the ceremony is executed. -This is done in order to eliminate the possibility of the equipment being -swapped for compromised hardware. - -* The laptop should ideally support booting from an SD card and have a built in -micro or standard SD card reader; if this is not possible, USB SD card reader -should be purchased. - -* Dell laptops tend to have support for booting from SD cards so they are a -good option. - -* The store and laptop model should be selected on the spot via consensus of at -least 2 members of the Quorum. This is done for several reasons: - - * To ensure that no time is given to a malicious actor to deploy - compromised hardware to the store - - * To reduce likelihood that arrangements can be made by a malicious actor - for the store to sell compromised hardware to the Quorum team - -* Note that a secondary computer, or secondary SD card with bootable OS will be -required in order to be able to verify the flashed AirgapOS SD card right before -the ceremony. \ No newline at end of file diff --git a/quorum-key-management/src/one-time-use-locations.md b/quorum-key-management/src/one-time-use-locations.md index 49fba61..bb8579c 100644 --- a/quorum-key-management/src/one-time-use-locations.md +++ b/quorum-key-management/src/one-time-use-locations.md @@ -1,19 +1,20 @@ # Selecting Locations -Secure a randomly selected location that has a private space with EM shielding, -or no electronics in at least a 10 m radius. A moving vehicle (eg. car, bus, -train, ferris wheel) is also a viable alternative. Additionally, the ceremony -may be conducted in an open outdoor space, such as a forest, or a desert, at a -location that is an open space not near any objects and ideally on a hard surface -such as rock to prevent hidden devices in the ground. The point of narrowing the -location selection to these spaces is that it makes it hard for a malicious -actor to prepare for the ceremony and deploy equipment for side-channel attacks -- with the intent of stealing the cryptographic material which is produced or -managed during key ceremonies. +* MUST be selected at random right before the ceremony + +* MUST have physical access control to prevent inflow and outflow of personnel during ceremony -The location should be selected immediately before the ceremony in order to -eliminate the possibility of a malicious actor having time to infiltrate and -compromise the space ahead of the ceremony. The location may be compromised -anyways, as a malicious actor may have done so with another target in mind, or a -more broad campaign, for example in the case for three letter agencies may plant -cameras and microphones in hotels for intel gathering. \ No newline at end of file +* SHOULD not have electronics in it as they can be used for side channel attacks + +* SHOULD not have windows to prevent exfiltration of data via light or observation of screen + +## Location Examples + +* A hotel room although it is relatively common to find spying devices in them so they are not a great choice + +* A moving vehicle such as car, bus, train, ferris wheel given that the operator is able to secure a space which can be locked and has no strangers in it + +* Open space with nobody around such as a forest, desert, large parking lot etc. + + +Despite all these measures, the location may be compromised anyways, as a malicious actor may have done so with another target in mind, or a more broad campaign, for example in the case for three letter agencies may plant cameras and microphones in hotels for intel gathering. For this reason it is always highly preferred to perform cryptographic actions in a properly secured facility such as a SCIF. \ No newline at end of file diff --git a/quorum-key-management/src/portable-reusable-laptop-ceremony.md b/quorum-key-management/src/portable-reusable-laptop-ceremony.md index 0a4cf4b..cd7fd06 100644 --- a/quorum-key-management/src/portable-reusable-laptop-ceremony.md +++ b/quorum-key-management/src/portable-reusable-laptop-ceremony.md @@ -1 +1,21 @@ # Portable Reusable Laptop Ceremony + +1. Procure a laptop set up for portable use. + + * A polaroid of the laptop tamper evidence should be carried on person at all times + + * A vacuum sealer, and plastic beads will be necessary in order to be able to re-seal the laptop after use + + * A polaroid and digital camera are also required + +2. The laptop can be left stored in a hidden location or ideally in a safe + +3. Select a secure [location]() + +4. Once in a secure location - control access to the location. It is highly preferred that no individuals enter or leave the facility during the ceremony. + +5. Unseal the laptop using the [Unsealing Procedure](tamper-evidence-methods.md#procedure) + +6. Follow the [coin playbook](TODO) + +7. Once the ceremony is over use the [Sealing Procedure](tamper-evidence-methods.md#procedure) to seal the laptop. -- 2.40.1 From 930017285b4daa4c2e51b345c8806eeeff72b46e Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Sun, 1 Dec 2024 14:43:04 -0500 Subject: [PATCH 5/7] many updates --- quorum-key-management/src/SUMMARY.md | 1 + ...fixed-location-reusable-laptop-ceremony.md | 42 +++++++++++++- quorum-key-management/src/glossary.md | 3 + quorum-key-management/src/intro.md | 10 ++-- .../src/one-time-use-laptop-coin-ceremony.md | 5 ++ .../src/one-time-use-locations.md | 4 +- .../src/portable-reusable-laptop-ceremony.md | 8 +++ quorum-key-management/src/software.md | 5 ++ quorum-key-management/src/system-roles.md | 32 +++++++++++ .../src/tamper-evidence-methods.md | 57 +------------------ quorum-key-management/src/threat-model.md | 4 ++ 11 files changed, 108 insertions(+), 63 deletions(-) create mode 100644 quorum-key-management/src/system-roles.md diff --git a/quorum-key-management/src/SUMMARY.md b/quorum-key-management/src/SUMMARY.md index dcef4f2..be31442 100644 --- a/quorum-key-management/src/SUMMARY.md +++ b/quorum-key-management/src/SUMMARY.md @@ -2,6 +2,7 @@ * [Introduction](intro.md) * [Threat Model](threat-model.md) * [Selecting a Quorum](selecting-quorum.md) + * [System Roles](system-roles.md) * [Software](software.md) * [Hardware](hardware.md) * [Glossary](glossary.md) diff --git a/quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md b/quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md index a36b3c8..a497f05 100644 --- a/quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md +++ b/quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md @@ -42,4 +42,44 @@ * TODO: add more details around how the storage of images should work - * TODO: ensure there is a pgp doc that can be linked to (for setup and use) \ No newline at end of file + * TODO: ensure there is a pgp doc that can be linked to (for setup and use) + +--- + +TODO: integrate this + +### Fixed Location Device + +This device is intended for use in a secure facility such as a [SCIF](TODO) which has the added assurances of protecting the environment from a wide range of side-channel attacks, as well as protection from physical attacks, and more comprehensive tamper proofing controls. + +The fixed location should include a work-station which makes it easy to perform the [tamper proofing](todo) procedure. This station may consist of a simple frame which holds a LED light, for consistent lightning, as well as a camera stand above it which can be used to take pictures. The camera should have an SD card that easily slides out of it so that the device doesn't leave and re-enter the room, only the SD card does. + * TODO: this is actually not necessary for the fixed location device, but it's good to have this setup in the same facility maybe for processing/setting up the one time use laptops + +The primary tamper proofing methods for the fixed location device are: + +* Heads firmware protection (TODO link to document which explains how to set up Purism) + +* Glitter to prevent physical access to hardware (TODO link to how to properly use glitter for tamper proofing) + +* On-premises audio and visual monitoring (TODO select appropriate equipment) + +* Physical vault (TODO find adequate vaults) + +#### Procedure + +If at any moment one of the individual has to leave, the Sealing procedure should be performed and both parties should exit the room. For prolonged sessions consider having 3 operators present in order to be able to have 1 individual leave while still having 2 witnesses present in the operating room. + +##### Unsealing +* TODO (before entering room review monitoring video / audio to see if there was intrusion) +1. Ensure that there are at least 2 individuals present who are authorized present before entering the facility +2. Ensure that nobody is carrying any type of electrical device on them. To achieve this a metal detection gate or a hand-held metal detector may be used +3. Gain access to the safe, and take out a laptop which will be used for performing cryptographic actions +4. Check the screws on the bottom of the laptop to ensure that they have not been removed +4. Use the hardware token set up for that laptop in order to verify that the laptop firmware has not been tampered +5. Proceed with [booting sequence](TODO) depending on the type of action being performed + +##### Sealing +1. Shut down machine +2. Remove and store the hardware token in it's appropriate location +3. Place the laptop in the safe and lock it +4. Exit the facility. \ No newline at end of file diff --git a/quorum-key-management/src/glossary.md b/quorum-key-management/src/glossary.md index 1c0e530..993c53e 100644 --- a/quorum-key-management/src/glossary.md +++ b/quorum-key-management/src/glossary.md @@ -62,6 +62,9 @@ secret. ## Secure Compartmentalized Information Facility (SCIF) +## [RFC2119](https://www.rfc-editor.org/rfc/rfc2119) and [RFC8174](https://www.rfc-editor.org/rfc/rfc8174) + +Specifications for keywords such as MUST, MUST NOT, SHOULD, SHOULD NOT, MAY etc. ## Workstation diff --git a/quorum-key-management/src/intro.md b/quorum-key-management/src/intro.md index 0f19306..1b5c661 100644 --- a/quorum-key-management/src/intro.md +++ b/quorum-key-management/src/intro.md @@ -5,15 +5,15 @@ tooling which facilitates the creation and maintenance of highly resilient [quorum](glossary.md#quorum)-based key management systems based on a strict [threat model](threat-model.md) which can be used for a variety of different cryptographic algorithms. The system was designed and developed by -[Distrust](https://distrust.co), with the generous support of the following -sponsors: TODO. +[Distrust](https://distrust.co), with the generous support of sponsors. The basic premise of QKM is that primary cryptographic material akin to a root certificate, called [Root Entropy (RE)](glossary.md#root-entropy-re), is generated during a secure key derivation ceremony, and then used to derive chosen cryptographic material via different algorithms such as PGP keys, digital asset -wallets, web certificates and more. The system was designed with extensibility -in mind. +wallets, web certificates and more. + +Currently there is a set of an opinionated set of playbooks for working with OpenPGP and blockchains is in development, and will be extended to digital certificates, FIDO secrets and more in the future. The RE is sharded using [Shamir's Secret Sharing (SSS)](glossary.md#shamirs-secret-sharing-sss) to a [Quorum](glossary.md#quorum) in order to protect it from single points of @@ -43,7 +43,7 @@ a cold signing setup. ## Playbooks QKM can be set up by using a set of highly opinionated playbooks which outline -the process. The documentation should be read in its entirety by all +the process. The base documentation should be read in its entirety by all participants of the ceremony in order to ensure that the system is well understood by all to ensure that the integrity of the process is preserved and enforced. diff --git a/quorum-key-management/src/one-time-use-laptop-coin-ceremony.md b/quorum-key-management/src/one-time-use-laptop-coin-ceremony.md index 46fedad..a200a1e 100644 --- a/quorum-key-management/src/one-time-use-laptop-coin-ceremony.md +++ b/quorum-key-management/src/one-time-use-laptop-coin-ceremony.md @@ -1 +1,6 @@ # One Time Use Laptop Ceremony + +#### Threat Model +One time use laptops are specially prepared for using in field operation but can also be used inside of a secure facility. The primary objective of this setup is that the laptop is provisioned ahead of time, and is considered to be secure for use, but is to be destroyed afterwards. + +- [ ] isn't the only difference between this and portable multi use that the laptop is resealed? \ No newline at end of file diff --git a/quorum-key-management/src/one-time-use-locations.md b/quorum-key-management/src/one-time-use-locations.md index bb8579c..27ac42d 100644 --- a/quorum-key-management/src/one-time-use-locations.md +++ b/quorum-key-management/src/one-time-use-locations.md @@ -4,9 +4,9 @@ * MUST have physical access control to prevent inflow and outflow of personnel during ceremony -* SHOULD not have electronics in it as they can be used for side channel attacks +* SHOULD NOT have electronics in it as they can be used for side channel attacks -* SHOULD not have windows to prevent exfiltration of data via light or observation of screen +* SHOULD NOT have windows to prevent exfiltration of data via light or observation of screen ## Location Examples diff --git a/quorum-key-management/src/portable-reusable-laptop-ceremony.md b/quorum-key-management/src/portable-reusable-laptop-ceremony.md index cd7fd06..4bfdd3f 100644 --- a/quorum-key-management/src/portable-reusable-laptop-ceremony.md +++ b/quorum-key-management/src/portable-reusable-laptop-ceremony.md @@ -19,3 +19,11 @@ 6. Follow the [coin playbook](TODO) 7. Once the ceremony is over use the [Sealing Procedure](tamper-evidence-methods.md#procedure) to seal the laptop. + +--- + +TODO: integrate + +### Portable Multi-Use Device + +This type of device is essentially just a "One Time Use" device, with the added caveat that the operator has a tamper proofing method available to protect the device between uses. The device can not be trusted by other individuals, but only by the individual who used the device, as there are no other witnesses. diff --git a/quorum-key-management/src/software.md b/quorum-key-management/src/software.md index bbeeea4..5913d4c 100644 --- a/quorum-key-management/src/software.md +++ b/quorum-key-management/src/software.md @@ -42,3 +42,8 @@ This software is the backbone for all cryptographic actions performed as part of QKM. It was developed by [Distrust](https://distrust.co) and is included with AirgapOS and has been audited by two firms, NCC and Cure53 with no significant vulnerabilities found. + + +## [Icepick](https://git.distrust.co/public/icepick) + +Icepick is a framework for rapidly developing applications to perform transfer and staking cryptocurrency operations. It works synergistically with `keyfork` which derives keys which are then used by `icepick`. \ No newline at end of file diff --git a/quorum-key-management/src/system-roles.md b/quorum-key-management/src/system-roles.md new file mode 100644 index 0000000..02ffb18 --- /dev/null +++ b/quorum-key-management/src/system-roles.md @@ -0,0 +1,32 @@ +# System Roles + +There are several roles which are required to properly operate the QKM system. While it is possible to have an individual perform multiple roles, typically they should only perform one role at a time. It is also recommended to have at least 2 individuals, or ideally the full quorum be used to make decisions pertaining to QKM. + +To better understand why the different roles are required, refer to the [selecting a quorum](selecting-quorum.md) and [threat model](threat-model.md) sections which enumerate a number of assumptions around pertinent threats to the system as well as the use of a quorum. + +## General Requirements + +Individuals who are selected for the roles: + +* MUST have background checks conducted + +* MUST have a clearly defined set of responsibilities + +* MUST be reinvestigated once a year to ensure they meet necessary standards to access restricted information + + +## Operator + +Trained on how the QKM system operates, with intimate knowledge of the processes which are required to maintain the integrity, confidentiality and availability (CIA triad) of the system. + +Operators conduct ceremonies and ensure that the controls around the QKM system are in tact. They verify instructions from [Approvers](#approver) and perform different actions which are part of the QKM system, ranging across hardware procurement, accessing SCIFs, preparing field kits, performing ceremonies and more. + +As a QKM grows, it may be prudent to create more highly specialized roles whose responsibilities are limited to a more narrow range, creating more isolation across the system, thus enforcing the principle of least privilege and separation of concerns. + +## Approver + +This is an administrative role which participates in the decision making capacity, typically as part of a quorum. Additional policies which are not for the QKM system but related decision making may be under the purview of an Approver - for example what amount of digital assets to transfer and where. + +## Witness + +QKM relies of having individuals present to witness that processes which uphold the security of the system are properly followed. [Operators](#operator) make ideal witnesses as their familiarity with the QKM system allows them to detect any deviation from the processes which uphold the security of the system. While it is not required that a Witness be a trained Operator, it is highly preferred. \ No newline at end of file diff --git a/quorum-key-management/src/tamper-evidence-methods.md b/quorum-key-management/src/tamper-evidence-methods.md index 51ec39a..8b60a99 100644 --- a/quorum-key-management/src/tamper-evidence-methods.md +++ b/quorum-key-management/src/tamper-evidence-methods.md @@ -16,7 +16,7 @@ Tamper evident methods need to be: There are three reasonably secure methods which have been identified and are explored in this document that can be used in different contexts: -* Vacuum sealed bags along with colored filler +* Vacuum sealing objects surrounded by colored filler * Glitter on screws @@ -24,7 +24,7 @@ There are three reasonably secure methods which have been identified and are exp ## Vacuum Sealed Bags With Filler -One of the most reliable methods for ensuring tamper evidence relies on the randomness and difficulty of placing small objects henceforth referred to as "filler" (colored rice, lentils, confetti) in a transparent bag to encase an object which is then vacuum sealed. By placing an object in a transparent, vacuum sealable bag and surrounding it with filler, an arrangement of the colored objects around the object in the bag can be achieved which is difficult to reproduce. Upon sealing the object in this manner, photos can be taken to use as a reference once the object is accessed again. +One of the most reliable methods for ensuring tamper evidence relies on the randomness and difficulty of placing small objects henceforth referred to as "filler" (colored rice, lentils, confetti) in a transparent bag to encase an object which is then vacuum sealed. By placing an object in a transparent, vacuum sealable bag and surrounding it with filler, an arrangement of the filler around the object in the bag can be achieved which is difficult to reproduce. Upon sealing the object in this manner, photos can be taken to use as a reference once the object is accessed again - allowing one to verify that the arrangement of the filler has not changed. ### Threat Model @@ -123,59 +123,6 @@ Pick a location for the station, and attach the LED light and the camera to the ---- - -### One Time Use Device - -#### Threat Model -One time use laptops are specially prepared for using in field operation but can also be used inside of a secure facility. The primary objective of this setup is that the laptop is provisioned ahead of time, and is considered to be secure for use, but is to be destroyed afterwards. - -- [ ] Destroying hardware -- [ ] isn't the only difference between this and portable multi use that the laptop is resealed? - ---- - -### Portable Multi-Use Device - -This type of device is essentially just a "One Time Use" device, with the added caveat that the operator has a tamper proofing method available to protect the device between uses. The device can not be trusted by other individuals, but only by the individual who used the device, as there are no other witnesses. - ---- - -### Fixed Location Device - -This device is intended for use in a secure facility such as a [SCIF](TODO) which has the added assurances of protecting the environment from a wide range of side-channel attacks, as well as protection from physical attacks, and more comprehensive tamper proofing controls. - -The fixed location should include a work-station which makes it easy to perform the [tamper proofing](todo) procedure. This station may consist of a simple frame which holds a LED light, for consistent lightning, as well as a camera stand above it which can be used to take pictures. The camera should have an SD card that easily slides out of it so that the device doesn't leave and re-enter the room, only the SD card does. - * TODO: this is actually not necessary for the fixed location device, but it's good to have this setup in the same facility maybe for processing/setting up the one time use laptops - -The primary tamper proofing methods for the fixed location device are: - -* Heads firmware protection (TODO link to document which explains how to set up Purism) - -* Glitter to prevent physical access to hardware (TODO link to how to properly use glitter for tamper proofing) - -* On-premises audio and visual monitoring (TODO select appropriate equipment) - -* Physical vault (TODO find adequate vaults) - -#### Procedure - -If at any moment one of the individual has to leave, the Sealing procedure should be performed and both parties should exit the room. For prolonged sessions consider having 3 operators present in order to be able to have 1 individual leave while still having 2 witnesses present in the operating room. - -##### Unsealing -* TODO (before entering room review monitoring video / audio to see if there was intrusion) -1. Ensure that there are at least 2 individuals present who are authorized present before entering the facility -2. Ensure that nobody is carrying any type of electrical device on them. To achieve this a metal detection gate or a hand-held metal detector may be used -3. Gain access to the safe, and take out a laptop which will be used for performing cryptographic actions -4. Check the screws on the bottom of the laptop to ensure that they have not been removed -4. Use the hardware token set up for that laptop in order to verify that the laptop firmware has not been tampered -5. Proceed with [booting sequence](TODO) depending on the type of action being performed - -##### Sealing -1. Shut down machine -2. Remove and store the hardware token in it's appropriate location -3. Place the laptop in the safe and lock it -4. Exit the facility. ## References diff --git a/quorum-key-management/src/threat-model.md b/quorum-key-management/src/threat-model.md index 5168158..659f10f 100644 --- a/quorum-key-management/src/threat-model.md +++ b/quorum-key-management/src/threat-model.md @@ -40,6 +40,8 @@ which had radio networking cards (bluetooth, wifi etc.) removed * Leveraging tamper evident controls for components related to the system +* Leveraging frequency blocking methods such as TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions) and soundproofing + ## General Threat Model Assumptions Some additional assumptions are made to help contextualize the threat model: @@ -60,6 +62,8 @@ Some additional assumptions are made to help contextualize the threat model: * Physical attacks are viable and likely +* Side-channel attacks are viable and likely + ## Additional Threat Model Notes -- 2.40.1 From e43c65c3e8fc70dc8352bd57a122c56522bd02de Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Wed, 4 Dec 2024 16:01:15 -0500 Subject: [PATCH 6/7] add references to tamper proofing doc --- quorum-key-management/src/tamper-evidence-methods.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/quorum-key-management/src/tamper-evidence-methods.md b/quorum-key-management/src/tamper-evidence-methods.md index 8b60a99..d0cb6d9 100644 --- a/quorum-key-management/src/tamper-evidence-methods.md +++ b/quorum-key-management/src/tamper-evidence-methods.md @@ -126,5 +126,12 @@ Pick a location for the station, and attach the LED light and the camera to the ## References -* [Blog About Tamper Evident Protection Methods](https://dys2p.com/en/2021-12-tamper-evident-protection.html) +* [Blog About Tamper Evident Protection Methods](http://web.archive.org/web/20241130002204/https://dys2p.com/en/2021-12-tamper-evident-protection.html) +* [BitBoxTep - tamper-evident packaging](http://web.archive.org/web/20240519013739/https://medium.com/shiftcrypto/an-introduction-to-bitboxtep-our-new-tamper-evident-packaging-8fa06d983c32) + +* [Mullvad - glitter tamper proofing](http://web.archive.org/web/20240317004315/https://mullvad.net/en/blog/how-tamper-protect-laptop-nail-polish) + +* [Purism anti-interidction](http://web.archive.org/web/20241121233006/https://puri.sm/posts/anti-interdiction-services/) + +* [Purism Liberty phone anti-interdiction](http://web.archive.org/web/20240903104700/https://puri.sm/posts/anti-interdiction-on-the-librem-5-usa/) \ No newline at end of file -- 2.40.1 From 1e9d21dcdd3b17a2a0c2aa995fd81896d2e8a4f3 Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Wed, 4 Dec 2024 16:01:31 -0500 Subject: [PATCH 7/7] add high level threat model initial draft --- quorum-key-management/src/threat-model.md | 328 ++++++++++++++++++++++ 1 file changed, 328 insertions(+) diff --git a/quorum-key-management/src/threat-model.md b/quorum-key-management/src/threat-model.md index 659f10f..d0293d1 100644 --- a/quorum-key-management/src/threat-model.md +++ b/quorum-key-management/src/threat-model.md @@ -64,6 +64,334 @@ Some additional assumptions are made to help contextualize the threat model: * Side-channel attacks are viable and likely +## Threat Model Levels + +Different threat model levels allow an organization to start benefiting from the security properties of the QKM system immediately, with a clear path to upgrading over time as resources and time become available. + +Each subsequent level assumes all threats and mitigations from the previous level, and introduces more sophisticated attacks and mitigations. As such, the levels should for the most part be adhered to one at a time, to ensure comprehensive defenses for all viable threats enumerated herein. + +### Level 1 + +#### Threat Model + +* Adversary is a low skilled individual targeting many custodians. This implies the adversary is not highly focused on compromising a specific custodian, but often relying on more scattered/shotgun strategies. + +* Adversary is capable of: + + * Using phishing to steal data from a random set of custodian end users + + * Injecting malware into the system of a random set of custodian end users + +#### Requirements + +* MUST require hardware anchored login for large withdrawals + +* MUST require hardware anchored signature for large withdrawal requests + +* MUST verify withdrawal requests + +Refer to [threshold based policies](TODO) for defining "large withdrawals" and related policies. + +#### Reference Design + +* Ensure all users withdrawing large sums over a short period of time are using FIDO2 or PGP capable smart cards for logging in and authorizing transactions: + + * Hardware based WebAuthN/Passkey/U2F + + * Android 7.0+, iOS 14+, MacOS 10.15+, Win10 1809+, ChromeOS, Yubikey 5, Nitrokey, Ledger, Trezor + + * Consider software-based WebAuthN/Passkey/U2F as backup + +* Ensure backend systems will only approve large withdrawals if signed by known smart card. + +* Ensure all transaction approval keys are stored in a tamper evident append only database. + + * To achieve this storage systems such as AmazonQLDB, git, Datomic etc. can be used + +* Ensure all key additions are authenticated with a quorum of existing keys + +* Consider allowing quorum of support engineer keys to enroll a new key to handle lost keys + +* Use hash of transaction signing request as challenge to be signed by smart-card + +* Blockchain signature only issued after verification a given request is signed by authorized user smart-card(s) + +## Level 2 + +### Threat Model + +* Adversary is a skilled and resourceful individual targeting one custodian + +* Adversary can: + + * Compromise one team member with privileged access + + * Inject code into any OSS library + + * Exploit any vulnerability within 24h of public knowledge + +### Requirements + +* All production access: + + * MUST NOT be possible by any single engineer + + * Consider a bastion that can enforce m-of-n access over SSH or similar + + * MUST be via dedicated tamper evident workstation + + * Consider: https://github.com/hashbang/book/blob/master/content/docs/security/Production_Engineering.md + + * MUST be anchored to keys in dedicated HSMs held by each administrator + + * Consider GnuPG or PKSC#11 smart cards that support touch-approval for ssh + +* Any code in the transaction signing trust supply chain: + + * MUST build deterministically + + * MUST have extensive and frequent review + + * Example: The Linux kernel has well funded distributed review + + * MUST be signed in version control systems by well known author keys + + * Example: OpenPGP signed git commits + + * MUST be signed by separate subject matter expert after security review + + * If third party code: it MUST be hash-pinned at known reviewed versions + + * MUST be at version with all known related security patches + + * SHOULD be latest versions if security disclosures lag behind releases otherwise N-2 + + * Example: The Linux kernel + + * MUST be built and signed by multiple parties with no management overlay + + * Example: One build by IT, another by Infrastructure team managed CI/CD + + * MUST be signed by well known keys signed by a common CA + + * Example: PGP Smartcards signed under OpenPGP-CA. + + * All private keys involved: + + * MUST NOT ever come in contact with network accessible memory + + * All execution environments MUST be able to attest what binary they run + + * Examples: + + * Custom Secure Boot verifies minimum signatures against CA + + * Cloud enclave that can remotely attest it uses a multi-signed image + + * AWS Nitro Enclave, Google Shielded VMs, etc. + + * App phone stores already anchor to developer held signing keys + +### Reference Design + +* Extend reference design from Level 1 + +* Create offline CA key(s) + +* Consider OpenGPG key generated on airgap using keyfork, backed up, and copies transmitted to a smartcards such as a Yubikey + +* CA key smart cards are stored in dual-access tamper evident locations + +#### User Key Management System + +* Enclave is created which is immutable with no ingress internet access + +* Enclave has random ephemeral key + +* Remotely attested on boot-up against multi-signed and known deterministically built system image + + * Possible on many PCR based measured boot solutions like Heads, AWS Nitro Enclaves, or GCP Shielded VMs + +* Ephemeral enclave key is signed with offline CA key(s) on verification. + +* Enclave has ability to validate append only database of keys + +* Enclave will sign new key additions/removals with ephemeral key if: + + * User has no prior keys + + * Key was signed with an existing key + + * Key was signed with 2+ known support engineer keys + +#### Signing Key Generation + +* M-of-N key holder quorum is selected + + * SHOULD ideally be on different teams + + * SHOULD ideally live in different geographical zones to mitigate natural disaster, and war risk + + * SHOULD have their own OpenPGP smart card with pin and keys only they control + +* Shard keys generated + + * SHOULD be an additional OpenPGP smart card separate from holders personal key + + * SHOULD have random pin, encrypted to a backup shard holder + + * SHOULD be stored in a neutral location only the primary and backup shard holder can access + +* Done in person on air-gapped laptop that has been in dual witnessed custody since procurement + + * TODO link to tamper chain of custody doc + + * Has hardware anchor that can make all parties confident the OS image it is running is expected (Heads, etc) + + * Has two hardware sources of entropy + + * There are devices that can provide an additional source of entropy such as: + + * Quantis QRNG USB + + * TrueRNG + + * Runs known deterministic and immutable OS image compiled by multiple parties + +* Key is generated and stored + + * Split to m-of-n Shamir's Secret Sharing shards + + * Each shard is encrypted to dedicated shard OpenPGP smart card + + * Shard smart card pin is generated randomly + + * Shard smart card pin is encrypted to personal smart cards of primary and backup holders + +#### Signing System + +* Uses an enclave which is immutable with no ingress internet access + +* Has random ephemeral key + +* Remotely attested on boot-up against multi-signed and known deterministically built system image + +* Will accept Shamir's Secret Sharing shards encrypted to random ephemeral key + +* Will restore signing key to memory when sufficient shards are submitted + +* Will only sign transactions if accompanied by signed request by authorized user + + * Is able to validate signing request via CA key authorized user key management enclave signature + +* Will only sign transactions that meet predefined size and rate limits by company policy and insurance levels. + +## Level 3 + +### Threat Model + +* Adversary is an organized group with significant funding + +* Adversary can: + + * Compromise one data center engineer into tampering with a target system + + * Use a sophisticated 0 day vulnerability to compromise any one internet connected system + +### Requirements + +* MUST sign all transactions of significant value by multiple keys in separate geographical locations + + * Consider well vetted open source multi signature, MPC or on-chain threshold signing software + + * Locations MUST be separated by hours of travel + + * Locations MUST not have any staff overlap + + * Signing locations SHOULD distrust other locations + + * Each location SHOULD do their own reproducible build validation + + * Each location SHOULD do their own verifications on all large transactions + +## Level 4 + +### Threat Model + +* Adversary is a state actor + +* Adversary can: + + * Tamper with the supply chain of any single hardware/firmware component + + * Quickly and covertly relocate any device to a lab environment, complete attacks within a short time period, and return the device to its original location + + * Use sophisticated side channel attacks for exfiltrating data, cryptographic material being a high risk target + + * Acoustic (DiskFiltration, Fansmitter, Acoustic Cryptanalysis, sonic cavity resonators, etc.) + + * Optical (VisiSploit, xLED, eavesdropping via vibration analysis etc.) + + * Thermal (BitWhisper) + + * Electrical (Simple Power Analysis (SPA), Differential Power Analysis) + + * Magnetic (ODINI) + + * Electromagnetic (USBee) + + * Radio (NFCDrip, Vapor Trail, RFID, FM, Wifi, Bluetooth, GSM, SATA cable eavesdropping etc) + + * Steganography + + * Use other sophisticated attack types such as: + + * Non-deterministic encryption/signatures/data + + * Differential Fault Analysis (DFA) + + * Data remanence + + * Exfiltrating data via induction of power lines, water pipes, telephone lines, coaxial cable used for televisions and internet etc. + +### Requirements + +* All signing systems: + + * MUST have dual implementations of all policy enforcement and signing logic + + * MUST use two or more unrelated hardware supply chains + + * Example: Rust on RISC-V Linux on an FPGA vs C on PPC Gemalto enclave + + * MUST return deterministic results + + * Results are only exported for chain broadcast if identical + + * MUST be stored in near zero emissions vaults a single user can't open + + * See: NSA TEMPEST + + * MUST ensure that individuals are scanned for devices before entering the vault + + * MUST only communicate with outside world via fiber optic serial terminal + - [ ] TODO do we even want this in the facility? + + * MUST be housed in Class III bank vault or better + + * MUST have constant environment deviation monitoring + + * Thermal, Acoustic, Air quality, Optical + + * MUST destroy key material on significant environment deviations + + * TODO: methods for doing this + + * MUST be accessible physically with cooperative physical access + + * MAY use FF-L-2740B or better locks with dual pin enforcement + + * MAY use dual biometric enforcement to get near area and disarm security ## Additional Threat Model Notes -- 2.40.1