WIP: expand documents to support playbooks for managing specific digital assets #10
|
|
@ -2,6 +2,7 @@
|
|||
* [Introduction](intro.md)
|
||||
* [Threat Model](threat-model.md)
|
||||
* [Selecting a Quorum](selecting-quorum.md)
|
||||
* [System Roles](system-roles.md)
|
||||
* [Software](software.md)
|
||||
* [Hardware](hardware.md)
|
||||
* [Glossary](glossary.md)
|
||||
|
|
|
|||
|
|
@ -42,4 +42,44 @@
|
|||
|
||||
* TODO: add more details around how the storage of images should work
|
||||
|
||||
* TODO: ensure there is a pgp doc that can be linked to (for setup and use)
|
||||
* TODO: ensure there is a pgp doc that can be linked to (for setup and use)
|
||||
|
||||
---
|
||||
|
||||
TODO: integrate this
|
||||
|
||||
### Fixed Location Device
|
||||
|
||||
This device is intended for use in a secure facility such as a [SCIF](TODO) which has the added assurances of protecting the environment from a wide range of side-channel attacks, as well as protection from physical attacks, and more comprehensive tamper proofing controls.
|
||||
|
||||
The fixed location should include a work-station which makes it easy to perform the [tamper proofing](todo) procedure. This station may consist of a simple frame which holds a LED light, for consistent lightning, as well as a camera stand above it which can be used to take pictures. The camera should have an SD card that easily slides out of it so that the device doesn't leave and re-enter the room, only the SD card does.
|
||||
* TODO: this is actually not necessary for the fixed location device, but it's good to have this setup in the same facility maybe for processing/setting up the one time use laptops
|
||||
|
||||
The primary tamper proofing methods for the fixed location device are:
|
||||
|
||||
* Heads firmware protection (TODO link to document which explains how to set up Purism)
|
||||
|
||||
* Glitter to prevent physical access to hardware (TODO link to how to properly use glitter for tamper proofing)
|
||||
|
||||
* On-premises audio and visual monitoring (TODO select appropriate equipment)
|
||||
|
||||
* Physical vault (TODO find adequate vaults)
|
||||
|
||||
#### Procedure
|
||||
|
||||
If at any moment one of the individual has to leave, the Sealing procedure should be performed and both parties should exit the room. For prolonged sessions consider having 3 operators present in order to be able to have 1 individual leave while still having 2 witnesses present in the operating room.
|
||||
|
||||
##### Unsealing
|
||||
* TODO (before entering room review monitoring video / audio to see if there was intrusion)
|
||||
1. Ensure that there are at least 2 individuals present who are authorized present before entering the facility
|
||||
2. Ensure that nobody is carrying any type of electrical device on them. To achieve this a metal detection gate or a hand-held metal detector may be used
|
||||
3. Gain access to the safe, and take out a laptop which will be used for performing cryptographic actions
|
||||
4. Check the screws on the bottom of the laptop to ensure that they have not been removed
|
||||
4. Use the hardware token set up for that laptop in order to verify that the laptop firmware has not been tampered
|
||||
5. Proceed with [booting sequence](TODO) depending on the type of action being performed
|
||||
|
||||
##### Sealing
|
||||
1. Shut down machine
|
||||
2. Remove and store the hardware token in it's appropriate location
|
||||
3. Place the laptop in the safe and lock it
|
||||
4. Exit the facility.
|
||||
|
|
@ -62,6 +62,9 @@ secret.
|
|||
|
||||
## Secure Compartmentalized Information Facility (SCIF)
|
||||
|
||||
## [RFC2119](https://www.rfc-editor.org/rfc/rfc2119) and [RFC8174](https://www.rfc-editor.org/rfc/rfc8174)
|
||||
|
||||
Specifications for keywords such as MUST, MUST NOT, SHOULD, SHOULD NOT, MAY etc.
|
||||
|
||||
## Workstation
|
||||
|
||||
|
|
|
|||
|
|
@ -5,15 +5,15 @@ tooling which facilitates the creation and maintenance of highly resilient
|
|||
[quorum](glossary.md#quorum)-based key management systems based on a strict
|
||||
[threat model](threat-model.md) which can be used for a variety of different
|
||||
cryptographic algorithms. The system was designed and developed by
|
||||
[Distrust](https://distrust.co), with the generous support of the following
|
||||
sponsors: TODO.
|
||||
[Distrust](https://distrust.co), with the generous support of sponsors.
|
||||
|
||||
The basic premise of QKM is that primary cryptographic material akin to a root
|
||||
certificate, called [Root Entropy (RE)](glossary.md#root-entropy-re), is generated
|
||||
during a secure key derivation ceremony, and then used to derive chosen
|
||||
cryptographic material via different algorithms such as PGP keys, digital asset
|
||||
wallets, web certificates and more. The system was designed with extensibility
|
||||
in mind.
|
||||
wallets, web certificates and more.
|
||||
|
||||
Currently there is a set of an opinionated set of playbooks for working with OpenPGP and blockchains is in development, and will be extended to digital certificates, FIDO secrets and more in the future.
|
||||
|
||||
The RE is sharded using [Shamir's Secret Sharing (SSS)](glossary.md#shamirs-secret-sharing-sss)
|
||||
to a [Quorum](glossary.md#quorum) in order to protect it from single points of
|
||||
|
|
@ -43,7 +43,7 @@ a cold signing setup.
|
|||
## Playbooks
|
||||
|
||||
QKM can be set up by using a set of highly opinionated playbooks which outline
|
||||
the process. The documentation should be read in its entirety by all
|
||||
the process. The base documentation should be read in its entirety by all
|
||||
participants of the ceremony in order to ensure that the system is well
|
||||
understood by all to ensure that the integrity of the process is preserved and
|
||||
enforced.
|
||||
|
|
|
|||
|
|
@ -1 +1,6 @@
|
|||
# One Time Use Laptop Ceremony
|
||||
|
||||
#### Threat Model
|
||||
One time use laptops are specially prepared for using in field operation but can also be used inside of a secure facility. The primary objective of this setup is that the laptop is provisioned ahead of time, and is considered to be secure for use, but is to be destroyed afterwards.
|
||||
|
||||
- [ ] isn't the only difference between this and portable multi use that the laptop is resealed?
|
||||
|
|
@ -4,9 +4,9 @@
|
|||
|
||||
* MUST have physical access control to prevent inflow and outflow of personnel during ceremony
|
||||
|
||||
* SHOULD not have electronics in it as they can be used for side channel attacks
|
||||
* SHOULD NOT have electronics in it as they can be used for side channel attacks
|
||||
|
||||
* SHOULD not have windows to prevent exfiltration of data via light or observation of screen
|
||||
* SHOULD NOT have windows to prevent exfiltration of data via light or observation of screen
|
||||
|
||||
## Location Examples
|
||||
|
||||
|
|
|
|||
|
|
@ -19,3 +19,11 @@
|
|||
6. Follow the [coin playbook](TODO)
|
||||
|
|
||||
|
||||
7. Once the ceremony is over use the [Sealing Procedure](tamper-evidence-methods.md#procedure) to seal the laptop.
|
||||
|
||||
---
|
||||
|
||||
TODO: integrate
|
||||
|
||||
### Portable Multi-Use Device
|
||||
|
||||
This type of device is essentially just a "One Time Use" device, with the added caveat that the operator has a tamper proofing method available to protect the device between uses. The device can not be trusted by other individuals, but only by the individual who used the device, as there are no other witnesses.
|
||||
|
|
|
|||
|
|
@ -42,3 +42,8 @@ This software is the backbone for all cryptographic actions performed as part
|
|||
of QKM. It was developed by [Distrust](https://distrust.co) and is included
|
||||
with AirgapOS and has been audited by two firms, NCC and Cure53 with no
|
||||
significant vulnerabilities found.
|
||||
|
||||
|
||||
## [Icepick](https://git.distrust.co/public/icepick)
|
||||
|
||||
Icepick is a framework for rapidly developing applications to perform transfer and staking cryptocurrency operations. It works synergistically with `keyfork` which derives keys which are then used by `icepick`.
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
# System Roles
|
||||
|
||||
There are several roles which are required to properly operate the QKM system. While it is possible to have an individual perform multiple roles, typically they should only perform one role at a time. It is also recommended to have at least 2 individuals, or ideally the full quorum be used to make decisions pertaining to QKM.
|
||||
|
||||
To better understand why the different roles are required, refer to the [selecting a quorum](selecting-quorum.md) and [threat model](threat-model.md) sections which enumerate a number of assumptions around pertinent threats to the system as well as the use of a quorum.
|
||||
|
||||
## General Requirements
|
||||
|
||||
Individuals who are selected for the roles:
|
||||
|
||||
* MUST have background checks conducted
|
||||
|
||||
* MUST have a clearly defined set of responsibilities
|
||||
|
||||
* MUST be reinvestigated once a year to ensure they meet necessary standards to access restricted information
|
||||
|
||||
|
||||
## Operator
|
||||
|
||||
Trained on how the QKM system operates, with intimate knowledge of the processes which are required to maintain the integrity, confidentiality and availability (CIA triad) of the system.
|
||||
|
||||
Operators conduct ceremonies and ensure that the controls around the QKM system are in tact. They verify instructions from [Approvers](#approver) and perform different actions which are part of the QKM system, ranging across hardware procurement, accessing SCIFs, preparing field kits, performing ceremonies and more.
|
||||
|
||||
As a QKM grows, it may be prudent to create more highly specialized roles whose responsibilities are limited to a more narrow range, creating more isolation across the system, thus enforcing the principle of least privilege and separation of concerns.
|
||||
|
||||
## Approver
|
||||
|
||||
This is an administrative role which participates in the decision making capacity, typically as part of a quorum. Additional policies which are not for the QKM system but related decision making may be under the purview of an Approver - for example what amount of digital assets to transfer and where.
|
||||
|
||||
## Witness
|
||||
|
||||
QKM relies of having individuals present to witness that processes which uphold the security of the system are properly followed. [Operators](#operator) make ideal witnesses as their familiarity with the QKM system allows them to detect any deviation from the processes which uphold the security of the system. While it is not required that a Witness be a trained Operator, it is highly preferred.
|
||||
|
|
@ -16,7 +16,7 @@ Tamper evident methods need to be:
|
|||
|
||||
There are three reasonably secure methods which have been identified and are explored in this document that can be used in different contexts:
|
||||
|
||||
* Vacuum sealed bags along with colored filler
|
||||
* Vacuum sealing objects surrounded by colored filler
|
||||
|
||||
* Glitter on screws
|
||||
|
||||
|
|
@ -24,7 +24,7 @@ There are three reasonably secure methods which have been identified and are exp
|
|||
|
||||
## Vacuum Sealed Bags With Filler
|
||||
|
||||
One of the most reliable methods for ensuring tamper evidence relies on the randomness and difficulty of placing small objects henceforth referred to as "filler" (colored rice, lentils, confetti) in a transparent bag to encase an object which is then vacuum sealed. By placing an object in a transparent, vacuum sealable bag and surrounding it with filler, an arrangement of the colored objects around the object in the bag can be achieved which is difficult to reproduce. Upon sealing the object in this manner, photos can be taken to use as a reference once the object is accessed again.
|
||||
One of the most reliable methods for ensuring tamper evidence relies on the randomness and difficulty of placing small objects henceforth referred to as "filler" (colored rice, lentils, confetti) in a transparent bag to encase an object which is then vacuum sealed. By placing an object in a transparent, vacuum sealable bag and surrounding it with filler, an arrangement of the filler around the object in the bag can be achieved which is difficult to reproduce. Upon sealing the object in this manner, photos can be taken to use as a reference once the object is accessed again - allowing one to verify that the arrangement of the filler has not changed.
|
||||
|
||||
### Threat Model
|
||||
|
||||
|
|
@ -123,59 +123,6 @@ Pick a location for the station, and attach the LED light and the camera to the
|
|||
|
||||
|
||||
|
||||
---
|
||||
|
||||
### One Time Use Device
|
||||
|
||||
#### Threat Model
|
||||
One time use laptops are specially prepared for using in field operation but can also be used inside of a secure facility. The primary objective of this setup is that the laptop is provisioned ahead of time, and is considered to be secure for use, but is to be destroyed afterwards.
|
||||
|
||||
- [ ] Destroying hardware
|
||||
- [ ] isn't the only difference between this and portable multi use that the laptop is resealed?
|
||||
|
||||
---
|
||||
|
||||
### Portable Multi-Use Device
|
||||
|
||||
This type of device is essentially just a "One Time Use" device, with the added caveat that the operator has a tamper proofing method available to protect the device between uses. The device can not be trusted by other individuals, but only by the individual who used the device, as there are no other witnesses.
|
||||
|
||||
---
|
||||
|
||||
### Fixed Location Device
|
||||
|
||||
This device is intended for use in a secure facility such as a [SCIF](TODO) which has the added assurances of protecting the environment from a wide range of side-channel attacks, as well as protection from physical attacks, and more comprehensive tamper proofing controls.
|
||||
|
||||
The fixed location should include a work-station which makes it easy to perform the [tamper proofing](todo) procedure. This station may consist of a simple frame which holds a LED light, for consistent lightning, as well as a camera stand above it which can be used to take pictures. The camera should have an SD card that easily slides out of it so that the device doesn't leave and re-enter the room, only the SD card does.
|
||||
* TODO: this is actually not necessary for the fixed location device, but it's good to have this setup in the same facility maybe for processing/setting up the one time use laptops
|
||||
|
||||
The primary tamper proofing methods for the fixed location device are:
|
||||
|
||||
* Heads firmware protection (TODO link to document which explains how to set up Purism)
|
||||
|
||||
* Glitter to prevent physical access to hardware (TODO link to how to properly use glitter for tamper proofing)
|
||||
|
||||
* On-premises audio and visual monitoring (TODO select appropriate equipment)
|
||||
|
||||
* Physical vault (TODO find adequate vaults)
|
||||
|
||||
#### Procedure
|
||||
|
||||
If at any moment one of the individual has to leave, the Sealing procedure should be performed and both parties should exit the room. For prolonged sessions consider having 3 operators present in order to be able to have 1 individual leave while still having 2 witnesses present in the operating room.
|
||||
|
||||
##### Unsealing
|
||||
* TODO (before entering room review monitoring video / audio to see if there was intrusion)
|
||||
1. Ensure that there are at least 2 individuals present who are authorized present before entering the facility
|
||||
2. Ensure that nobody is carrying any type of electrical device on them. To achieve this a metal detection gate or a hand-held metal detector may be used
|
||||
3. Gain access to the safe, and take out a laptop which will be used for performing cryptographic actions
|
||||
4. Check the screws on the bottom of the laptop to ensure that they have not been removed
|
||||
4. Use the hardware token set up for that laptop in order to verify that the laptop firmware has not been tampered
|
||||
5. Proceed with [booting sequence](TODO) depending on the type of action being performed
|
||||
|
||||
##### Sealing
|
||||
1. Shut down machine
|
||||
2. Remove and store the hardware token in it's appropriate location
|
||||
3. Place the laptop in the safe and lock it
|
||||
4. Exit the facility.
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
|||
|
|
@ -40,6 +40,8 @@ which had radio networking cards (bluetooth, wifi etc.) removed
|
|||
|
||||
* Leveraging tamper evident controls for components related to the system
|
||||
|
||||
* Leveraging frequency blocking methods such as TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions) and soundproofing
|
||||
|
||||
## General Threat Model Assumptions
|
||||
|
||||
Some additional assumptions are made to help contextualize the threat model:
|
||||
|
|
@ -60,6 +62,8 @@ Some additional assumptions are made to help contextualize the threat model:
|
|||
|
||||
* Physical attacks are viable and likely
|
||||
|
||||
* Side-channel attacks are viable and likely
|
||||
|
||||
|
||||
## Additional Threat Model Notes
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue
coins won't be the only type of ceremony.
I think it will be easiest to have these split into multiple docs, probably a total of 5.