WIP: expand documents to support playbooks for managing specific digital assets #10

Closed
anton wants to merge 1 commit from feat/tamper-proofing-chain-of-custody into main
5 changed files with 19 additions and 3 deletions

@ -26,10 +26,14 @@
* Seal the screws on the bottom of the laptop using glitter of chosen color
Review

In my experience, the glitter on the screws was difficult to verify from photographs. I personally had a reasonable degree of confidence that the glitter matched the photographs, but I was the only one of three people who was able to say so with any confidence.

Is there something different we can do here? Have you guys inquired whether Purism is able to do the same sort of vacuum sealing with confetti/beads/whatever that is described in these docs around tamper evidence?

Review

Yes, the glitter can be a bit tricky to verify. One thing that helps is glitter with larger pieces in it, which are easier to detect. If you use several types of glitter nail polish, layered, it's much easier to detect. Taking closeups also helps a lot.

I have tried to reach out to Purism about vacuum sealing equipment but they have not responded yet - they have been very slow. I will try to follow up.

* TODO: Add detail around using glitter with larger pieces and layering several types, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-996
* Take photographs of the inside of the laptop, then of the outside after it's sealed
Review

For the image signing: is this an established PGP key with a fingerprint published somewhere? Is there some way for all parties to be certain that the signed images are from Purism and that they have not been replaced by images taken by the individual responsible for procuring the laptop(s)?

Review

Good question / comment. There are several ways to do this, but we likely want a central repository where we have a set of signed keys that are designated for different things.

* The photographs will be signed by Purism and encrypted to the PGP key used for communications to protect the integrity of the images
* TODO: Add information about verifying the authenticity of the Purism signing key, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-961
* The firmware verification hardware token can be sent to a separate location from the laptop, and will be tamper sealed using tamper proofing tape
* TODO: find out if we can have vacuum sealing with filler as a tamper proofing method be provided by Purism
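Review bot: the photograph bullet conflates two properties: encrypting the images to the communications PGP key protects their confidentiality, while it is the Purism signature that protects their integrity. Suggest rewording to "signed by Purism (integrity) and encrypted to the communications PGP key (confidentiality)". The new TODO about verifying the Purism signing key should also state where the trusted fingerprint comes from (the central repository of signed keys mentioned in the thread), since otherwise the signature check anchors on nothing.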

@ -34,6 +34,8 @@ The primary tamper proofing methods for the fixed location device are:
* Approximate time of entry
* TODO: Document how this access log is implemented.
4. Enter the SCIF, ensuring to lock the door behind you from the inside. The room should not be accessible from the outside during a ceremony.
* Ensure that no individual is bringing in any electronic devices. A hand-held or gate metal detector can be used for this.
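Review bot: the new metal-detector bullet sits under step 4, which already has the door locked from the inside; screening for electronic devices has to happen at the threshold before the door is closed, so either move the bullet ahead of step 4 or state that entry completes only after screening. The access-log TODO should also say who records the entry time and where the log is kept, otherwise "Approximate time of entry" cannot be audited later.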

@ -4,6 +4,8 @@
## Requirements
* TODO: Move this into the "provisioner" document, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-1002
* 2 primary operators will be operating the offline machine and online machine
* Ensure both primary operators have their [Operator Keys](../../../../../../glossary.md#operator-key)
@ -68,7 +70,7 @@
0. Plug in SD card labelled "Trusted Keys"
* Load well known PGP keys of proposer and approver, and sign them using operator keys (NOT IMPLEMENTED)
* Load well known PGP keys of proposer and approver, and sign them using operator keys (TODO: NOT IMPLEMENTED)
* `gpg --import <keyfile_name>`
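Review bot: step 0 imports the proposer and approver keys with `gpg --import`, but nothing in the hunk checks the imported fingerprints against a value the operators already trust before they sign them with their operator keys; an import-then-sign sequence certifies whatever happens to be on the SD card. Suggest adding a fingerprint comparison step (e.g. `gpg --fingerprint <key_id>` checked against a printed or otherwise out-of-band reference) before the signing step, and keeping the "TODO: NOT IMPLEMENTED" marker until that step is written.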
@ -107,13 +109,13 @@
1. Plug in SD card with transaction payload
2. Wait for the screen to display the transaction information. (NOT IMPLEMENTED)
2. Wait for the screen to display the transaction information. (TODO: NOT IMPLEMENTED)
* In the background:
* The transaction is constructed
Review

Let's add a TODO here.

* Signatures of tx data are verified against well known keys which were loaded by operators into local GPG keychain and signed by operators (NOT IMPLEMENTED)
* Signatures of tx data are verified against well known keys which were loaded by operators into local GPG keychain and signed by operators (TODO: NOT IMPLEMENTED)
3. If any issues are detected with data you will be prompted and should initiate [incident response (todo)](todo)
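Review bot: step 3 links to `[incident response (todo)](todo)`, a dead link target; the rest of this PR tracks gaps as `* TODO:` bullets with an issue-comment URL, so this should follow the same form rather than a literal `todo` URL. Also, step 2 tells the operator to wait for the transaction information while the signature verification behind it is marked NOT IMPLEMENTED; until it is implemented the step should say that the displayed data is unverified, so operators do not read the screen as confirmation.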
@ -135,6 +137,8 @@
Review

What does this message look like? Is it literally just "completed"?

Review

@ryan can you please share what the message will be?

Review

As we've discussed in the meeting, the message will likely be something along the lines of the Solana blockchain explorer URL to confirm the transaction has been accepted into the cluster. It will look like what I've been posting in my Solana tracker issue.

Because this is broadcast on an online machine, we will assume users will be able to shift-click the link to open in browser and confirm the transaction has posted. It would likely look like what I have below, though the wording may change as time goes on.

Transaction has been broadcast: https://explorer.solana.com/tx/64Qu7qSBXTtpouNVjDw2h2EwGuimn4CuhpLjUYFvVYReBakQdhAwsFpRfSTeK6vJ8rfZ1nZ5g4orLop589dw8quG?cluster=devnet
* Shut down the air gapped machine
* TODO: Add information about material disposal, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-1004
#### Sealing
{{ #include ../../../../../../tamper-evidence-methods.md:vsbwf-procedure-sealing}}
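Review bot: the discussion settles that the completion message is a Solana explorer URL opened on the online machine, but the step does not say what the operators compare it against; suggest the step record that the transaction signature in the URL must match the one produced on the air-gapped machine before the ceremony is considered complete, alongside the new material-disposal TODO.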

@ -40,6 +40,8 @@ This guide contains specific equipment models: [guide](../../../../tamper-eviden
* SD cards
* TODO: Add clarification around formatting and labeling SD cards, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-1004
* [Kingston Industrial 8GB SD Memory Card](https://www.kingston.com/en/memory-cards/industrial-grade-sd-uhs-i-u3?capacity=8gb)
* [Kingston Indsutrial 8GB microSD Memory Card](https://shop.kingston.com/products/industrial-microsd-card-memory-card?variant=40558543405248)
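Review bot: typo in the link text on the microSD line: "Indsutrial" should be "Industrial". The new TODO on formatting and labeling should also cover which card type (SD or microSD) each labelled role uses, since the ceremony steps refer to cards only by label ("Trusted Keys", transaction payload).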

@ -20,6 +20,8 @@ The following steps must all be completed under the continued supervision and wi
3. Purchase the device and place it in a see-through plastic bag which will be used to transport it to a "processing location", which is ideally just a access controlled space. The bag MUST be a sealable see-through tamper evident bag.
Review

So we're unboxing the device at this point to place in a tamper evident bag? I'm assuming this isn't a vacuum sealed bag with confetti, but maybe it is? Should we include a better description of the bags to be used, where to procure them?

I'm also generally unclear on why this is necessary. Won't the device be in the custody of at least two people at this point?

Review

Yes this is separate from the more advanced tamper proofing. No need to unbox, it can be left in the box then put into the bag.

The main point of the see-through bag is to make it harder to replace the hardware while traveling from the store to the location where proper tamper proofing will be applied. Usually these sealable bags have a number on them, so that makes it harder to swap them out. You can each also write a note and include it inside of the bag with a random nonce, that only each individual knows.

Imagine traveling from the store back to the office. Ideally both people keep continual eye contact with the laptop, but you may end up in scenarios where you lose line of sight briefly. For example, someone is getting into the car while holding just a laptop in their hand. You are on one side of the car, and they are on the other. If they are wearing a jacket they could slip it into an inner jacket pocket and pull out a different one. You can imagine a number of other scenarios like this where a quick sleight of hand is enough to swap the laptop or other hardware, especially when it's small.

It may seem unnecessary, but it does practically make things a bit easier in the sense that you can look away for 5 seconds and still be able to verify with a high degree of certainty that the laptop wasn't replaced - which you can't do if the laptop is just being carried in a hand (whether in a box or not). You may choose not to do this, but we have done this in person, and having the see-through bag does help.

Review

This makes sense. Please include information on where to source these. I imagine they're pretty big, if they can hold an entire boxed laptop.

* TODO: Add sources for suitable tamper evidence bags, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-897
4. At the processing location, one of the individuals is responsible for observing while the other opens the back of the laptop and removes:
* Radio cards (wifi, bluetooth)
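Review bot: the new sourcing TODO only covers where to buy the bags; the thread also describes two controls the step should capture: recording the bag's serial number so a swapped bag is detectable, and each custodian placing a note with a private random nonce inside the bag. Suggest expanding the TODO or step 3 to include both, and stating in step 3 that the device stays in its retail box inside the bag, as the reply says.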
@ -32,6 +34,8 @@ The following steps must all be completed under the continued supervision and wi
Each laptop model is laid out slightly differently so use an online reference and/or read the names of the components which are found in the laptop to determine which parts to remove.
* TODO: Add example online reference, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-898
5. Apply a [tamper proofing](./tamper-evidence-methods.md) method to the device depending on the [device designation](TODO)
## Tested Hardware (AirgapOS Compatibility)
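Review bot: step 5 links to `[device designation](TODO)`, a placeholder target that will render as a broken link; convert it to a `* TODO:` bullet in the same form as the others in this PR, or point it at the designation section once it exists. The TODO for an example online reference should also name what kind of reference is meant (a teardown guide or service manual for the specific model), so whoever picks it up knows what to link.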