WIP: expand documents to support playbooks for managing specific digital assets #10

Draft
anton wants to merge 7 commits from feat/tamper-proofing-chain-of-custody into main
18 changed files with 798 additions and 95 deletions

View File

@ -2,23 +2,32 @@
* [Introduction](intro.md)
* [Threat Model](threat-model.md)
* [Selecting a Quorum](selecting-quorum.md)
* [System Roles](system-roles.md)
* [Software](software.md)
* [Hardware](hardware.md)
* [Glossary](glossary.md)
* [Preparations]()
* [Repeat Use]()
* [Flash PureBoot to Librem](flash-pureboot-firmware.md)
* [Initialize PureBoot Smart Card](initialize-pureboot-smart-card.md)
* [Change Smart Card PINs](setting-smart-card-pins.md)
* [PureBoot Restricted Boot](enable-pure-boot-restricted-boot.md)
* [AirgapOS Setup](repeat-use-airgapos.md)
* [`autorun.sh` Setup](autorun-sh-setup.md)
* [Secure Boot Sequence](secure-boot-sequence.md)
* [Selecting Locations](locations.md)
* [Verifying Signatures](verifying-signatures.md)
* [Tamper Evidence Methods](tamper-evidence-methods.md)
* [One Time Use]()
* [Procure Hardware](one-time-use-hardware-procurement.md)
* [Fixed Location Reusable Laptop]()
* [Location](locations.md)
* [Procure Hardware](fixed-location-reusable-hardware-procurement.md)
* [PureBoot]()
* [Flash PureBoot to Librem](flash-pureboot-firmware.md)
* [Initialize PureBoot Smart Card](initialize-pureboot-smart-card.md)
* [Change Smart Card PINs](setting-smart-card-pins.md)
* [PureBoot Restricted Boot](enable-pure-boot-restricted-boot.md)
* [PureBoot Boot Sequence](secure-boot-sequence.md)
* [AirgapOS Setup]()
* [AirgapOS Setup](repeat-use-airgapos.md)
* [`autorun.sh` Setup](autorun-sh-setup.md)
* [One Time Use / Portable Use]()
* [Location](one-time-use-locations.md)
* [Procure Hardware](hardware-procurement-and-chain-of-custody.md)
* [AirgapOS Setup](one-time-use-airgapos.md)
* [Repository Setup](one-time-repository-setup.md)
* [Selecting Locations](one-time-use-locations.md)
@ -38,6 +47,11 @@
* [Online Artifact Storage](public-ceremony-artifact-storage.md)
* [Physical Artifact Storage](physical-artifact-storage.md)
* [Coin Ceremonies]()
* [One Time Use Laptop Ceremony](one-time-use-laptop-coin-ceremony.md)
* [Portable Reusable Laptop Ceremony](portable-reusable-laptop-ceremony.md)
* [Fixed Location Reusable Laptop Ceremony](fixed-location-reusable-laptop-ceremony.md)
* [Lifecycle Management]()
* [Destroying Hardware](hardware-destruction.md)
* [Storage Device Management](storage-device-management.md)

View File

@ -0,0 +1,41 @@
# Procure Hardware
1. Select a librem 14 laptop from https://puri.sm, and ensure:
* Memory: 8GB
* Storage: 250GB
* Power Adapter Plug: US
* Wireless: No wireless
* Firmware: PureBoot Bundle Anti-Interdiction (PureBoot Bundle Plus + Anti-interdiction services)
* Operating System: PureOS
* Warranty: 1 Year
* Privacy Screen: Privacy Screen for Librem 14
* USB Flash Drive: No USB Flash Drive
2. Purism will reach out via email and establish secure communications using PGP, so ensure that the individual who is in charge of procurement has a PGP key that's been set up securely. Purism will:
* Modify the laptop as per order specifications, in this case removing radio cards.
* Seal the screws on the bottom of the laptop using glitter of chosen color
* Take photographs of the inside of the laptop, then of the outside after it's sealed
* The photographs will be signed by Purism and encrypted to the PGP key used for communications to protect the integrity of the images
* The firmware verification hardware token can be sent to a separate location from the laptop, and will be tamper sealed using tamper proofing tape
* TODO: find out if we can have vacuum sealing with filler as a tamper proofing method be provided by Purism
* The laptop will be sealed in a box using tamper proofing tape
3. Once the laptop is received, it should not be opened until at least 2 parties are present and principles of [chain of custody](hardware-procurement-and-chain-of-custody.md) can be upheld. The images of tamper proofing provided by Purism should be used to ensure that the hardware had not been tampered, and the hardware token to verify firmware is in tact.
4. Once the hardware is properly verified to not have been tampered in transit, a [tamper evidence method](tamper-evidence-methods.md) should be applied to the laptop before it's stored.

View File

@ -0,0 +1,85 @@
# Fixed Location Reusable Laptop Ceremony
1. Select at least two authorized operators who will be participating in the ceremony
2. Print photographs of tamper proofing of the laptop which will be used for the ceremony
3. Make an entry into the access log, specifying the:
* Individuals involved
* Approximate time of entry
4. Enter the SCIF, ensuring to lock the door behind you from the inside. The room should not be accessible from the outside during a ceremony.
5. Access the laptop safe, and move the laptop, its hardware token, and polaroid to the Tamper Proofing Workstation
* Compare the polaroid and digital photographs for any differences
* Then compare the photographs to the actual object
* If there are any issues detected, initiate incident response
6. Initiate the [Secure Boot Sequence](secure-boot-sequence.md)
7. Use one of the [Coin Playbooks]() to perform actions for a given coin
* TODO...
8. Once the ceremony is completed, use the [Sealing Procedure](tamper-evidence-methods.md#procedure) to reseal and photograph the laptop
* Use a new SD card for taking photographs of the sealed laptop
9. Remove the SD card from the camera and use chain of custody principles to ensure the integrity of the data
10. Place the sealed laptop and signed polaroids, as well as the hardware token back in the safe
11. Exit the SCIF and lock it
12. Update the log with the exit time
13. Upload the photos to a git repository, ensuring the commit is signed using PGP
* TODO: add more details around how the storage of images should work
* TODO: ensure there is a pgp doc that can be linked to (for setup and use)
---
TODO: integrate this
### Fixed Location Device
This device is intended for use in a secure facility such as a [SCIF](TODO) which has the added assurances of protecting the environment from a wide range of side-channel attacks, as well as protection from physical attacks, and more comprehensive tamper proofing controls.
The fixed location should include a work-station which makes it easy to perform the [tamper proofing](todo) procedure. This station may consist of a simple frame which holds a LED light, for consistent lightning, as well as a camera stand above it which can be used to take pictures. The camera should have an SD card that easily slides out of it so that the device doesn't leave and re-enter the room, only the SD card does.
* TODO: this is actually not necessary for the fixed location device, but it's good to have this setup in the same facility maybe for processing/setting up the one time use laptops
The primary tamper proofing methods for the fixed location device are:
* Heads firmware protection (TODO link to document which explains how to set up Purism)
* Glitter to prevent physical access to hardware (TODO link to how to properly use glitter for tamper proofing)
* On-premises audio and visual monitoring (TODO select appropriate equipment)
* Physical vault (TODO find adequate vaults)
#### Procedure
If at any moment one of the individual has to leave, the Sealing procedure should be performed and both parties should exit the room. For prolonged sessions consider having 3 operators present in order to be able to have 1 individual leave while still having 2 witnesses present in the operating room.
##### Unsealing
* TODO (before entering room review monitoring video / audio to see if there was intrusion)
1. Ensure that there are at least 2 individuals present who are authorized present before entering the facility
2. Ensure that nobody is carrying any type of electrical device on them. To achieve this a metal detection gate or a hand-held metal detector may be used
3. Gain access to the safe, and take out a laptop which will be used for performing cryptographic actions
4. Check the screws on the bottom of the laptop to ensure that they have not been removed
4. Use the hardware token set up for that laptop in order to verify that the laptop firmware has not been tampered
5. Proceed with [booting sequence](TODO) depending on the type of action being performed
##### Sealing
1. Shut down machine
2. Remove and store the hardware token in it's appropriate location
3. Place the laptop in the safe and lock it
4. Exit the facility.

View File

@ -60,6 +60,12 @@ which is set at the time of initial sharding, expressed as M of N, or in other
words M shards of the total N shards in existence are required to reveal the
secret.
## Secure Compartmentalized Information Facility (SCIF)
## [RFC2119](https://www.rfc-editor.org/rfc/rfc2119) and [RFC8174](https://www.rfc-editor.org/rfc/rfc8174)
Specifications for keywords such as MUST, MUST NOT, SHOULD, SHOULD NOT, MAY etc.
## Workstation
Highly secure computer which is used for sensitive operations, typically in the
@ -133,3 +139,6 @@ importantly the Root Entropy was never exposed.
* [Version Control Systems](software.md#version-control-system-vcs):
* We tolerate a loss of all but one DR storage backend
* A minimum of three storage backends should be maintained
## MICE
A mnemonic device used in counterintelligence training to remind trainees of the four general motivations that could lead someone to commit treason, become an insider threat, or collaborate with a hostile agency or organization. It stands for Money, Ideology, Compromise, and Ego.

View File

@ -0,0 +1,39 @@
# Procurement & Chain of Custody
## Provisioning Chain of Custody
Materials and devices which are used in the context of a high assurance system need to be monitored carefully from the moment they are purchased to ensure there are no single points of failure. Going back to the assumption that participants in the system are subject to [MICE](./glossary.md#MICE) and as such may pose a threat to the system, special care has to be taken that multiple individuals are involved in the whole lifecycle of provisioning a piece of equipment.
All steps of the provisioning process need to be completed under the supervision of at least 2 individuals, but benefit from having even more individuals present to increase the number of witnesses and allow individuals to take washroom breaks, purchase food and take breaks.
The following steps must all be completed under the continued supervision and with the involvement of all parties present. It is instrumental that there is not a single moment where the device is left unsupervised, or under the supervision of only 1 individual.
## Provisioning Hardware
1. Selecting a Purchase Location
Select at least 3 stores which carry the type of equipment being purchased, then randomly select one using the roll of a die, or other random method.
This is done in order to reduce the likelihood that a threat actor is able to plant a compromised computer in a store.
2. Within the store, identify available adequate laptops from the list of [tested hardware](#tested-hardware-airgapos-compatibility). Alternatively bring an SD card with AirgapOS, and test booting to it on the device on the store floor before purchasing it.
3. Purchase the device and place it in a see-through plastic bag which will be used to transport it to a "processing location" (TODO define processing location).
4. At the processing location, one of the individuals is responsible for observing while the other opens the back of the laptop and removes:
* Radio cards (wifi, bluetooth)
* Storage drive
* Speakers
* Microphone
Each laptop model is laid out slightly differently so use an online reference and/or read the names of the components which are found in the laptop to determine which parts to remove.
5. Apply a [tamper proofing](./tamper-evidence-methods.md) method to the device depending on the [device designation](TODO)
## Tested Hardware (AirgapOS Compatibility)
* HP 13" Intel Celeron - 4GB Memory - 64GB eMMC, HP 14-dq0052dx, SKU: 6499749, UPC: 196548430192, DCS: 6.768.5321, ~USD $179.99
* Lenovo 14" Flex 5i FHD Touchscreen 2-in-1 Laptop - Intel Core i3-1215U - 8GB Memory - Intel UHD Graphics, SKU: 6571565, ~USD $379.99

View File

@ -5,15 +5,15 @@ tooling which facilitates the creation and maintenance of highly resilient
[quorum](glossary.md#quorum)-based key management systems based on a strict
[threat model](threat-model.md) which can be used for a variety of different
cryptographic algorithms. The system was designed and developed by
[Distrust](https://distrust.co), with the generous support of the following
sponsors: TODO.
[Distrust](https://distrust.co), with the generous support of sponsors.
The basic premise of QKM is that primary cryptographic material akin to a root
certificate, called [Root Entropy (RE)](glossary.md#root-entropy-re), is generated
during a secure key derivation ceremony, and then used to derive chosen
cryptographic material via different algorithms such as PGP keys, digital asset
wallets, web certificates and more. The system was designed with extensibility
in mind.
wallets, web certificates and more.
Currently there is a set of an opinionated set of playbooks for working with OpenPGP and blockchains is in development, and will be extended to digital certificates, FIDO secrets and more in the future.
The RE is sharded using [Shamir's Secret Sharing (SSS)](glossary.md#shamirs-secret-sharing-sss)
to a [Quorum](glossary.md#quorum) in order to protect it from single points of
@ -43,7 +43,7 @@ a cold signing setup.
## Playbooks
QKM can be set up by using a set of highly opinionated playbooks which outline
the process. The documentation should be read in its entirety by all
the process. The base documentation should be read in its entirety by all
participants of the ceremony in order to ensure that the system is well
understood by all to ensure that the integrity of the process is preserved and
enforced.

View File

@ -1,7 +1,7 @@
# Location
Locations refer to physical points in space which are used for storing
cryptographic material or performing actions related to the DRK lifecycle and
cryptographic material or performing actions using the cryptographic material and
adhere to a set of criteria which focus on achieving a high level of security -
specifically with respect to:
@ -66,7 +66,7 @@ standard NATO SDIP-27 Level A
locations simultaneously
* SHOULD be facilities owned by different organizations to reduce the risk of
collusion unless the organization who owns the DRK has their own facility such
as a SCIF (Secure Compartmentalized Information Facility)
collusion unless the organization who owns the QKM system has their own facility such
as a [SCIF](glossary.md#secure-compartmentalized-information-facility-scif).
* SHOULD have seismic detectors

View File

@ -6,18 +6,9 @@ instead the AirgapOS `.iso` image is flashed to an SD card, locked using
## Setup Steps
* Clone the latest AirgapOS version:
* `git clone git@distrust.co:public/airgap.git`
* Build the image:
* `cd airgap && make`
* Verify `sha256sum` of airgap matches hashes in `/dist`
* Verify signatures on the hashes in `/dist`. The maintainer pgp keys can be found on the [Distrust contact page](https://distrust.co/contact.html) page.
* Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository. Use the `make reproduce` command.
* Verify the software according to [this](verifying-signatures.md) guide
* Flash `airgap.iso` to an SD Card:

View File

@ -1,33 +0,0 @@
# Procure Hardware
* Procure a laptop, and SD cards from a randomly selected store. A randomly
selected store is used in order to reduce the possibility of a malicious actor
having time to plant compromised hardware at the store, and/or make arrangements
by coercing store staff to sell compromised hardware to the quroum team. Of
course, there still may be hardware that's compromised being sold, but is less
likely to specifically target the quorum group.
* Ensure at least 2 people are in line of sight of access to all of the
equipment, for example a bag carried in hand, until the ceremony is executed.
This is done in order to eliminate the possibility of the equipment being
swapped for compromised hardware.
* The laptop should ideally support booting from an SD card and have a built in
micro or standard SD card reader; if this is not possible, USB SD card reader
should be purchased.
* Dell laptops tend to have support for booting from SD cards so they are a
good option.
* The store and laptop model should be selected on the spot via consensus of at
least 2 members of the Quorum. This is done for several reasons:
* To ensure that no time is given to a malicious actor to deploy
compromised hardware to the store
* To reduce likelihood that arrangements can be made by a malicious actor
for the store to sell compromised hardware to the Quorum team
* Note that a secondary computer, or secondary SD card with bootable OS will be
required in order to be able to verify the flashed AirgapOS SD card right before
the ceremony.

View File

@ -0,0 +1,6 @@
# One Time Use Laptop Ceremony
#### Threat Model
One time use laptops are specially prepared for using in field operation but can also be used inside of a secure facility. The primary objective of this setup is that the laptop is provisioned ahead of time, and is considered to be secure for use, but is to be destroyed afterwards.
- [ ] isn't the only difference between this and portable multi use that the laptop is resealed?

View File

@ -1,19 +1,20 @@
# Selecting Locations
Secure a randomly selected location that has a private space with EM shielding,
or no electronics in at least a 10 m radius. A moving vehicle (eg. car, bus,
train, ferris wheel) is also a viable alternative. Additionally, the ceremony
may be conducted in an open outdoor space, such as a forest, or a desert, at a
location that is an open space not near any objects and ideally on a hard surface
such as rock to prevent hidden devices in the ground. The point of narrowing the
location selection to these spaces is that it makes it hard for a malicious
actor to prepare for the ceremony and deploy equipment for side-channel attacks
- with the intent of stealing the cryptographic material which is produced or
managed during key ceremonies.
* MUST be selected at random right before the ceremony
The location should be selected immediately before the ceremony in order to
eliminate the possibility of a malicious actor having time to infiltrate and
compromise the space ahead of the ceremony. The location may be compromised
anyways, as a malicious actor may have done so with another target in mind, or a
more broad campaign, for example in the case for three letter agencies may plant
cameras and microphones in hotels for intel gathering.
* MUST have physical access control to prevent inflow and outflow of personnel during ceremony
* SHOULD NOT have electronics in it as they can be used for side channel attacks
* SHOULD NOT have windows to prevent exfiltration of data via light or observation of screen
## Location Examples
* A hotel room although it is relatively common to find spying devices in them so they are not a great choice
* A moving vehicle such as car, bus, train, ferris wheel given that the operator is able to secure a space which can be locked and has no strangers in it
* Open space with nobody around such as a forest, desert, large parking lot etc.
Despite all these measures, the location may be compromised anyways, as a malicious actor may have done so with another target in mind, or a more broad campaign, for example in the case for three letter agencies may plant cameras and microphones in hotels for intel gathering. For this reason it is always highly preferred to perform cryptographic actions in a properly secured facility such as a SCIF.

View File

@ -0,0 +1,29 @@
# Portable Reusable Laptop Ceremony
1. Procure a laptop set up for portable use.
* A polaroid of the laptop tamper evidence should be carried on person at all times
* A vacuum sealer, and plastic beads will be necessary in order to be able to re-seal the laptop after use
Review

plastic beads, beans, confetti, foam pellets, or other similarly loose non-uniform material

plastic beads, beans, confetti, foam pellets, or other similarly loose non-uniform material
Review

Also any time we say something like this, people ask right away for reference hardware they can go buy.

Any time we suggest any items someone has to source, we should include a minimum of two specific reference products that fit the bill.

Also any time we say something like this, people ask right away for reference hardware they can go buy. Any time we suggest any items someone has to source, we should include a minimum of two specific reference products that fit the bill.
* A polaroid and digital camera are also required
2. The laptop can be left stored in a hidden location or ideally in a safe
Review

Honestly I would recommend keeping it with them as often as possible, or a safe, or worst case put it in the hands of people whose entire career hinges on full time supervised storage like a bag check at a hotel bellhop.

Honestly I would recommend keeping it with them as often as possible, or a safe, or worst case put it in the hands of people whose entire career hinges on full time supervised storage like a bag check at a hotel bellhop.
3. Select a secure [location]()
4. Once in a secure location - control access to the location. It is highly preferred that no individuals enter or leave the facility during the ceremony.
5. Unseal the laptop using the [Unsealing Procedure](tamper-evidence-methods.md#procedure)
6. Follow the [coin playbook](TODO)
Review

coins won't be the only type of ceremony.

I think it will be easiest to have these split into multiple docs, probably a total of 5.

  1. Tamper Evidence (Maybe break it down into stacking security levels with their own threat models like 1, 2, 3)
  2. one time ceremony (usage only)
  3. on premise ceremony (usage only)
  4. field ceremony (will reference doing tamper evident (usage only)
coins won't be the only type of ceremony. I think it will be easiest to have these split into multiple docs, probably a total of 5. 1. Tamper Evidence (Maybe break it down into stacking security levels with their own threat models like 1, 2, 3) 2. one time ceremony (usage only) 2. on premise ceremony (usage only) 3. field ceremony (will reference doing tamper evident (usage only)
7. Once the ceremony is over use the [Sealing Procedure](tamper-evidence-methods.md#procedure) to seal the laptop.
---
TODO: integrate
### Portable Multi-Use Device
This type of device is essentially just a "One Time Use" device, with the added caveat that the operator has a tamper proofing method available to protect the device between uses. The device can not be trusted by other individuals, but only by the individual who used the device, as there are no other witnesses.

View File

@ -4,23 +4,9 @@ This section can be completed on any machine.
AirgapOS has `keyfork` built into it for cryptographic operations such as key
derivation.
1. Clone the `AirgapOS` repository locally or download it as a zip
1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository. Use the `make reproduce` command.
To clone use the following command in the terminal:
```
cd ~
git clone git@distrust.co:public/airgap.git
```
To download as a ZIP from https://git.distrust.co/public/airgap:
![Downloading AirgapOS as ZIP](img/download-airgap-os.png)
2. Navigate into the `airgap` repository locally, and build the iso image.
```
cd ~/airgap
make reproduce
```
The resulting iso will be located in `airgap/out/`
2. Verify the software according to [this](verifying-signatures.md) guide
3. Place signed .iso on a storage device

View File

@ -42,3 +42,8 @@ This software is the backbone for all cryptographic actions performed as part
of QKM. It was developed by [Distrust](https://distrust.co) and is included
with AirgapOS and has been audited by two firms, NCC and Cure53 with no
significant vulnerabilities found.
## [Icepick](https://git.distrust.co/public/icepick)
Icepick is a framework for rapidly developing applications to perform transfer and staking cryptocurrency operations. It works synergistically with `keyfork` which derives keys which are then used by `icepick`.

View File

@ -0,0 +1,32 @@
# System Roles
There are several roles which are required to properly operate the QKM system. While it is possible to have an individual perform multiple roles, typically they should only perform one role at a time. It is also recommended to have at least 2 individuals, or ideally the full quorum be used to make decisions pertaining to QKM.
To better understand why the different roles are required, refer to the [selecting a quorum](selecting-quorum.md) and [threat model](threat-model.md) sections which enumerate a number of assumptions around pertinent threats to the system as well as the use of a quorum.
## General Requirements
Individuals who are selected for the roles:
* MUST have background checks conducted
* MUST have a clearly defined set of responsibilities
* MUST be reinvestigated once a year to ensure they meet necessary standards to access restricted information
## Operator
Trained on how the QKM system operates, with intimate knowledge of the processes which are required to maintain the integrity, confidentiality and availability (CIA triad) of the system.
Operators conduct ceremonies and ensure that the controls around the QKM system are in tact. They verify instructions from [Approvers](#approver) and perform different actions which are part of the QKM system, ranging across hardware procurement, accessing SCIFs, preparing field kits, performing ceremonies and more.
As a QKM grows, it may be prudent to create more highly specialized roles whose responsibilities are limited to a more narrow range, creating more isolation across the system, thus enforcing the principle of least privilege and separation of concerns.
## Approver
This is an administrative role which participates in the decision making capacity, typically as part of a quorum. Additional policies which are not for the QKM system but related decision making may be under the purview of an Approver - for example what amount of digital assets to transfer and where.
## Witness
QKM relies of having individuals present to witness that processes which uphold the security of the system are properly followed. [Operators](#operator) make ideal witnesses as their familiarity with the QKM system allows them to detect any deviation from the processes which uphold the security of the system. While it is not required that a Witness be a trained Operator, it is highly preferred.

View File

@ -0,0 +1,137 @@
# Tamper Evidence Methods
There are different methods which can be used to ensure that objects have not been tampered between uses. This is especially relevant for equipment such as laptops. Each method comes with tradeoffs, and in the context of high assurance security it is instrumental to understand the tradeoffs in order to achieve an adequate level of confidence that supplies such as computers used for high risk operations retain their integrity.
There are a number of common methods which appear to provide a reasonable level of tamper evidence, but in fact do not. It is worth noting a few examples of these such as using tamper evident tape, or even glitter if done improperly. This document will focus on illustrating adequate methods, rather than enumerating ones that are inadequate.
## Properties
Tamper evident methods need to be:
* Difficult to circumvent
* Simple to set up
* Simple to verify
There are three reasonably secure methods which have been identified and are explored in this document that can be used in different contexts:
* Vacuum sealing objects surrounded by colored filler
* Glitter on screws
* Heads / Pureboot for secure boot
## Vacuum Sealed Bags With Filler
One of the most reliable methods for ensuring tamper evidence relies on the randomness and difficulty of placing small objects henceforth referred to as "filler" (colored rice, lentils, confetti) in a transparent bag to encase an object which is then vacuum sealed. By placing an object in a transparent, vacuum sealable bag and surrounding it with filler, an arrangement of the filler around the object in the bag can be achieved which is difficult to reproduce. Upon sealing the object in this manner, photos can be taken to use as a reference once the object is accessed again - allowing one to verify that the arrangement of the filler has not changed.
### Threat Model
There are no known attacks for this type of tamper proofing method when executed properly. The main sources of risk stem from consistent and repeatable photography and comparison of photographs to ensure that any changes can be detected.
If photographs are not cryptographically signed, they can also be manipulated and/or replaced which could result in the compromise of the system as well.
The reason this method is effective is because unlike with many other methods that tamper proof a specific part of an object, such as applying glitter to screws which leaves device ports exposed, or using cryptographic signing to verify the hardware has not been modified, still leaving the door to physical modifications, vacuum sealing with colored filler encases the entire object in a tamper evident manner.
### Adequate Filler
To achieve the best level of randomness and difficulty of reproducing the arrangement of filler in a vacuum sealed bag, a variety of beads of different sizes and color should be used. They may be made of different materials as well.
### Additional Considerations
* This strategy may be layered, for example if one chooses to apply it to a hardware token, the sealed hardware token can be placed inside of a bigger bag, along with a laptop.
* A similar method can be used but with a bin filled with filler that the object is placed into. The main disadvantage here is that this type of tamper proofing is not resistant to seismic activity, air movement, or other sourced of vibration which could shift filler around.
### Procedure
#### Requirements
* Vacuum sealer
* Sealing bags of standard size objects which need to be protected can fit in. The bags should be perfectly see through, rather than with writing or any irregularities in the plastic which can obfuscate the view of the inside of the bag.
* Variety of beads of different sizes and colors
#### Sealing
1. Insert object into plastic bag
2. Fill bag with enough plastic beads that all of the object is surrounded
3. Use vacuum sealer to remove air from the bag until the beads are no longer able to move
4. Use the [Tamper Proofing Station](#tamper-proofing-station) to take a photograph of both sides of the sealed object using both the digital and polaroid camera
5. Take the SD card to an online connected device and commit the photograph to a repository, ensuring the commit is signed
#### Unsealing
1. Retrieve photographs which were taken of the sealed object and print them out, one copy for each operator
2. Use the photographs and compare them to the sealed object, ensuring the arrangement of the filler in the sealed bag is the same on both sides of the object
3. If there is no noticeable difference, proceed with unsealing the object, otherwise initiate an incident response process.
## Glitter on Screws
Glitter can be used as an additional control to provide tamper evidence on specific parts of hardware such as laptop screws - in case an adversary attempts to open the laptop and introduce a malicious chip, antenna or otherwise. While glitter allows to detect physical tampering of the hardware, it does not provide tamper evidence of the firmware and software that runs on the computer, and as such is not sufficient for adequate tamper proofing of laptops on its own.
### Procedure
#### Requirements
* 2 or 3 different types of glitter, ideally with small and large pieces of glitter of different colors
#### Sealing
1. Clean the surface the glitter will be applied to
2. Apply a thin layer of the first type of glitter
3. Wait for it to dry
4. Repeat steps 2, 3 with the different types of glitter being used
5. Take a photograph of the laptop, preferably using the [tamper proofing station](TODO)
#### Verification
There is no "unsealing" procedure as the glitter used on screws, or in other similar contexts is meant as a more permanent control. As such the primary action that's performed is the verification of the integrity of the tamper proofing seal.
To verify that the seal has not been tampered, compare the glitter arrangement to a photograph which had been previously signed and stored. Both operators should have a copy of the picture and use it to verify the integrity of the seal.
## Pureboot / Heads
This tamper proofing method is designed to protect the secure boot process of a computer. It does not protect the computer from physical tampering which can be used to ad
### Procedure
Refer to the [PureBoot Setup](./enable-pure-boot-restricted-boot.md) document
## Tamper Proofing Station
The Tamper Proofing Station is a simple structure used to make it easy to take photographs which have consistent lightning, consistent angle, and consistent distance from the object being photograph. In this manner, photographs can be taken which ensure that any differences in the sealed object can be easily detected.
### Instructions
To construct an appropriate Tamper Proofing Station, the simplest setup consists of:
* Overhead camera mounting rig
* Powerful LED light which can be attached to the mounting rig
* Camera which does not have radio cards in it and
* Has >10MP
* Uses SD cards for storing photographs
* Polaroid camera which can be attached to the mounting rig
Pick a location for the station, and attach the LED light and the camera to the overhead camera mounting rig. Set up the camera so that when it's turned on, a 14" laptop is perfectly framed without having to zoom in or out if possible.
## References
* [Blog About Tamper Evident Protection Methods](http://web.archive.org/web/20241130002204/https://dys2p.com/en/2021-12-tamper-evident-protection.html)
* [BitBoxTep - tamper-evident packaging](http://web.archive.org/web/20240519013739/https://medium.com/shiftcrypto/an-introduction-to-bitboxtep-our-new-tamper-evident-packaging-8fa06d983c32)
* [Mullvad - glitter tamper proofing](http://web.archive.org/web/20240317004315/https://mullvad.net/en/blog/how-tamper-protect-laptop-nail-polish)
* [Purism anti-interidction](http://web.archive.org/web/20241121233006/https://puri.sm/posts/anti-interdiction-services/)
* [Purism Liberty phone anti-interdiction](http://web.archive.org/web/20240903104700/https://puri.sm/posts/anti-interdiction-on-the-librem-5-usa/)

View File

@ -40,6 +40,8 @@ which had radio networking cards (bluetooth, wifi etc.) removed
* Leveraging tamper evident controls for components related to the system
* Leveraging frequency blocking methods such as TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions) and soundproofing
## General Threat Model Assumptions
Some additional assumptions are made to help contextualize the threat model:
@ -60,6 +62,336 @@ Some additional assumptions are made to help contextualize the threat model:
* Physical attacks are viable and likely
* Side-channel attacks are viable and likely
## Threat Model Levels
Different threat model levels allow an organization to start benefiting from the security properties of the QKM system immediately, with a clear path to upgrading over time as resources and time become available.
Each subsequent level assumes all threats and mitigations from the previous level, and introduces more sophisticated attacks and mitigations. As such, the levels should for the most part be adhered to one at a time, to ensure comprehensive defenses for all viable threats enumerated herein.
### Level 1
#### Threat Model
* Adversary is a low skilled individual targeting many custodians. This implies the adversary is not highly focused on compromising a specific custodian, but often relying on more scattered/shotgun strategies.
* Adversary is capable of:
* Using phishing to steal data from a random set of custodian end users
* Injecting malware into the system of a random set of custodian end users
#### Requirements
* MUST require hardware anchored login for large withdrawals
* MUST require hardware anchored signature for large withdrawal requests
* MUST verify withdrawal requests
Refer to [threshold based policies](TODO) for defining "large withdrawals" and related policies.
#### Reference Design
* Ensure all users withdrawing large sums over a short period of time are using FIDO2 or PGP capable smart cards for logging in and authorizing transactions:
* Hardware based WebAuthN/Passkey/U2F
* Android 7.0+, iOS 14+, MacOS 10.15+, Win10 1809+, ChromeOS, Yubikey 5, Nitrokey, Ledger, Trezor
* Consider software-based WebAuthN/Passkey/U2F as backup
* Ensure backend systems will only approve large withdrawals if signed by known smart card.
* Ensure all transaction approval keys are stored in a tamper evident append only database.
* To achieve this storage systems such as AmazonQLDB, git, Datomic etc. can be used
* Ensure all key additions are authenticated with a quorum of existing keys
* Consider allowing quorum of support engineer keys to enroll a new key to handle lost keys
* Use hash of transaction signing request as challenge to be signed by smart-card
* Blockchain signature only issued after verification a given request is signed by authorized user smart-card(s)
## Level 2
### Threat Model
* Adversary is a skilled and resourceful individual targeting one custodian
* Adversary can:
* Compromise one team member with privileged access
* Inject code into any OSS library
* Exploit any vulnerability within 24h of public knowledge
### Requirements
* All production access:
* MUST NOT be possible by any single engineer
* Consider a bastion that can enforce m-of-n access over SSH or similar
* MUST be via dedicated tamper evident workstation
* Consider: https://github.com/hashbang/book/blob/master/content/docs/security/Production_Engineering.md
* MUST be anchored to keys in dedicated HSMs held by each administrator
* Consider GnuPG or PKSC#11 smart cards that support touch-approval for ssh
* Any code in the transaction signing trust supply chain:
* MUST build deterministically
* MUST have extensive and frequent review
* Example: The Linux kernel has well funded distributed review
* MUST be signed in version control systems by well known author keys
* Example: OpenPGP signed git commits
* MUST be signed by separate subject matter expert after security review
* If third party code: it MUST be hash-pinned at known reviewed versions
* MUST be at version with all known related security patches
* SHOULD be latest versions if security disclosures lag behind releases otherwise N-2
* Example: The Linux kernel
* MUST be built and signed by multiple parties with no management overlay
* Example: One build by IT, another by Infrastructure team managed CI/CD
* MUST be signed by well known keys signed by a common CA
* Example: PGP Smartcards signed under OpenPGP-CA.
* All private keys involved:
* MUST NOT ever come in contact with network accessible memory
* All execution environments MUST be able to attest what binary they run
* Examples:
* Custom Secure Boot verifies minimum signatures against CA
* Cloud enclave that can remotely attest it uses a multi-signed image
* AWS Nitro Enclave, Google Shielded VMs, etc.
* App phone stores already anchor to developer held signing keys
### Reference Design
* Extend reference design from Level 1
* Create offline CA key(s)
* Consider OpenGPG key generated on airgap using keyfork, backed up, and copies transmitted to a smartcards such as a Yubikey
* CA key smart cards are stored in dual-access tamper evident locations
#### User Key Management System
* Enclave is created which is immutable with no ingress internet access
* Enclave has random ephemeral key
* Remotely attested on boot-up against multi-signed and known deterministically built system image
* Possible on many PCR based measured boot solutions like Heads, AWS Nitro Enclaves, or GCP Shielded VMs
* Ephemeral enclave key is signed with offline CA key(s) on verification.
* Enclave has ability to validate append only database of keys
* Enclave will sign new key additions/removals with ephemeral key if:
* User has no prior keys
* Key was signed with an existing key
* Key was signed with 2+ known support engineer keys
#### Signing Key Generation
* M-of-N key holder quorum is selected
* SHOULD ideally be on different teams
* SHOULD ideally live in different geographical zones to mitigate natural disaster, and war risk
* SHOULD have their own OpenPGP smart card with pin and keys only they control
* Shard keys generated
* SHOULD be an additional OpenPGP smart card separate from holders personal key
* SHOULD have random pin, encrypted to a backup shard holder
* SHOULD be stored in a neutral location only the primary and backup shard holder can access
* Done in person on air-gapped laptop that has been in dual witnessed custody since procurement
* TODO link to tamper chain of custody doc
* Has hardware anchor that can make all parties confident the OS image it is running is expected (Heads, etc)
* Has two hardware sources of entropy
* There are devices that can provide an additional source of entropy such as:
* Quantis QRNG USB
* TrueRNG
* Runs known deterministic and immutable OS image compiled by multiple parties
* Key is generated and stored
* Split to m-of-n Shamir's Secret Sharing shards
* Each shard is encrypted to dedicated shard OpenPGP smart card
* Shard smart card pin is generated randomly
* Shard smart card pin is encrypted to personal smart cards of primary and backup holders
#### Signing System
* Uses an enclave which is immutable with no ingress internet access
* Has random ephemeral key
* Remotely attested on boot-up against multi-signed and known deterministically built system image
* Will accept Shamir's Secret Sharing shards encrypted to random ephemeral key
* Will restore signing key to memory when sufficient shards are submitted
* Will only sign transactions if accompanied by signed request by authorized user
* Is able to validate signing request via CA key authorized user key management enclave signature
* Will only sign transactions that meet predefined size and rate limits by company policy and insurance levels.
## Level 3
### Threat Model
* Adversary is an organized group with significant funding
* Adversary can:
* Compromise one data center engineer into tampering with a target system
* Use a sophisticated 0 day vulnerability to compromise any one internet connected system
### Requirements
* MUST sign all transactions of significant value by multiple keys in separate geographical locations
* Consider well vetted open source multi signature, MPC or on-chain threshold signing software
* Locations MUST be separated by hours of travel
* Locations MUST not have any staff overlap
* Signing locations SHOULD distrust other locations
* Each location SHOULD do their own reproducible build validation
* Each location SHOULD do their own verifications on all large transactions
## Level 4
### Threat Model
* Adversary is a state actor
* Adversary can:
* Tamper with the supply chain of any single hardware/firmware component
* Quickly and covertly relocate any device to a lab environment, complete attacks within a short time period, and return the device to its original location
* Use sophisticated side channel attacks for exfiltrating data, cryptographic material being a high risk target
* Acoustic (DiskFiltration, Fansmitter, Acoustic Cryptanalysis, sonic cavity resonators, etc.)
* Optical (VisiSploit, xLED, eavesdropping via vibration analysis etc.)
* Thermal (BitWhisper)
* Electrical (Simple Power Analysis (SPA), Differential Power Analysis)
* Magnetic (ODINI)
* Electromagnetic (USBee)
* Radio (NFCDrip, Vapor Trail, RFID, FM, Wifi, Bluetooth, GSM, SATA cable eavesdropping etc)
* Steganography
* Use other sophisticated attack types such as:
* Non-deterministic encryption/signatures/data
* Differential Fault Analysis (DFA)
* Data remanence
* Exfiltrating data via induction of power lines, water pipes, telephone lines, coaxial cable used for televisions and internet etc.
### Requirements
* All signing systems:
* MUST have dual implementations of all policy enforcement and signing logic
* MUST use two or more unrelated hardware supply chains
* Example: Rust on RISC-V Linux on an FPGA vs C on PPC Gemalto enclave
* MUST return deterministic results
* Results are only exported for chain broadcast if identical
* MUST be stored in near zero emissions vaults a single user can't open
* See: NSA TEMPEST
* MUST ensure that individuals are scanned for devices before entering the vault
* MUST only communicate with outside world via fiber optic serial terminal
- [ ] TODO do we even want this in the facility?
* MUST be housed in Class III bank vault or better
* MUST have constant environment deviation monitoring
* Thermal, Acoustic, Air quality, Optical
* MUST destroy key material on significant environment deviations
* TODO: methods for doing this
* MUST be accessible physically with cooperative physical access
* MAY use FF-L-2740B or better locks with dual pin enforcement
* MAY use dual biometric enforcement to get near area and disarm security
## Additional Threat Model Notes

View File

@ -0,0 +1,29 @@
# Verifying Signatures
When building and downloading software it is essential to verify signatures to ensure its integrity.
Verification of software depends on two primary aspects:
* Ensuring that the hash of a binary matches some point of reference, for example the same binary previously built by a trusted team member, or a hash hosted alongside the software in the download location.
* Ensuring that signatures alongside hashes are from trusted asymmetric keys (e.g PGP keys)
In order to achieve this, one must establish that specific keys are "well known" and can be trusted - that is, that they belong to a given individual. To achieve this, the best method is to exchange keys in person, but a combination of the following methods gives even higher confidence thresholds:
* Verifying the key in person
* Finding a reference to a public key on the individual's personal website
* Finding a reference to a public key on the individual's social media platforms
* Finding a keyoxide profile for a given public key
* Finding a reference to a public key on a company website
* Looking up popular key servers to see if a given individual is associated with it
Each point of reference allows us to build confidence that the key is indeed owned by an individual.
One other consideration is how the key is protected. If possible, find out how the individual manages their key. If the key is stored on a local machine, the trust level for that key should be low. If the individual always manages their keys in airgapped environments, and on HSMs, then a higher level of trust can be ascribed - although ultimately in most cases it's impossible to verify that the individual followed a given policy around key management.
One favorable method for ensuring that a key never got exposed is using built in cryptographic attestation that a key never left a TPM, such as the one offered by YubiKey. While this type of key setup has the downside of not being able to back it up, one could use a master key to sign such a key, authorizing it for use, while giving the flexibility to rotate if the hardware token is damaged or lost.