docs: add security section

This commit is contained in:
Ryan Heywood 2024-01-25 01:18:05 -05:00
parent 304b1f9baa
commit 4c0521473f
Signed by: ryan
GPG Key ID: 8E401478A3FBEF72
2 changed files with 82 additions and 0 deletions

View File

@ -4,6 +4,7 @@
# User Guide
- [Installing Keyfork](./INSTALL.md)
- [Security Considerations](./security.md)
- [Shard Commands](./shard.md)
- [Common Usage](./usage.md)
- [Configuration File](./config-file.md)

81
docs/src/security.md Normal file
View File

@ -0,0 +1,81 @@
# Security Considerations
Keyfork handles data that is considered sensitive. As such, there are a few
base considerations we'd like to make about the environment Keyfork is run in.
This ensures that the amount of mitigations needed to run Keyfork are reduced.
## Build Process
Keyfork should be built using a secure toolchain, such as through Guix or the
Distrust Packages system. Using something such as `rustup` means Rust can't
properly be verified from source. Ideally, Keyfork should be built by multiple
developers and verified between them to ensure the results are deterministic.
## Hardware
Keyfork is expected to run on hardware detached from the Internet and from any
other computers. This helps ensure the Keyfork seed is never exposed to any
online system. Exposing the Keyfork seed may result in a compromise of data
derived from Keyfork. The hardware is expected to be stored in a safe location
along with the removable storage containing the operating system and (if using
Keyfork Shard) the shard file, where adversaries are not able to tamper with
the hardware, OS, or shard file.
## Software
Keyfork is intended to be one of few programs running on a given system. The
ideal system to run Keyfork under is an OS whose only dependencies are Keyfork
and Keyfork's runtime dependencies. Because of these restrictions, Keyfork does
not necessarily need to include memory-locking or memory-hardening
functionality, although such functionality may be included upon further
releases.
## Keys in Memory
As Keyfork is expected to be the only program running on a given system, it is
not expected for Keyfork to defend against malicious software on a system
scanning the memory of Keyfork and extracting the keys. As such, at this time,
Keyfork does not zero out previously-used memory. Additionally, if such
software did exist, because Keyfork is intended to run on hardware detached
from the Internet and from any other computers, the risk of practical covert
channels is reduced. Tempest and side channel attacks may be mitigated by
running Keyfork on hardware located in a Faraday cage.
## Security of Local Shards
The threat model of Keyfork in a "local shard" configuration is that an
adversary can, without leaking the seed:
* Compromise `M-1` shard holders or shards
The threat model of Keyfork in a "local shard" configuration does not include:
* Compromise of the system running Keyfork
Keyfork does not provide a mechanism by itself to ensure the operating system
or the Keyfork binary has not been tampered with. Users of Keyfork on a shared
system should verify the system has not been tampered with before starting
Keyfork.
## Security of Remote Shards
The threat model of Keyfork in a "remote shard" configuration is that an
adversary can, without leaking the seed:
* Compromise `M-1` shard holders, shard holder devices, or shards
* Eavesdrop upon (but not intercept or tamper with) secure communications
The threat model of Keyfork in a "remote shard" configuration does not include:
* The compromise of the system initiating the "remote shard" requests.
Keyfork has a "remote shard" mode, where shards may be transport-encrypted to
an ephemeral key and combined on a system run by a user we will call the
"administrator". In this design, it is expected that a secure communications
channel is established that can be spied upon but can't be tampered with. The
administrator can then begin distributing encoded (not encrypted!) public keys
to remote shardholders, who then decrypt and re-encrypt the shards to an ECDH
AES-256-GCM key. Because the shard is re-encrypted, it can't be intercepted by
anyone intercepting the communication. However, it is possible for the
administrator to leak either the Keyfork seed or any number of shards if they
are the only user operating the system combining the shares.