Ceremony - how to set up a secure Revault infrastructure

[kloaec]

WORK-IN-PROGRESS - DO NOT USE (yet)

THERE IS NOT SUCH THING AS PERFECT SECURITY.
thIs iS NoT SEcuRitY ADviCe

Table of content:

1. Rationale
2. Revault
   2.1. Vocabulary
   2.2. The Revault deployment
   2.3. Secrets
3. Key generation and verification
   3.1. Shopping list
   3.2. Pre-ceremony work
   3.3. The Ceremony
   3.4. Sharing the secrets and pub keys
   3.5. Testing
4. Post-ceremony

Rationale

Revault is about going further than simple key management security. The protocol adds logic and rights management for delegating, spending and securing funds.
That said, key management is still important in Revault.
Revault states that everybody-but-one-participant can be corrupt, the system still works. Still, we want to help clients/users to set up the protocol correctly, with best security practice. We try to keep a trail for forensic should a critical failure happen, helping the client understand what went wrong.
The Ceremony, as the rest of the Revault architecture, is designed to defend against very motivated and capable attackers.

Revault

Vocabulary

• stakeholder: participant necessary to make funds "spendable" but not needed during day-to-day spending
• manager: participant making day-to-day transactions. May or may not also be a Stakeholder.
• participant: either a stakeholder or a manager (or a stakeholder-manager).
• emergency wallet: a wallet external to the Revault deployment, used as a deterrent against some physical threats.
• watchtower: automated server enforcing the policy of a stakeholder.
• hardware wallet: offline and secure signing device, with a firmware compatible with the Revault protocol.

The Revault deployment

• (at least) 1 watchtower per stakeholder
• 1 revaultd+GUI client per participant (stakeholders+managers) / running either on their day to day computer or a dedicated machine
• 1 hardware wallet per participant (stakeholders+managers)
• 1 cosigning server per stakeholder
• 1 coordinator server per deployment
  extra watchtowers may (should) be deployed and/or contracted to third parties.

Secrets

• 1 seed per hardware wallet (= per participant)
• ? private keys (typically 1 per stakeholder, can have more/different/external participants) for the Emergency address
• 1 extra seed per manager (fee-bumping wallet)
• 1 seed per watchtower (>= per stakeholder)
• 1 static bitcoin private key per cosigning server (=per stakeholder)
• 1 authentication key per participant
• 1 authentication key per watchtower
• 1 authentication key per cosigning server
• 1 authentication key for the coordinator server
• the Emergency Witness Script (shared by the stakeholders)

Key generation and verification

shopping list

• each participant to procure 1 hardware wallet, directly from manufacturer, if possible not in their own name/address, if possible in person, cash. Participants should not all procure their hardware wallet from the same manufacturer. other signing devices such as offline computers may be used but are not recommended for usability (in a secure manner)
• each stakeholder to procure 2 brand new laptops (or other general purpose computing device) of different brands, from 2 different shops, if possible in person, in cash, and not at the store closest to their place of residence or work. Any laptop should work AS LONG AS it has an SD or MicroSD card reader. Preferably no Apple computer.
• each participant to procure (number of participants + 4) MicroSD cards (speed and capacity do not matter) + 1 MicroSD-to-SD adapter
• each participant to procure 1 faster MicroSD card, class U3 and or V30 (or faster). Capacity does not matter.
• each participant to procure a "Revault Kit" or its content separately:
  • printed instructions (this can be tampered with - compare&verify with digital doc!)
  • at least 5 unmarked 6-sided dice (or casino grade dice, or equivalent). More dice=better in case they are not proven balanced.
  • a backup medium. The Revault kit includes both
    • Metal backups (at least 2 for the main secret + 2 for emergency key. The more the better.) + numbered stamps (durability and readability)
    • Paper backups for seed words (recovery convenience), archival grade and preferably water resistant
    • a transparent pen with archival grade ink
  • 10+ unique tamper-evident envelopes per participant (or better tamper-evident seals)
  • "privacy booths", such as cardboard screen to prevent other participants to watch what is being rolled/written
  • screwdrivers (for opening the laptops)
  • thick tape to mask cameras
  • a minimalist room with a basic table and basic chairs, where you can make sure there is no camera nor microphone. Thick curtains or no windows.

Pre-ceremony work for all participants (may be assisted by Revault team)

• unseal the faster MicroSD card
• download a Linux operating system with live environment
• verify the signatures/hashes of the downloaded ISO
• "burn" the ISO to MicroSD
• unseal one of the MicroSD card
• download the Revault Installer
• verify the signatures/hashes
• copy the Revault Installer to the MicroSD
• check both SD cards again on a trusted laptop (the Revault team can assist)
• label the SD cards:
  • Revaultd+GUI
  • Watchtower
  • Cosigning Server
  • Coordinator Server (only 1 needed per company, who verifies? Is it critical?)
  • CEREMONY stick
• copy each software to their respective SD card
• put the SD cards in read-only mode (from the physical LOCK tab) if available. (or do we make full size mandatory?)
• install the Revaultd+GUI on their existing work computer (if not using a dedicated laptop for Revault)
  • ⚠️ if full archive node, need to have a ton of free space >>500GB for long-term usage
  • user will face the Ceremony screen, nothing to do at this stage. Sync in background until done.

The Ceremony 🍾

• participants get naked and check cavities of each other participants for microphones or other devices (alright, optional i guess)
• participants leave their phones at home, or at least outside of The Ceremony Room ™️
• Unseal the laptop boxes
  • DO NOT BOOT.
  • use the screwdriver to open the laptops
  • remove the wifi card if possible, if not at least disconnect the antennas.
• Boot (pre-installed OS or sd card?)
• check signatures of all sd cards again? Are we not creating a security risk here? Need to discuss this more.
• Use CEREMONY sd card. Verify this one for sure.
• Open the README text file, follow instructions
• Open the Revault Kit, or equivalent. Follow instructions, compare with README during each step

Private Keys

• (if required, label the dice)
• open the EFF Diceware list from the SD card, on both latops
• roll 100 dice (20 rolls of 5 dice or equivalent), while stamping/writing on the backups.
• on the EFF Diceware list, for each 5 dice scroll to find the corresponding word. (Scroll, do not type anything).
  • copy the word, paste it on the key generation software (need name and format for this.). Do this on both laptops.
  • write down the word on a backup paper sheet
  • once all words have been written down, and copy-pasted, do one last check they match.
• click "generate" on the software on both computers
  • check that the results are identical on both computers
  • write down the resulting mnemonics (optional, recommended) on paper

Sharing the secrets and public keys

2 options here: either type them on virtual keyboards or use SD cards. Different UX and security. (THIS NEEDS TO BE STUDIED IN DEPTH. SD and .txt security is important to check here)
The "typing on virtual keyboards" is self explanatory, follow each device instructions.
The SD option is as follow:

• for each step, write the data on the corresponding SD card, then lock it, then verify it on the second laptop, then if it matches use it on the right device.
• Public Stakeholder SD
  • Wallet xPub, Cosigner address, Emergency address, Noise pubkeys (which?), name/identifier
• Secret Hardware Wallet SD
  • Wallet private key/mnemonic
• Secret Watchtower SD
  • Wallet private key/mnemonic
  • Noise Private
• Secret Cosigner SD
  • Wallet private key/mnemonic
  • Noise Private
• Secret Manager SD
  • Wallet private key/mnemonic
  • Fee wallet private key/mnemonic
  • Noise Private
• Secret Revaultd SD
  • Noise Private

[darosior]

Should the room be naked and checked its cavities as well ?

[kloaec]

Still a lot to do, and decide.
Questions to discuss on Monday:

• SD/.txt file or typing (virtually) everything?
• Emergency gen, probably same set up but AFTER all other secrets have been shared so no leaks. OK or more laptops to do it completely offline again?
• printing word list/instructions or on-screen enough? I actually thing onscreen is more trustable as duplicated and signed.
• dice or no dice?
• moar