MozillaFoundation / mpa-cryptomancer-challenge

A repo for the Mozilla Privacy Arcade Cryptomancer Challenge, part of the 2017 Global Sprint

WIP - Enterprise Shardnet Architecture #16

Open cryptomancer-actual opened 7 years ago

cryptomancer-actual commented 7 years ago

Today, I am hoping to finish a submission for the sprint that explores what a big enterprise/corporate network would look like in Cryptomancer, including how attackers would attack it and how defenders would defend it.

Here's a sneak peek... I'll be posting the written context later today... (image: cd2enterprise)

tromand commented 7 years ago

What's the role of the root shardnet here? Do you have a cryptoadmin on each sub-shardnet?

cryptomancer-actual commented 7 years ago

Good questions.

I need to add where the Cryptovault (datacenter) will be. Basically, where the golem is, that's also where the cryptoadmin is. Generally, people on the leaf shardnets won't have direct access to the cryptoadmin and vice versa. To facilitate that, someone on the branch shardnet (perhaps a local admin or a manager) would have to bridge the leaf and branch shardnets.

One of the design goals is to enable every member of this organization, no matter where they are, to access the Shardscape if they need to, while also achieving compartmentalization.

The root shardnet is the senior leadership and/or senior security staff. Structurally, they work like a leaf shardnet, but they have access to the cryptovault and know the golem's true name.

tromand commented 7 years ago

From a defense point of view, it would be good to add some kind of fail-safe on the leaf shardnets, so if one is compromised (the leaf shardnet itself, or the admin) it cannot contaminate the full network. Maybe the bridges between the leaf shardnets and the backbone could be "cut"?

cryptomancer-actual commented 7 years ago

Cut, or "pruned" lol

Either way, exactly right, and that's sort of what I'm hoping to build into this design. Leaf shardnets are compartmentalized, meaning they can't talk to other leaf shardnets. Generally speaking, if a leaf network gets compromised, it can be cut off from the rest of the network. The manager or local admin who possesses both a leaf shardnet and a branch shardnet will be instructed to smash/lose her leaf shard if it is compromised. If she is about to be captured, she is tasked with destroying her branch shard, to save the rest of the network. Now, if she is an insider threat, or was captured before she could destroy her branch shard, the cryptoadmin, golem, and even root shardnets are at risk.

It's a pretty insecure system, but that's why it's fun!

tromand commented 7 years ago

Yes it is :) You have to know the true name of a golem to send a message to it, right? (Trying to come up with new defenses.)

cryptomancer-actual commented 7 years ago

Yes.

What I'm thinking is, no one in a leaf shardnet (except the manager, who also has a branch shard) knows the Golem's true name. If a worker/operative in the field needs to access the Shardnet (either to perform a query or leave a message), she must tell her manager. The manager then uses the Golem's true name to make that query/echo on the worker's behalf (over the bridge shardnet).

tromand commented 7 years ago

It could be useful to represent this setting somewhere in the map.

The branch shardnet is still worrying me; it seems easy to collateralize an attack on this part. The leaves seem easier to secure.

cryptomancer-actual commented 7 years ago

Text so far....

Figure I provides a high-level overview of an example enterprise shardnet architecture so that the reader can quickly orient themselves to this idea. We will be walking the reader through this example by starting from the perspective of an individual unprivileged user before making our way all the way to this shardnet's most privileged user.

User Groups

Fundamental to enterprise shardnet architecture is the idea of user groups. The proposed design features three different user groups ([root, branch, leaf]) in descending order of privilege. Participants who are part of the root user group are privileged users who are able to access the shardnet’s most sensitive data (e.g. the golem’s registry), make substantive changes to the shardnet (i.e. reset or reconfigure the golem), or issue orders to all other users on the enterprise shardnet.

Participants who are part of the branch user group are semi-privileged users who can directly access the Shardscape safely via the golem as well as participate in the small compartmentalized shardnets that compose the leaf user groups.

Participants in the leaf user group are non-privileged users who are part of a small private shardnet that is only able to connect to other parts of the enterprise, including the golem mediating Shardscape access, when a member of the branch user group determines it is necessary.

Compartmentalization

Consider the member of the branch shardnet at the far right of the image, the large gray circle surrounded by star-shaped leaf shardnets. We will consider her a lieutenant in the larger organization. She possesses a shard from the branch shardnet, meaning she is able to communicate directly with other lieutenants as well as communicate directly with the enterprise golem. She also possesses three other shards, one from each of three different leaf shardnets. These discrete subgroups are composed of workers, soldiers, or mooks who take their orders from the lieutenant. It is very possible (and likely) that these groups don't even know of each other's existence.

Leaf shardnets are disposable. If one of the leaf shards is compromised by an attacker, there is no further harm done to the larger organization. In fact, the lieutenant could sever all ties to a compromised leaf network and even do so instantly by disposing of or shattering the leaf shard associated with that shardnet. However, if the lieutenant loses her branch shard, there is considerable risk to the larger organization. An adversary now has the ability to eavesdrop on communications in the branch shardnet, masquerade as her, or disrupt the network in other ways (e.g. cast Denier, drop Shard Spikes, geolocate the other lieutenants, or bridge the branch shardnet with the Shardscape in order to flood it and bring normal communications to a halt).

The root shardnet, meanwhile, is always segregated from the rest of the organization via the golem. To attack root from a compromised branch shard, the attacker must discover the golem's true name or determine what keyphrases it has been instructed to listen for.

cryptomancer-actual commented 7 years ago

Leaf Shardnets

I am an individual worker in a large organization. Perhaps I am an accountant sitting inside one of the offices of a large, global bank that has locations in every major city-state, clanhall, and lacuna tree. Perhaps I am a field agent for a secret resistance organization spread across the region, or perhaps a mercenary in a guild that does the dirty work for different rulers throughout the lands. Either way, I am part of something very big and very organized, but I don't have access to all of it, because I am just a worker.

The organization gave me a shard. They call it a "leaf shard," because just like a leaf on a tree, when a leaf is cut or falls off of a tree, no harm is done to the tree. My leaf shard is part of a small shardnet, composed of maybe four to six other leaf shards. My immediate comrades and coworkers are holding on to the other shards, as is my local boss, the one who gives me assignments. We use our leaf shardnet to talk to each other and coordinate our actions during an assignment. We try to use cryptomancy to encrypt our communication in case one of our leaf shards falls into the wrong hands, but sometimes we forget. The boss yells at us for this and we try harder next time.

When I am out in the field doing my duties, and I need to access the Shardscape, I don't actually have to go find a public Shardscape shard in the city. I can simply use our leaf shardnet to tell my boss what information I need to find or what message I want to send someone on the Shardscape. This means I have to tell her everything, including the keyphrases I use if I want her to send an encrypted message. That's OK, though, I mostly trust her. And if I was keeping a secret from my organization, I certainly wouldn't use their shards to talk about it.

Most of the time, the boss tells me what to do. But sometimes, she gets orders from her boss. Us workers never get to see those conversations though, because they happen on the "branch" shardnet.

Branch Shardnets

I am a local administrator or manager in a large organization. Perhaps I am the regional manager of a soma distribution company in elven controlled lands. Perhaps I am the spymaster handling and secretly communicating with agents I have placed behind enemy lines. Either way, I manage and orchestrate the activities of many workers. I have one shard from multiple separate shardnets. I use this one to communicate with the team I have in the forest, this one for the team in the dwarven depths, and this one for the team squatting in the city. I can communicate with any of these teams, but each team doesn't even know the others exist. Our organization does that so if one team gets captured or compromised, they can't betray the other teams.

I check these leaf shards constantly to stay up to date on what my teams are doing. However, I spend a lot of time using my branch shard. Other managers like me, managing their own teams, have a branch shard, too. We talk to one another frequently on this shardnet and sometimes collaborate. If a manager needs help, for example, I might instruct one of my teams to travel to that manager's region and provide assistance. None of our workers have access to this shardnet, so we can discuss our plans freely. However, we still use cryptomancy to protect our messages, because what we talk about is very, very sensitive.

Aside from the other managers, there are two very important beings who also possess a branch shard: our cryptoadmin and our golem. They are both in our organization's secret and heavily fortified cryptovault. I sometimes talk with the cryptoadmin about security matters, but most of the time, I am talking to the golem. Sort of. When I want to access the Shardscape, I encrypt my request using the golem's true name. Only the cryptoadmin and the other managers know the golem's true name, for security purposes. The golem decrypts the request I encrypted, and then performs my request. Sometimes I tell it to perform queries to find information that one of my workers asked for. Sometimes I tell it to send an encrypted message and then start listening for a certain keyphrase that my recipient will use to reply back to me. Because I am encrypting my requests to the golem with its true name, none of the other managers can see these communications. However, the golem logs everything in the registry, so I know the cryptoadmin can review what I'm up to.

cryptomancer-actual commented 7 years ago

Root Shardnet

I am our organization's cryptoadmin. My job is mission critical. I keep the golem in working order and manage our overall shardnet infrastructure. You could say our entire mission rests in my hands. I have been extensively vetted, but the big bosses have taken measures to ensure I don't get any ideas about betraying the organization. Every once in a while, they send an inquisitor to have a chat with me. Sometimes, he'll cast the "Mind Read" spell on me to make sure I tell them the truth. It's all part of being trusted with this responsibility, I guess. They also have leverage on me. They know my true name, and the true names of my family members. They can and will find me if something goes wrong. However, it won't come to that, because they take good care of me. And the last thing I want to wake up to is a Risk Eater at my door.

I spend almost every waking hour in our cryptovault. This place is a veritable fortress. There is a whole garrison of guards outside the vault doors to protect me and also protect the windmills that are providing power to the golem. Inside the vault, there are shards everywhere. Most of them are in the golem's hands, though, literally. I use my branch shard to communicate with the other members of branch: the managers and local administrators running the teams out in the field. I use my cryptomantic and magical know-how to support them when they need it. For example, if a manager wants to know exactly where one of her agents is, I'll ask her to temporarily bridge her branch shard with the leaf shardnet that has the missing agent. I'll then cast "Tracer," a spell that builds a mental map of the physical location of every shard I'm connected to. So yes, I'll be able to tell you where every branch shard is, but now I can also tell you where all four or five leaf shards are in that shardnet the manager has bridged. Don't get me wrong, I don't like to do this. When that bridge is made, it creates an opportunity for someone on that leaf shardnet to eavesdrop on the branch network or even access the golem. That's why I usually tell branch to maintain silence while I do this, and tell the manager to sever the bridge the moment I am done casting the spell.

I have access to a special shardnet that not even the managers nor the golem have access to, and we call it the "root shardnet." The root shardnet is used by me and the organization's big bosses. They really don't use it much, but when they want to talk to me directly, they'll encrypt their messages with my true name so only I can see it. The message will contain a keyphrase I should use to respond back. They usually ask for a status report on what's going on in the organization, or ask me to look up something in the registry. These folks are paranoid, and often want to see what kind of queries the managers are making in the Shardscape. Sometimes they want to talk directly to a manager, so they'll ask me to create a temporary bridge between root and branch. They'll usually encrypt with that manager's true name, so I can't really see what is being talked about. That's probably for the best.

There was one time when the big bosses asked me to reset the golem's true name, and then only share the golem's true name with four of the six managers. I told them that those two managers and their teams won't be able to access the Shardscape if I do that, and they told me not to worry about it. Then they asked me to bridge root with branch and started contacting the four managers they trusted, presumably using their true names for encryption. The remaining two managers kept asking what was going on, but I didn't reply, because I didn't know and figured the brass were up to something. Then a few hours later, those managers went silent, completely. No more echoes, nothing. I figured out what happened a few days later, when an agent dropped off two branch shards in a blood-soaked bag and tore a few pages out of the registry.
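As an added example (not part of this repo or of the Cryptomancer rules), here is a small Python model of the membership and bridging rules laid out in the "Text so far" post and in the cryptoadmin's Tracer story above: holding shards from two shardnets leaks nothing by itself, an active bridge joins two shardnets, and the model computes which shardnets a lost shard or a captured holder exposes, and what pruning a compromised leaf looks like. The holder names and the specific leaf shardnets are constructed sample data.

```python
from collections import deque

# Constructed sample membership for the architecture in the thread:
# holder -> shardnets whose shard that holder carries. Leaf shardnets are
# compartmentalized: only a manager also holds a branch shard, and only the
# cryptoadmin holds both a root and a branch shard.
SHARDS = {
    "big_boss": {"root"},
    "cryptoadmin": {"root", "branch"},
    "golem": {"branch"},
    "manager_a": {"branch", "leaf_forest", "leaf_depths"},
    "manager_b": {"branch", "leaf_city"},
    "worker_1": {"leaf_forest"},
    "worker_2": {"leaf_depths"},
    "worker_3": {"leaf_city"},
}

def blast_radius(start_nets, bridges=()):
    """Shardnets an attacker can reach from the ones they already hold a
    shard in, crossing only bridges that are active right now. A bridge is
    a pair of shardnets one holder is currently joining (shard in each hand);
    merely carrying two shards without bridging leaks nothing between nets."""
    reached = set(start_nets)
    queue = deque(start_nets)
    while queue:
        net = queue.popleft()
        for a, b in bridges:
            other = b if net == a else (a if net == b else None)
            if other is not None and other not in reached:
                reached.add(other)
                queue.append(other)
    return reached

def lost_shard(net, bridges=()):
    """A single shard from `net` falls into the wrong hands."""
    return blast_radius({net}, bridges)

def captured_holder(holder, bridges=(), shards=SHARDS):
    """The holder is taken before destroying their shards: every shardnet
    they carry a shard for is exposed, plus anything bridged to those."""
    return blast_radius(shards[holder], bridges)

def prune(net, shards=SHARDS):
    """Cut a compromised shardnet off: every holder shatters their shard for
    it. Returns the new membership map; holders left with no shard drop out."""
    pruned = {h: s - {net} for h, s in shards.items()}
    return {h: s for h, s in pruned.items() if s}
```

Running `lost_shard("leaf_forest", bridges=[("branch", "leaf_forest")])` reproduces the Tracer risk: the leaf compromise reaches branch only while that bridge is up.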

BrotherPhil commented 7 years ago

Might the cryptomancer at the senior end of a root-leaf link want to work in a magic circle, to firewall the root network (or senior network at loser levels)? In fact, might it be a good idea generally?

BrotherPhil commented 7 years ago

Sorry, that should be lower levels, not loser. Mind you, depending on the context...

cryptomancer-actual commented 7 years ago

Hrmmm... you are right on the money. There is risk to everyone in this architecture and they need defenses and countermeasures. (A technicality, BTW, I think generally, you'll never have root be bridged with leaf, unless it's an accident.... though your point still applies to root talking with branch).

The way bridging works is one person holds a shard from shardnet A in one hand, and a shard from shardnet B in the other hand. Now all communication travels through that person. In the case of root communicating directly with others, the cryptoadmin in the cryptovault (data center) is the only one who creates that bridge, because he is the only person who has a shard from the root and branch networks (but not leaf). The cryptovault is about as highly secure as you get. Granted, there are still many security issues that could arise, discussed in Cryptomancer. For example, an attacker on your network can eavesdrop, geolocate you, spy through shards like they were CCTV cameras, or even warp through shards and appear right next to you. That's scary. In Code & Dagger Volume I, there is a whole section on "cryptovault hardening" that covers defenses against that... basically, some fun physical controls very similar to what I think you are talking about with a "magic circle."

BrotherPhil commented 7 years ago

Thank you - just got the pdfs, so I'll get reading.

cryptomancer-actual commented 7 years ago

@BrotherPhil There is a 45 minute presentation in Issue #18 that covers a ton of the IT/crypto/hacking stuff if you're interested in a speed run... otherwise, enjoy the PDF!