Closed Slesarew closed 1 year ago
Some (poorly thought through) ideas: we already have keys we consider "secure enough" in our keyring of Signer.
We can make our log verifiable via a hash-chain (like in git: id of state X := hash(contents at X, id of state X-1)), and sign the hash every time we sign anything else.
This would reduce potential log tampering to the time since the last signing, while not introducing any significant new trust requirements.
Open questions:
The history page now shows a checksum of the history db tree. The user can memorize the u32 shown and check it the next time Signer is launched; history is automatically salted with full-length system timestamps that are difficult to tamper with; the same timestamps could be used to match the checksum, so things with direct memory access can break through. This feature is not easy to use and will not be used by most users, but it's better than nothing.
No user request or planned feature on the roadmap relates to this; closing for now.
Design some way to protect history from tampering if adversary has access to phone memory. Blockchain? What would be the key? How to verify it?