Let’s say we have a big company with lots of servers, providing services to lots and lots of customers. Where should they store their own passwords? A centralized system like LDAP and enforcement of 2-factor authentication is appropriate, but what about the encryption keys for financial data? What about administrative overrides for network equipment? If the network is down, how can you let people log in to a router to fix it if the router can’t check the user logging in against the LDAP server? We need break-glass accounts and the like.
So there will need to be some repository of sensitive data that is rarely needed. I think we can print it on paper! It has very predictable deterioration properties, unlike electronic devices that can go from 100% functional to 100% completely fried in a nanosecond due to an unfortunate cosmic ray hitting just the wrong atom*. It’s also highly resistant to hackers. The Israeli intelligence service is said to keep their most sensitive data on paper only.
But do we really want to keep these super-admin overrides on a bunch of paper where someone can just flip through them and take pictures of them with their smart phone? No, that would be bad. I have a proposal:
I’d recommend generating these kinds of passwords for sets of devices. You buy ten new switches? Generate admin passwords for those ten and print them out on paper. Two papers. The first half of each password goes on one page. The other half on another. The people doing the work can check that the two pages contain the complete passwords so we know they will work when needed. It’s kind of hard for people to remember ten 20-character random passwords that they’ve seen once, so it’s not a big security issue that the passwords are checked. We want to balance security with reliable access in an emergency.
Now things start to get a bit administrative. I suggest each paper is placed in a sealed envelope with a tamper evident label. I bought some from Amazon just to try it out:

Before I “opened” it the blue color was uninterrupted. Afterwards the white text appeared (I think it’s supposed to say “Void, opened”) and I’d struggle to get the thing back to its original condition. Note the serial number. I wouldn’t trust the manufacturer to never reuse serial numbers. But it’s not in their interest to offer these labels to people with whatever serial numbers the customer asks for, so it’s not trivial to get your hands on duplicates. You’d probably have to buy an excessive number of labels to have a chance of getting duplicates.
Illustrations with a single password for simplicity:



Now we have our password halves in sealed envelopes and we can lock them away. Preferably in two locations where no one person has access to both. That way the password can only be used with more than one participant involved. The use case would be something like this:
Bob: Uhm, boss?
Boss: Yeah, what's up?
Bob: Uhm, we need to access the snapshots and binlogs for the database server that handles financial transactions.
Boss: What happened?
Bob: A bad patch was rolled out that deleted a bunch of stuff. We need to restore the data from snapshots and a binlog replay.
Boss: Okey, do it!
Bob: We need your help.
Boss: How? I don't even know what a binlog is. I've heard you talking about it but that's it.
Bob: Well, it turns out the normal decoding stuff isn't working. You know, with the hardware tokens?
Boss: Sounds vaguely familiar. Oh, now I get it! We need the override password from the safe?
Bob: Well, two safes. One half is in one safe, the other half is in another safe. Here's a write-up of what we want and why.
Boss (reads paper): Okey, but we need one more person here.
Bob: Oh, right! Jim, get in here!
Jim: What?
Bob: We need you to sign the paper. It has to be two people asking for the override before we can go ahead.
Jim: All right, what do I need to do?
Bob: Do we need the override password for the snapshots and binlogs of the financial transaction server?
Jim (looking confused about why the question is being asked): Yes...
Bob: Then sign on the dotted line here.
Jim signs.
Boss: Good, then I'll sign it and we can get cracking.
Department A:
Bob: Hi! We need the ledger over secure envelopes in department B.
Boss (whispering to Bob): Why doesn't the ledger at department A cover their own envelopes?
Bob: Because then they could fiddle with both the ledger and the envelopes and we would be none the wiser. If department B wants to open an envelope and edit the ledger to hide that transgression, they need help from department A.
Boss (thinking): Okey, makes sense. Also, you could just call it "rule breaking" rather than "transgression". It would be easier.
Bob shrugs.
Bob (grabbing ledger): Thanks!
Department B:
Bob: Hi! We need a sealed envelope... (looking in ledger). Number 1203.
Harry: Okey. Hi boss!
Boss: Hi.
Harry: You have the paperwork?
Bob: Yeah, here it is.
Harry: Good. I'll just go and fetch the envelope.
Bob: Oh, we need the ledger for envelopes for department A.
Harry (looking at the paperwork again): Sure, I'll get that too.
Harry comes back with the two items.
Harry: May I have the ledger?
Harry (talking to himself, comparing records): 488901 from 2023-04-22. Yeah, that's good. I'll just cross it out in the ledger. There!
Bob: Can I see it now? I'll need to write down password 7.
Harry: Here you go.
Bob: Thanks, got it. Will you seal it back up?
Harry: Yes, I'll get a new label and envelope.
Harry seals the envelope with a new label.
Harry: Label number 489102 and today is 2023-07-03. I'll sign the label and add a new ledger entry.
Bob and his boss look on as things are prepared.
Harry: Done.
Bob: Good, we'll be back shortly with the ledger.
Department A is the same thing. Talk to someone who can fetch the paper, check that no one has accessed the envelope since the last authorized access, etc. The team then returns the ledgers they got from the two departments.
Bob, Jim and their boss all go to a workstation and log in using the secret password. Bob fixes the problem and logs back out again. They all go to a paper-shredder and destroy the copy of the password. The signed document authorising access to the envelopes is marked as "VOID" using a stamp. Job's done!
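As an added illustration that is not part of the original post, here is the custody procedure above modelled in Python: the password halves from the generation step, an envelope carrying a serialized tamper-evident label, a ledger kept by the other department, and the check Harry performs (the label on the envelope must match the ledger's live entry) before the envelope is resealed and re-recorded. The class and function names and the TamperDetected exception are mine; the envelope number, label serials and dates are the ones from the dialogue.

```python
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_letters + string.digits


class TamperDetected(Exception):
    """The label on the envelope does not match the ledger held by the other department."""


def generate_halves(n_devices: int, length: int = 20) -> list[tuple[str, str]]:
    """One random password per device, split into the two page-halves the post describes."""
    pws = ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(n_devices)]
    return [(p[: length // 2], p[length // 2 :]) for p in pws]


@dataclass
class Envelope:
    number: int
    label_serial: str          # serial printed on the tamper-evident label now on the envelope
    contents: tuple[str, ...]  # the password halves written on the paper inside


@dataclass
class Ledger:
    """Kept by the department that does NOT hold the envelopes (cross-custody)."""
    seals: dict[int, list[tuple[str, str]]] = field(default_factory=dict)  # env -> [(serial, date)]

    def record_seal(self, env_no: int, serial: str, date: str) -> None:
        self.seals.setdefault(env_no, []).append((serial, date))

    def current_seal(self, env_no: int) -> tuple[str, str]:
        return self.seals[env_no][-1]  # last entry is live; earlier ones are the crossed-out lines


def open_envelope(env: Envelope, ledger: Ledger, approvers: list[str],
                  date: str, new_serial: str) -> tuple[str, ...]:
    """Two-person rule, then Harry's ledger cross-check, then reseal and add the new ledger line."""
    if len(set(approvers)) < 2:
        raise PermissionError("override requires two different people to sign")
    serial, _ = ledger.current_seal(env.number)
    if serial != env.label_serial:
        # Someone opened and resealed the envelope without an entry in the other department's ledger.
        raise TamperDetected(f"envelope {env.number}: label {env.label_serial}, ledger says {serial}")
    contents = env.contents
    env.label_serial = new_serial                     # fresh label goes on...
    ledger.record_seal(env.number, new_serial, date)  # ...and the new entry goes in the ledger
    return contents
```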
To be really secure the system that the password grants access to should have a new password set. Several people have seen the current password after all. But this would require printing out a new pair of papers, getting rid of the old ones and so on. For a bank this might be worth the effort, and then there should probably be just one password (or password half) per envelope. For a tech company the simplification shown above is perhaps more appropriate.
I originally conceived of this system when I was thinking about how it could come to pass that a single systems administrator at the NSA could leak thousands of documents. No one person should have that kind of access to sensitive data.
If circumventing access control at the NSA had required a password split up between two safes, using tamper-evident serialized labels recorded in a ledger held by someone other than the custodian of the envelope, I think the leak would have been much less likely. Now, this system is slow and cumbersome. It would never fly for anything approaching standard password management. But for “the keys to the kingdom” at a service provider or a government agency? It might be worth the hassle.
The inspiration is the American two-man rule for handling nuclear weapons, which states that such a weapon can’t be left with any one person. Locking it away in a vault? That’s okey. Having two people wheel one out to a waiting bomber? That’s okey. Letting Bob watch the nuke while Jim goes in to fetch his mittens? No, it’s the two-man rule. I would be remiss not to recommend the Always/Never series about the development of various technologies developed to make handling nuclear weapons more secure.
The tamper-evident label-thing is inspired by how codes on nuclear submarines are stored and handled. Or how they are allegedly stored and handled; it’s not like the US Navy is doing show-and-tell of exactly how a nuclear weapons launch would work. One thing that I’m thinking about is whether envelopes can be resealed if you cut them open at the sides. I watched a video about research done by a US lab working with nuclear materials on tamper-evident packaging, and I don’t think they’d be impressed with “this envelope doesn’t look like it was cut open and then resealed using wet paper, heat and some pressure”. See for instance this document published by the IAEA about various storage devices tested by Sandia: https://inis.iaea.org/collection/NCLCollectionStore/_Public/27/020/27020417.pdf
Sandia was also heavily involved in nuclear weapons security improvements as shown in the documentary series mentioned earlier. It’s a subject of some importance as can be seen in this short video which also covers civilian use of nuclear fuel and how to avoid diversion of nuclear materials.
Anyway, metal foil seems like a reasonable alternative to paper envelopes. It appears quite difficult to reseal without it being evident. By the way, tamper-evident is preferred over tamper-resistant because the latter isn’t feasible. It’s better to say “yes, with enough time any barrier can be overcome, but we’ve made sure that it’s obvious that someone has opened the item”.