Tamper detection docs changes #490
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #490 +/- ##
=======================================
Coverage 94.91% 94.91%
=======================================
Files 74 74
Lines 7952 7952
=======================================
Hits 7548 7548
Misses 404 404 ☔ View full report in Codecov by Sentry. |
|
|
||
| ## Conclusion | ||
|
|
||
| The *TC Flash Hash* tool significantly enhances security by making it infeasible for attackers to tamper with the firmware without detection. By combining *TC Code* hashing, filling empty memory with random entropy, and verifying flash integrity through unique images and words, Krux significantly enhances the detection of any tamper attempts. | ||
| The *TC Flash Hash* tool significantly enhances security by making it impossible for attackers to tamper with firmware without being detected. By combining *TC Code* hashing, filling empty memory with random entropy, and verification of the the unique image and set of words, Krux allows the detection of any tamper attempts. |
There was a problem hiding this comment.
Not sure that "impossible" is an improvement over "infeasible".
There was a problem hiding this comment.
Hi Jean, thx for reading the changes 😄. Infeasible is the opposite of feasible, if it is not feasible, following all the procedures listed on the tamper detection feature, I think it is more assertive and easy to understand to call it impossible. Like it is impossible to stole the funds from any BTC address.
There was a problem hiding this comment.
Yes, better stick with more moderated terms
|
read and approved... even though I think that "infeasible" is less of a claim than "impossible". |
|
|
||
| <div style="text-align: center;"> | ||
| <img src="../../../img/flash_hash.bmp" alt="TC Flash Hash" width="200"/> | ||
| </div> | ||
|
|
||
| *Example: The blue symbol and words 'tail monkey' represent the firmware region, while 'wrestle over' reflects the user region.* | ||
| *Example: The blue symbol and words 'tail monkey' represents the firmware region, while 'wrestle over' user's region.* |
There was a problem hiding this comment.
"represent" refers to "words", or "words plus image", so "they represent", no trailing "s"
|
|
||
| Krux performs a memory sweep while simultaneously capturing a live feed from the camera. Whenever an empty block is found in the flash memory, Krux estimates the image's entropy by evaluating its color variance. Krux waits until minimum threshold is met, then uses the data from the image to fill these empty spaces with rich, random entropy. | ||
| Use this to enhance tamper detection. Krux performs a memory sweep while capturing a live feed from the camera. Whenever an empty block is found in the flash memory, it uses the data from the image to fill these empty spaces with rich, random entropy. It estimates the image's entropy by evaluating its color variance waiting until a minimum threshold is met. |
There was a problem hiding this comment.
IMO original version text flow better reflects sequence of events. But second is OK
There was a problem hiding this comment.
I think we are used to speaking programmatically, I believe that hiding this information to reveal it later makes it easier for the average user to understand. Even if this is not the correct order of events, we are detailing what was done right after.
| `hash(TC Code,UID,Flash content)` -> Image + Words | ||
|
|
||
| Hash properties ensure that without knowing the *TC Code*, UID, and flash content, an attacker cannot reproduce the TC Flash Hash results. | ||
| The *TC Flash Hash* function securely hashes the combination of the *TC Code*, device's UID, and flash memory contents. The hash properties ensure that without knowing these three elements, an attacker will not be able to reproduce the *TC Flash Hash* results. |
There was a problem hiding this comment.
I've been thinking more from the user's point of view, many are scared of codes and don't even use the command line, so as we've already repeated the information several times I thought removing the function would be better.
| If a wrong *TC Code* is typed at boot, the device will turn off. As storing code typing attempts count on flash would change its contents, there will be no consequences if wrong *TC Code* is typed multiple times. | ||
|
|
||
| As *TC Code* verification data is stored in the user's region of memory, *TC Flash Hash* and *TC Code* requirement is disabled if the user wipes the device. Flashing an older firmware version will also disable the feature. | ||
| By navigating to `Settings -> Security -> TC Flash Hash at Boot`, users can set Krux to always require *TC Flash Hash* verification after device is turned on. If a wrong *TC Code* is typed at boot, the device will turn off. Nothing else will happen if the wrong *TC Code* is entered multiple times. As *TC Code* verification data is stored in the user's region of memory, the requirement to type at boot is disabled if the user [erases user's data](../features/tools.md/#erase-users-data) or [wipe device](../installing/from-gui/usage.md/#wipe-device). Flashing an older firmware version will also disable this feature. |
There was a problem hiding this comment.
For the last statement, maybe: "Flashing an older firmware version, prior to TC Flash Hash support, will also disable this feature."
There was a problem hiding this comment.
It's the same topic or idea. If I change the paragraph, it would indicate a change of emphasis or tone within a topic or it would also give the users a break in their thinking. I believe that with just one paragraph we improve the understanding of the topic.
|
|
||
| - **One-Way Hash Functions:** Cryptographic hash functions like SHA-256 are one-way, making it infeasible to reverse-engineer or manipulate the hash without the original inputs. | ||
|
|
||
| ### Why Tampered Firmware Cannot Bypass Verification | ||
|
|
||
| - **Cannot Reconstruct the Hash:** Without the original flash data, the attacker cannot generate the correct hash, even if they know the UID and *TC Code* after the user enters it. | ||
| - **Cannot Reconstruct the Hash:** Without the original flash data, the attacker cannot generate the correct hash, even if it knows the device's UID and the *TC Code* (after the user enters it). |
There was a problem hiding this comment.
typo, referring to attacker as "it". Maybe "the attacker" could be replace by "attackers"
There was a problem hiding this comment.
or "it knows" could become "they know"
|
|
||
| - **Hash Sensitivity:** Any alteration in the flash content changes the hash output, which will be evident through a different image or tamper detection words. | ||
| - **Hash Sensitivity:** Any alteration in the flash content changes the hash output, which will be evident through a different image or the set of two words. |
There was a problem hiding this comment.
here it's referring to the whole flash, why mention "the set", what set?
There was a problem hiding this comment.
When I read it quickly, I thought that the change in the image represented only the firmware memory space. Sorry, I'll change that.
|
Hey guys, I think I made the changes according to the conversations, the ones that were changed are marked as "outdated". To see the changes easily, take a look at the latest commit. |
What is this PR for?
What is the purpose of this pull request?