diff options
Diffstat (limited to 'doc/anastasis.texi')
-rw-r--r-- | doc/anastasis.texi | 65 |
1 files changed, 34 insertions, 31 deletions
diff --git a/doc/anastasis.texi b/doc/anastasis.texi index a5d8b11..c103f7a 100644 --- a/doc/anastasis.texi +++ b/doc/anastasis.texi | |||
@@ -424,27 +424,31 @@ to recover their core secret. | |||
424 | @subsection The recovery document | 424 | @subsection The recovery document |
425 | 425 | ||
426 | 426 | ||
427 | A @strong{recovery document} includes all of the information a user needs to | 427 | A @strong{recovery document} includes all of the information a user |
428 | recover access to their core secret. It specifies a set of @strong{escrow | 428 | needs to recover access to their core secret. It specifies a set of |
429 | methods}, which specify how the user should convince the Anastasis server | 429 | @strong{escrow methods}, which specify how the user should convince |
430 | that they are “real”. Escrow methods can for example include SMS-based | 430 | the Anastasis server that they are “real”. Escrow methods can for |
431 | verification, video identification or a security question. For each escrow | 431 | example include SMS-based verification, video identification or a |
432 | method, the Anastasis server is provided with @strong{truth}, that is data the | 432 | security question. For each escrow method, the Anastasis server is |
433 | Anastasis operator may learn during the recovery process to authenticate the | 433 | provided with @strong{truth}, that is data the Anastasis operator may |
434 | user. Examples for truth would be a phone number (for SMS), a picture of the | 434 | learn during the recovery process. Truth always consists of an |
435 | user (for video identification), or the (hash of) a security answer. A strong | 435 | encrypted key share and associated data to authenticate the user. |
436 | adversary is assumed to be able to learn the truth, while weak adversaries | 436 | Examples for truth would be a phone number (for SMS), a picture of the |
437 | must not. In addition to a set of escrow methods and associated Anastasis | 437 | user (for video identification), or the (hash of) a security answer. |
438 | server operators, the @strong{recovery document} also specifies @strong{policies}, which | 438 | A strong adversary is assumed to be able to learn the truth, while |
439 | describe the combination(s) of the escrow methods that suffice to obtain | 439 | weak adversaries must not. In addition to a set of escrow methods and |
440 | access to the core secret. For example, a @strong{policy} could say that the | 440 | associated Anastasis server operators, the @strong{recovery document} |
441 | escrow methods (A and B) suffice, and a second policy may permit (A and C). A | 441 | also specifies @strong{policies}, which describe the combination(s) of |
442 | different user may choose to use the policy that (A and B and C) are all | 442 | the escrow methods that suffice to obtain access to the core secret. |
443 | For example, a @strong{policy} could say that the escrow methods (A | ||
444 | and B) suffice, and a second policy may permit (A and C). A different | ||
445 | user may choose to use the policy that (A and B and C) are all | ||
443 | required. Anastasis imposes no limit on the number of policies in a | 446 | required. Anastasis imposes no limit on the number of policies in a |
444 | @strong{recovery document}, or the set of providers or escrow methods involved in | 447 | @strong{recovery document}, or the set of providers or escrow methods |
445 | guarding a user’s secret. Weak adversaries must not be able to deduce | 448 | involved in guarding a user’s secret. Weak adversaries must not be |
446 | information about a user’s @strong{recovery document} (except for its length, which | 449 | able to deduce information about a user’s @strong{recovery document} |
447 | may be exposed to an adversary which monitors the user’s network traffic). | 450 | (except for its length, which may be exposed to an adversary which |
451 | monitors the user’s network traffic). | ||
448 | 452 | ||
449 | @c This file is part of Anastasis | 453 | @c This file is part of Anastasis |
450 | @c Copyright (C) 2019-2021 Anastasis SARL | 454 | @c Copyright (C) 2019-2021 Anastasis SARL |
@@ -2269,9 +2273,15 @@ interface DecryptionPolicy @{ | |||
2269 | @anchor{rest managing-truth}@anchor{51}@anchor{rest truth}@anchor{52} | 2273 | @anchor{rest managing-truth}@anchor{51}@anchor{rest truth}@anchor{52} |
2270 | @subsubsection Managing truth | 2274 | @subsubsection Managing truth |
2271 | 2275 | ||
2276 | Truth always consists of an encrypted key share and encrypted | ||
2277 | authentication data. The key share and the authentication data | ||
2278 | are encrypted using different keys. Additionally, truth includes | ||
2279 | the name of the authentication method, the mime-type of the | ||
2280 | authentication data, and an expiration time in | ||
2281 | cleartext. | ||
2272 | 2282 | ||
2273 | This API is used by the Anastasis client to deposit @strong{truth} or request a (encrypted) @strong{key share} with | 2283 | This API is used by the Anastasis client to deposit @strong{truth} or |
2274 | the escrow provider. | 2284 | request a (encrypted) @strong{key share} with the escrow provider. |
2275 | 2285 | ||
2276 | An @strong{escrow method} specifies an Anastasis provider and how the user should | 2286 | An @strong{escrow method} specifies an Anastasis provider and how the user should |
2277 | authorize themself. The @strong{truth} API allows the user to provide the | 2287 | authorize themself. The @strong{truth} API allows the user to provide the |
@@ -2343,13 +2353,6 @@ interface TruthUploadRequest @{ | |||
2343 | // Key share method, i.e. "security question", "SMS", "e-mail", ... | 2353 | // Key share method, i.e. "security question", "SMS", "e-mail", ... |
2344 | type: string; | 2354 | type: string; |
2345 | 2355 | ||
2346 | // Nonce used to compute the (iv,key) pair for encryption of the | ||
2347 | // encrypted_truth. | ||
2348 | nonce: [32]; //bytearray | ||
2349 | |||
2350 | // Authentication tag of `@w{`}encrypted_truth`@w{`}. | ||
2351 | aes_gcm_tag: [16]; //bytearray | ||
2352 | |||
2353 | // Variable-size truth. After decryption, | 2356 | // Variable-size truth. After decryption, |
2354 | // this contains the ground truth, i.e. H(challenge answer), | 2357 | // this contains the ground truth, i.e. H(challenge answer), |
2355 | // phone number, e-mail address, picture, fingerprint, ... | 2358 | // phone number, e-mail address, picture, fingerprint, ... |
@@ -2357,10 +2360,10 @@ interface TruthUploadRequest @{ | |||
2357 | // | 2360 | // |
2358 | // The nonce of the HKDF for this encryption must include the | 2361 | // The nonce of the HKDF for this encryption must include the |
2359 | // string "ECT". | 2362 | // string "ECT". |
2360 | encrypted_truth: [80]; //bytearray | 2363 | encrypted_truth: []; //bytearray |
2361 | 2364 | ||
2362 | // MIME type of truth, i.e. text/ascii, image/jpeg, etc. | 2365 | // MIME type of truth, i.e. text/ascii, image/jpeg, etc. |
2363 | truth_mime: string; | 2366 | truth_mime?: string; |
2364 | 2367 | ||
2365 | // For how many years from now would the client like us to | 2368 | // For how many years from now would the client like us to |
2366 | // store the truth? | 2369 | // store the truth? |