aboutsummaryrefslogtreecommitdiff
path: root/doc/anastasis.texi
diff options
context:
space:
mode:
Diffstat (limited to 'doc/anastasis.texi')
-rw-r--r--doc/anastasis.texi65
1 files changed, 34 insertions, 31 deletions
diff --git a/doc/anastasis.texi b/doc/anastasis.texi
index a5d8b11..c103f7a 100644
--- a/doc/anastasis.texi
+++ b/doc/anastasis.texi
@@ -424,27 +424,31 @@ to recover their core secret.
424@subsection The recovery document 424@subsection The recovery document
425 425
426 426
427A @strong{recovery document} includes all of the information a user needs to 427A @strong{recovery document} includes all of the information a user
428recover access to their core secret. It specifies a set of @strong{escrow 428needs to recover access to their core secret. It specifies a set of
429methods}, which specify how the user should convince the Anastasis server 429@strong{escrow methods}, which specify how the user should convince
430that they are “real”. Escrow methods can for example include SMS-based 430the Anastasis server that they are “real”. Escrow methods can for
431verification, video identification or a security question. For each escrow 431example include SMS-based verification, video identification or a
432method, the Anastasis server is provided with @strong{truth}, that is data the 432security question. For each escrow method, the Anastasis server is
433Anastasis operator may learn during the recovery process to authenticate the 433provided with @strong{truth}, that is data the Anastasis operator may
434user. Examples for truth would be a phone number (for SMS), a picture of the 434learn during the recovery process. Truth always consists of an
435user (for video identification), or the (hash of) a security answer. A strong 435encrypted key share and associated data to authenticate the user.
436adversary is assumed to be able to learn the truth, while weak adversaries 436Examples for truth would be a phone number (for SMS), a picture of the
437must not. In addition to a set of escrow methods and associated Anastasis 437user (for video identification), or the (hash of) a security answer.
438server operators, the @strong{recovery document} also specifies @strong{policies}, which 438A strong adversary is assumed to be able to learn the truth, while
439describe the combination(s) of the escrow methods that suffice to obtain 439weak adversaries must not. In addition to a set of escrow methods and
440access to the core secret. For example, a @strong{policy} could say that the 440associated Anastasis server operators, the @strong{recovery document}
441escrow methods (A and B) suffice, and a second policy may permit (A and C). A 441also specifies @strong{policies}, which describe the combination(s) of
442different user may choose to use the policy that (A and B and C) are all 442the escrow methods that suffice to obtain access to the core secret.
443For example, a @strong{policy} could say that the escrow methods (A
444and B) suffice, and a second policy may permit (A and C). A different
445user may choose to use the policy that (A and B and C) are all
443required. Anastasis imposes no limit on the number of policies in a 446required. Anastasis imposes no limit on the number of policies in a
444@strong{recovery document}, or the set of providers or escrow methods involved in 447@strong{recovery document}, or the set of providers or escrow methods
445guarding a user’s secret. Weak adversaries must not be able to deduce 448involved in guarding a user’s secret. Weak adversaries must not be
446information about a user’s @strong{recovery document} (except for its length, which 449able to deduce information about a user’s @strong{recovery document}
447may be exposed to an adversary which monitors the user’s network traffic). 450(except for its length, which may be exposed to an adversary which
451monitors the user’s network traffic).
448 452
449@c This file is part of Anastasis 453@c This file is part of Anastasis
450@c Copyright (C) 2019-2021 Anastasis SARL 454@c Copyright (C) 2019-2021 Anastasis SARL
@@ -2269,9 +2273,15 @@ interface DecryptionPolicy @{
2269@anchor{rest managing-truth}@anchor{51}@anchor{rest truth}@anchor{52} 2273@anchor{rest managing-truth}@anchor{51}@anchor{rest truth}@anchor{52}
2270@subsubsection Managing truth 2274@subsubsection Managing truth
2271 2275
2276Truth always consists of an encrypted key share and encrypted
2277authentication data. The key share and the authentication data
2278are encrypted using different keys. Additionally, truth includes
2279the name of the authentication method, the mime-type of the
2280authentication data, and an expiration time in
2281cleartext.
2272 2282
2273This API is used by the Anastasis client to deposit @strong{truth} or request a (encrypted) @strong{key share} with 2283This API is used by the Anastasis client to deposit @strong{truth} or
2274the escrow provider. 2284request a (encrypted) @strong{key share} with the escrow provider.
2275 2285
2276An @strong{escrow method} specifies an Anastasis provider and how the user should 2286An @strong{escrow method} specifies an Anastasis provider and how the user should
2277authorize themself. The @strong{truth} API allows the user to provide the 2287authorize themself. The @strong{truth} API allows the user to provide the
@@ -2343,13 +2353,6 @@ interface TruthUploadRequest @{
2343 // Key share method, i.e. "security question", "SMS", "e-mail", ... 2353 // Key share method, i.e. "security question", "SMS", "e-mail", ...
2344 type: string; 2354 type: string;
2345 2355
2346 // Nonce used to compute the (iv,key) pair for encryption of the
2347 // encrypted_truth.
2348 nonce: [32]; //bytearray
2349
2350 // Authentication tag of `@w{`}encrypted_truth`@w{`}.
2351 aes_gcm_tag: [16]; //bytearray
2352
2353 // Variable-size truth. After decryption, 2356 // Variable-size truth. After decryption,
2354 // this contains the ground truth, i.e. H(challenge answer), 2357 // this contains the ground truth, i.e. H(challenge answer),
2355 // phone number, e-mail address, picture, fingerprint, ... 2358 // phone number, e-mail address, picture, fingerprint, ...
@@ -2357,10 +2360,10 @@ interface TruthUploadRequest @{
2357 // 2360 //
2358 // The nonce of the HKDF for this encryption must include the 2361 // The nonce of the HKDF for this encryption must include the
2359 // string "ECT". 2362 // string "ECT".
2360 encrypted_truth: [80]; //bytearray 2363 encrypted_truth: []; //bytearray
2361 2364
2362 // MIME type of truth, i.e. text/ascii, image/jpeg, etc. 2365 // MIME type of truth, i.e. text/ascii, image/jpeg, etc.
2363 truth_mime: string; 2366 truth_mime?: string;
2364 2367
2365 // For how many years from now would the client like us to 2368 // For how many years from now would the client like us to
2366 // store the truth? 2369 // store the truth?