..
  This file is part of Anastasis
  Copyright (C) 2019-2021 Anastasis SARL

  Anastasis is free software; you can redistribute it and/or modify it under the
  terms of the GNU Affero General Public License as published by the Free Software
  Foundation; either version 2.1, or (at your option) any later version.

  Anastasis is distributed in the hope that it will be useful, but WITHOUT ANY
  WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
  A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more details.

  You should have received a copy of the GNU Affero General Public License along with
  Anastasis; see the file COPYING.  If not, see <http://www.gnu.org/licenses/>

  @author Christian Grothoff
  @author Dominik Meister
  @author Dennis Neufeld

============
Introduction
============

To understand how Anastasis works, you need to understand three key
concepts: user identifiers, our adversary model and the role of the
recovery document.


User Identifiers
----------------

To uniquely identify users, an "unforgettable" **identifier** is used.  This
identifier should be difficult to guess for anybody but the user. However, the
**identifier** is not expected to have sufficient entropy or secrecy to be
cryptographically secure. Examples of such an identifier would be a
concatenation of the full name of the user and their social security or
passport number(s).  For Swiss citizens, the AHV number could also be used.


Adversary models
----------------

The adversary model of Anastasis has two types of adversaries: weak
adversaries which do not know the user's **identifier**, and strong
adversaries which somehow do know a user's **identifier**.  For weak
adversaries the system guarantees full confidentiality.  For strong
adversaries, breaking confidentiality additionally requires that Anastasis
escrow providers have colluded.  The user is able to specify a set of
**policies** which determine which Anastasis escrow providers would need to
collude to break confidentiality. These policies also set the bar for the user
to recover their core secret.


The recovery document
---------------------

A **recovery document** includes all of the information a user needs to
recover access to their core secret.  It specifies a set of **escrow
methods**, which specify how the user should convince the Anastasis server
that they are "real".  Escrow methods can for example include SMS-based
verification, video identification or a security question.  For each escrow
method, the Anastasis server is provided with **truth**, that is data the
Anastasis operator may learn during the recovery process to authenticate the
user.  Examples of truth would be a phone number (for SMS), a picture of the
user (for video identification), or (the hash of) a security answer.  A strong
adversary is assumed to be able to learn the truth, while weak adversaries
must not.  In addition to a set of escrow methods and associated Anastasis
server operators, the **recovery document** also specifies **policies**, which
describe the combination(s) of the escrow methods that suffice to obtain
access to the core secret.  For example, a **policy** could say that the
escrow methods (A and B) suffice, and a second policy may permit (A and C).  A
different user may choose to use the policy that (A and B and C) are all
required.  Anastasis imposes no limit on the number of policies in a
**recovery document**, or the set of providers or escrow methods involved in
guarding a user's secret.  Weak adversaries must not be able to deduce
information about a user's **recovery document** (except for its length, which
may be exposed to an adversary which monitors the user's network traffic).
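
The following sketch is an added illustration, not Anastasis code and not the recovery document format. It models the example policies (A and B) and (A and C) as sets, and checks both which escrow methods let the user recover and which providers a strong adversary would need to see collude. The provider names and the method-to-provider mapping are assumptions made up for the example.

```python
from itertools import combinations

# Constructed sample data: escrow method -> provider operating it (hypothetical names).
METHOD_PROVIDER = {"A": "provider-1", "B": "provider-2", "C": "provider-3"}
# The two example policies from the text: (A and B) or (A and C).
POLICIES = [frozenset({"A", "B"}), frozenset({"A", "C"})]


def can_recover(satisfied_methods, policies=POLICIES):
    """True if the satisfied escrow methods fulfil at least one policy."""
    satisfied = set(satisfied_methods)
    return any(policy <= satisfied for policy in policies)


def collusion_breaks(colluding, policies=POLICIES, method_provider=METHOD_PROVIDER):
    """True if the colluding providers together operate every method of some policy.

    Models the strong adversary, who already knows the user's identifier.
    """
    colluding = set(colluding)
    return any({method_provider[m] for m in policy} <= colluding for policy in policies)


def minimal_colluding_sets(policies=POLICIES, method_provider=METHOD_PROVIDER):
    """Smallest provider sets whose collusion breaks confidentiality."""
    providers = sorted(set(method_provider.values()))
    found = []
    for size in range(1, len(providers) + 1):
        for combo in combinations(providers, size):
            s = frozenset(combo)
            # Skip supersets of an already-found smaller set.
            if any(f <= s for f in found):
                continue
            if collusion_breaks(s, policies, method_provider):
                found.append(s)
    return found


if __name__ == "__main__":
    print(can_recover({"A", "C"}))   # user passed methods A and C
    print(can_recover({"B", "C"}))   # no policy is covered by B and C alone
    for s in minimal_colluding_sets():
        print(sorted(s))
```
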