1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
..
This file is part of Anastasis
Copyright (C) 2019-2021 Anastasis SARL
Anastasis is free software; you can redistribute it and/or modify it under the
terms of the GNU Affero General Public License as published by the Free Software
Foundation; either version 2.1, or (at your option) any later version.
Anastasis is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License along with
Anastasis; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
@author Christian Grothoff
@author Dominik Meister
@author Dennis Neufeld
============
Introduction
============
To understand how Anastasis works, you need to understand three key
concepts: user identifiers, our adversary model and the role of the
recovery document.
User Identifiers
----------------
To uniquely identify users, an "unforgettable" **identifier** is used. This
identifier should be difficult to guess for anybody but the user. However, the
**identifier** is not expected to have sufficient entropy or secrecy to be
cryptographically secure. Examples for such identifier would be a
concatenation of the full name of the user and their social security or
passport number(s). For Swiss citizens, the AHV number could also be used.
Adversary models
----------------
The adversary model of Anastasis has two types of adversaries: weak
adversaries which do not know the user's **identifier**, and strong
adversaries which somehow do know a user's **identifier**. For weak
adversaries the system guarantees full confidentiality. For strong
adversaries, breaking confidentiality additionally requires that Anastasis
escrow providers must have colluded. The user is able to specify a set of
**policies** which determine which Anastasis escrow providers would need to
collude to break confidentiality. These policies also set the bar for the user
to recover their core secret.
The recovery document
---------------------
A **recovery document** includes all of the information a user needs to
recover access to their core secret. It specifies a set of **escrow
methods**, which specify how the user should convince the Anastasis server
that they are "real". Escrow methods can for example include SMS-based
verification, video identification or a security question. For each escrow
method, the Anastasis server is provided with **truth**, that is data the
Anastasis operator may learn during the recovery process to authenticate the
user. Examples for truth would be a phone number (for SMS), a picture of the
user (for video identification), or the (hash of) a security answer. A strong
adversary is assumed to be able to learn the truth, while weak adversaries
must not. In addition to a set of escrow methods and associated Anastasis
server operators, the **recovery document** also specifies **policies**, which
describe the combination(s) of the escrow methods that suffice to obtain
access to the core secret. For example, a **policy** could say that the
escrow methods (A and B) suffice, and a second policy may permit (A and C). A
different user may choose to use the policy that (A and B and C) are all
required. Anastasis imposes no limit on the number of policies in a
**recovery document**, or the set of providers or escrow methods involved in
guarding a user's secret. Weak adversaries must not be able to deduce
information about a user's **recovery document** (except for its length, which
may be exposed to an adversary which monitors the user's network traffic).
|