..
  This file is part of Anastasis
  Copyright (C) 2019-2021 Anastasis SARL

  Anastasis is free software; you can redistribute it and/or modify it under the
  terms of the GNU Affero General Public License as published by the Free Software
  Foundation; either version 2.1, or (at your option) any later version.

  Anastasis is distributed in the hope that it will be useful, but WITHOUT ANY
  WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
  A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more details.

  You should have received a copy of the GNU Affero General Public License along with
  Anastasis; see the file COPYING.  If not, see <http://www.gnu.org/licenses/>

  @author Christian Grothoff
  @author Dominik Meister
  @author Dennis Neufeld

============
Introduction
============

To understand how Anastasis works, you need to understand three key
concepts: user identifiers, our adversary model and the role of the
recovery document.


User Identifiers
----------------

To uniquely identify users, an "unforgettable" **identifier** is used.  This
identifier should be difficult to guess for anybody but the user. However, the
**identifier** is not expected to have sufficient entropy or secrecy to be
cryptographically secure. Examples of such an identifier would be a
concatenation of the full name of the user and their social security or
passport number(s).  For Swiss citizens, the AHV number could also be used.


Adversary models
----------------

The adversary model of Anastasis has two types of adversaries: weak
adversaries which do not know the user's **identifier**, and strong
adversaries which somehow do know a user's **identifier**.  For weak
adversaries the system guarantees full confidentiality.  For strong
adversaries, breaking confidentiality additionally requires that Anastasis
escrow providers collude.  The user is able to specify a set of
**policies** which determine which Anastasis escrow providers would need to
collude to break confidentiality. These policies also set the bar for the user
to recover their core secret.


The recovery document
---------------------

A **recovery document** includes all of the information a user needs
to recover access to their core secret.  It specifies a set of
**escrow methods**, which specify how the user should convince the
Anastasis server that they are "real".  Escrow methods can for example
include SMS-based verification, video identification or a security
question.  For each escrow method, the Anastasis server is provided
with **truth**, that is, data the Anastasis operator may learn during
the recovery process.  Truth always consists of an encrypted key share
and associated data to authenticate the user.  Examples of truth
would be a phone number (for SMS), a picture of the user (for video
identification), or (the hash of) a security answer.  A strong
adversary is assumed to be able to learn the truth, while weak
adversaries must not.  In addition to a set of escrow methods and
associated Anastasis server operators, the **recovery document** also
specifies **policies**, which describe the combination(s) of the
escrow methods that suffice to obtain access to the core secret.  For
example, a **policy** could say that the escrow methods (A and B)
suffice, and a second policy may permit (A and C).  A different user
may choose to use the policy that (A and B and C) are all required.
Anastasis imposes no limit on the number of policies in a **recovery
document**, or the set of providers or escrow methods involved in
guarding a user's secret.  Weak adversaries must not be able to deduce
information about a user's **recovery document** (except for its
length, which may be exposed to an adversary which monitors the user's
network traffic).
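
The policy logic described above can be modelled in a few lines. This is an added example, not Anastasis code: it contains no cryptography, the provider names and the method-to-provider mapping are constructed, and every function name is hypothetical.

```python
# Constructed sample: which provider holds the truth for each escrow method.
METHOD_PROVIDER = {
    "A": "provider-1",  # e.g. SMS
    "B": "provider-2",  # e.g. security question
    "C": "provider-3",  # e.g. video identification
}

# The two policies from the text: (A and B) suffices, and so does (A and C).
POLICIES = [frozenset("AB"), frozenset("AC")]


def can_recover(solved_methods, policies=POLICIES):
    """The user recovers the core secret once every method of one policy is solved."""
    solved = set(solved_methods)
    return any(policy <= solved for policy in policies)


def providers_for(policy, method_provider=METHOD_PROVIDER):
    """Providers that together hold all key shares of one policy."""
    return frozenset(method_provider[m] for m in policy)


def minimal_collusions(policies=POLICIES, method_provider=METHOD_PROVIDER):
    """Smallest provider sets whose collusion covers at least one policy."""
    sets = {providers_for(p, method_provider) for p in policies}
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=sorted)


def confidentiality_broken(knows_identifier, colluding,
                           policies=POLICIES, method_provider=METHOD_PROVIDER):
    """Adversary model: a weak adversary (no identifier) never succeeds;
    a strong one also needs the providers of a complete policy to collude."""
    if not knows_identifier:
        return False
    colluding = set(colluding)
    return any(providers_for(p, method_provider) <= colluding for p in policies)


# Constructed variant: methods A and B placed at the same provider.
SHARED = {"A": "provider-1", "B": "provider-1", "C": "provider-3"}

if __name__ == "__main__":
    print(minimal_collusions())                        # two-provider collusions
    print(minimal_collusions(method_provider=SHARED))  # a single provider suffices
```

The ``SHARED`` mapping shows why the choice of providers matters as much as the choice of methods: when both methods of a policy sit at one provider, that provider alone forms a sufficient collusion against a user whose identifier is known.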