introduction.rst (3816B)
1 .. 2 This file is part of Anastasis 3 Copyright (C) 2019-2021 Anastasis SARL 4 5 Anastasis is free software; you can redistribute it and/or modify it under the 6 terms of the GNU Affero General Public License as published by the Free Software 7 Foundation; either version 2.1, or (at your option) any later version. 8 9 Anastasis is distributed in the hope that it will be useful, but WITHOUT ANY 10 WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 11 A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details. 12 13 You should have received a copy of the GNU Affero General Public License along with 14 Anastasis; see the file COPYING. If not, see <http://www.gnu.org/licenses/> 15 16 @author Christian Grothoff 17 @author Dominik Meister 18 @author Dennis Neufeld 19 20 ============ 21 Introduction 22 ============ 23 24 To understand how Anastasis works, you need to understand three key 25 concepts: user identifiers, our adversary model and the role of the 26 recovery document. 27 28 29 User Identifiers 30 ---------------- 31 32 To uniquely identify users, an "unforgettable" **identifier** is used. This 33 identifier should be difficult to guess for anybody but the user. However, the 34 **identifier** is not expected to have sufficient entropy or secrecy to be 35 cryptographically secure. Examples for such identifier would be a 36 concatenation of the full name of the user and their social security or 37 passport number(s). For Swiss citizens, the AHV number could also be used. 38 39 40 Adversary models 41 ---------------- 42 43 The adversary model of Anastasis has two types of adversaries: weak 44 adversaries which do not know the user's **identifier**, and strong 45 adversaries which somehow do know a user's **identifier**. For weak 46 adversaries the system guarantees full confidentiality. For strong 47 adversaries, breaking confidentiality additionally requires that Anastasis 48 escrow providers must have colluded. The user is able to specify a set of 49 **policies** which determine which Anastasis escrow providers would need to 50 collude to break confidentiality. These policies also set the bar for the user 51 to recover their core secret. 52 53 54 The recovery document 55 --------------------- 56 57 A **recovery document** includes all of the information a user needs 58 to recover access to their core secret. It specifies a set of 59 **escrow methods**, which specify how the user should convince the 60 Anastasis server that they are "real". Escrow methods can for example 61 include SMS-based verification, video identification or a security 62 question. For each escrow method, the Anastasis server is provided 63 with **truth**, that is data the Anastasis operator may learn during 64 the recovery process. Truth always consists of an encrypted key share 65 and associated data to authenticate the user. Examples for truth 66 would be a phone number (for SMS), a picture of the user (for video 67 identification), or the (hash of) a security answer. A strong 68 adversary is assumed to be able to learn the truth, while weak 69 adversaries must not. In addition to a set of escrow methods and 70 associated Anastasis server operators, the **recovery document** also 71 specifies **policies**, which describe the combination(s) of the 72 escrow methods that suffice to obtain access to the core secret. For 73 example, a **policy** could say that the escrow methods (A and B) 74 suffice, and a second policy may permit (A and C). A different user 75 may choose to use the policy that (A and B and C) are all required. 76 Anastasis imposes no limit on the number of policies in a **recovery 77 document**, or the set of providers or escrow methods involved in 78 guarding a user's secret. Weak adversaries must not be able to deduce 79 information about a user's **recovery document** (except for its 80 length, which may be exposed to an adversary which monitors the user's 81 network traffic).