009-backup.rst (7290B)
1 DD 09: Wallet Backup 2 #################### 3 4 Summary 5 ======= 6 7 This document describes the backup system used by Taler wallets. 8 This is the second, simplified iteration of the proposal, which leaves 9 out multi-device synchronization. 10 11 12 Requirements 13 ============ 14 15 * Backup must work both with and without Anastasis. 16 17 * When not using Anastasis, the user is responsible for keeping 18 their wallet's **root secret** safe. 19 20 * Arbitrary number of backup providers must be supported. 21 * Minimize information leaks / timing side channels. 22 23 * User might be able to change some setting to allow more frequent 24 backup with less potential data loss but more leakage. 25 26 * Minimize potential to lose money or important information. 27 * Since real-time sync is not supported yet, wallets should have a feature 28 where their whole content is "emptied" to another wallet, and the wallet is 29 reset. 30 31 .. Note:: 32 CG: This boils down to the existing 'reset' button (developer mode). 33 Very dangerous. Could be OK if we had some way to notice the number of wallets 34 using the same backup and then allow this 'reset' as longa as # wallets > 1. 35 Still, doing so will require a handshake with the other wallets to ensure 36 that the user doesn't accidentally reset on both wallets at the same time, 37 each believing the other wallet is still sync'ed. So we would need like 38 a 2-phase commit "planning to remove", "acknowledged" (by other wallet), "remove". 39 Very bad UX without real-time sync. 40 41 * Even without real-time sync, the backup data must support merging with old, existing wallet 42 state, as the device that the wallet runs on may be restored from backup or be offline 43 for a long time. 44 45 46 Solution Overview 47 ================= 48 49 Each wallet has a 64 (CG: 32 should be enough, AND better for URLs/QR codes/printing/writing down) 50 byte wallet **root secret**, which is used to derive all other secrets 51 used during backup, which are currently: 52 53 1. The private **account key** for a sync provider, derived using the sync provider's base URL as salt. 54 The base URL must be normalized to end with a "/". The schema ("http://" or "https://") is part of the 55 base URL, thus different account keys would be used for "http://" vs. "https://" (reduces linkability). 56 2. The **symmetric key** used to encrypt/decrypt the backup blob. FIXME: document exact KDF salt here 57 once implemented. 58 59 If the user chooses to use Anastasis, the following information is backed up in Anastasis 60 (as the **core secret** in Anastasis terminology): 61 62 * Taler Wallet core secret tag (new GANA registry) and format version 63 * List of used backup providers (sync) 64 * Wallet root secret 65 * **Tor constraint** (boolean) advising wallets that the backup should only be accessed via 66 Tor and that users must be warned before attempting to restore the backup without Tor. 67 68 69 Supported Operations 70 -------------------- 71 72 * **restore-from-anastasis**: Start Anastasis recovery process. 73 This requires the wallet backup state to be uninitialized. 74 FIXME: The last sentence makes no sense, as the user may have to pay for recovery! 75 * **restore-from-recovery-secret**: This requires the wallet backup state to be uninitialized. 76 FIXME: Again, I do not think we can require this. User could make backup, 77 then loose device. Create new wallet. Use new wallet (including making 78 yet another backup). THEN user remembers that he 79 had a backup (or find root key) and now want to restore backup. This should 80 MERGE the two states (you can consider it a 'poor' version of 'sync'). Note 81 that the lost device cannot 'abandon' the backed up state here! 82 * **add-provider** / **remove-provider**: Add/remove a sync provider from the 83 list of providers. Adding a provider will cause payment(s) to the provider 84 to be scheduled according to the provider's terms. If the wallet backup 85 state is "uninitialized", adding a provider will set the backup state to 86 "initialized" with a fresh wallet root key. Changing the provider list will 87 also update the sync provider URL list in the Anastasis core secret (forcing 88 a new policy to be uploaded). 89 * **abandon** / **takeover**: When the user wants to stop using a wallet on a particular 90 device, another wallet can "take over" by reading the recovery secret of the abandoned wallet. 91 The abandoned wallet marks explicitly in its backup blob that it is abandoned. 92 Abandoning a wallet will set the backup state to "uninitialized". 93 * **backup**: Do a backup cycle. Uploads the latest wallet state to all 94 sync providers. If sync provider state has changed unexpectedly, downloads 95 backup, merges, and then uploads the reconciled state. 96 * **rekey**: Change to a new wallet root secret, in case the old one has been 97 compromised. Only protectes future funds of the wallet from being 98 compromised. Requires a new payment to all configured sync providers. 99 * **backup-to-anastasis** is missing. 100 101 102 103 Backup Format 104 ------------- 105 106 TBD. Considerations from :doc:`005-wallet-backup-sync` still apply, 107 especially regarding the CRDT. 108 109 110 Initial User Experience 111 ----------------------- 112 113 The user will be asked to set up backup&sync (by selecting a provider) 114 after the first withdrawal operation has been confirmed. After selecting 115 the backup&sync providers, the user will be presented with a "checklist" that 116 contains an option to (1) show/print the recovery secret and (2) set up Anastasis. 117 118 The wallet will initially only withdraw enough money to pay the 119 backup&sync/anastasis providers. Only after successful backup of the wallet's 120 signed planchets, the full withdrawal will be completed. 121 122 123 Open Questions 124 ============== 125 126 * Should the exchange tell the wallet about available sync/Anastasis providers? 127 Otherwise, what do we do if the wallet does not know any providers for the 128 currency of the user? 129 * Should the wallet root secret and wallet database be locally encrypted 130 and protected via a passphrase? 131 * What happens if the same Anastasis user has multiple wallets? Can Anastasis somehow 132 support multiple "instances" per application? 133 134 .. Note:: 135 CG would definitively solve this using a more complex format for the **master secret**, 136 basically serializing multiple **root secret** values with meta data 137 (which wallet/device/name). 138 139 140 Future Work / Ideas 141 =================== 142 143 * Incremental backups? 144 145 * Instead of one big blob that always needs to be read/written, we could have (1) a 146 limited length append-only journal and (2) a merkle tree so that the backup blob can 147 be updated incrementally once the journal is full. 148 * Leaks more information and is more complex. 149 150 * Mult-device synchronization, with synchronous communication either over some signaling server 151 or P2P connectivity (WebRTC, etc.) 152 153 * Destroys the "wallet" metaphor, now the wallet is more like an account. 154 * We should first agree on the requirements from the perspective of end users 155 * P2P payments in Taler might also make sync less important 156 * Maybe only parts of the state (purchases / contracts, but not coins) should be synchronized? 157 * WhatsApp web model: The wallet runs only on one devices, but other devices 158 can connect to it as clients. (Allows my browser wallet to temporarily access 159 money from my phone wallet and vice versa.)