diff --git a/clients/Blog-Client.md b/clients/Blog-Client.md index 79f248fa41037202626c0996f36ce154ddb032fc..25b6beb7161ef586692f216001ad37b65d710e0e 100644 --- a/clients/Blog-Client.md +++ b/clients/Blog-Client.md @@ -60,3 +60,6 @@ The original group ID must be calculated, as it is covered by the signature. The * All posts and comments are shared. * Wrapped posts and wrapped comments are not shared unless they are referenced by a post or comment. +### Security properties + +Confidentiality, integrity and authenticity are provided by the transport security layer ([BTP](/protocols/BTP.md)). Posts and comments are signed with the identity key pairs of their authors and are not repudiable. Wrapped posts and comments are not repudiable by their original authors. diff --git a/clients/Blog-Sharing-Client.md b/clients/Blog-Sharing-Client.md index 53b8b9ec88bde74f11b87d4fcd0c3b1dd7011caf..a9c60da65c383701272ef04b973d5eff08e0ba6b 100644 --- a/clients/Blog-Sharing-Client.md +++ b/clients/Blog-Sharing-Client.md @@ -72,3 +72,6 @@ Aborting from any state returns the session to the START state. * All local messages are shared. +### Security properties + +Confidentiality, integrity and authenticity are provided by the transport security layer ([BTP](/protocols/BTP.md)). Messages are repudiable, but this is not a security goal and may change in future versions of the client. diff --git a/clients/Forum-Client.md b/clients/Forum-Client.md index d1e0121e5e4dc6e17a0187ac804801122fb4e2c4..0934f878deb3368fa14421fbe3af4d70a44fb311 100644 --- a/clients/Forum-Client.md +++ b/clients/Forum-Client.md @@ -32,3 +32,6 @@ The signature covers a BDF list with five elements: `groupId` (unique ID), `time * All messages are shared. +### Security properties + +Confidentiality, integrity and authenticity are provided by the transport security layer ([BTP](/protocols/BTP.md)). Posts are signed with the identity key pairs of their authors and are not repudiable. diff --git a/clients/Forum-Sharing-Client.md b/clients/Forum-Sharing-Client.md index 718baf79e69b66fb3bf6a4566395b10d8ba36c55..e4f91d07323415d4055b715b986ec094d85ee777 100644 --- a/clients/Forum-Sharing-Client.md +++ b/clients/Forum-Sharing-Client.md @@ -72,3 +72,6 @@ Aborting from any state returns the session to the START state. * All local messages are shared. +### Security properties + +Confidentiality, integrity and authenticity are provided by the transport security layer ([BTP](/protocols/BTP.md)). Messages are repudiable, but this is not a security goal and may change in future versions of the client. diff --git a/clients/Introduction-Client.md b/clients/Introduction-Client.md index f54b57d3228caa7c23496107cf0c5057de084f42..766be69311fc148e46fc52f81e06d4bd4f9d1e0c 100644 --- a/clients/Introduction-Client.md +++ b/clients/Introduction-Client.md @@ -96,3 +96,20 @@ Introducee state machine: * All local messages are shared. +### Security properties + +Confidentiality, integrity and authenticity between the introducer and each introducee are provided by the transport security layer ([BTP](/protocols/BTP.md)). + +There is no assurance of confidentiality with respect to the introducer, for any messages sent between the introducees via the introducer as part of this protocol. In other words, the introducer can read all messages she forwards between the introducees. Confidentiality of these messages with respect to any external parties is provided by the transport security layer. + +There is no assurance of integrity or authenticity with respect to the introducer, for any messages sent between the introducees via the introducer as part of this protocol. In particular, the introducer may carry out a **man-in-the-middle attack** against the introducees, by introducing each introducee to an identity controlled by the introducer. In this scenario the introducees will believe that they are communicating with each other via the introducer, when in fact they are communicating with identities controlled by the introducer. The introducer can replace the transport properties sent by the introducees with transport properties controlled by the introducer, so that after the introduction has been completed the introducees will continue to communicate with the introducer instead of with each other. This allows the man-in-the-middle attack to continue against all subsequent communication between the introducees. + +To carry out such an attack, the introducee must create two identities that are distinct from the identities of the introducees, and must include these identities in the initial request messages sent to the introducees. + +If the introducees meet in person at any time after the introduction has been completed, they can check that the introducer did not carry out a man-in-the-middle attack by comparing each other's identities with the identities received from the introducer. + +The transport keys that the introducees derive during the introduction are used to ensure the confidentiality, integrity and authenticity of communication between the introducees after the introduction has been completed. To ensure the forward secrecy of this subsequent communication, the introducees must both delete their ephemeral private keys before using the transport keys. + +Each introducee can ensure that the transport keys are not used until the ephemeral private keys have been deleted by marking the transport keys as inactive (ie not eligible to be used for securing outgoing BTP streams) until either (a) the other introducee's activate message is received via the introducer and its MAC is validated, or (b) an incoming BTP stream secured with the transport keys in question is received. + +In the latter case, receipt of a stream secured with the transport keys indirectly indicates that the other introducee has received and validated this introducee's activate message and sent its own activate message, and thus the keys are safe to use, even though the other introducee's activate message may still be in transit. diff --git a/clients/Messaging-Client.md b/clients/Messaging-Client.md index b10a91a16f5caf75b3d73d57e838427d25d819e1..0b370d90aa8f18300f38ee31c96b3c0c045b4168 100644 --- a/clients/Messaging-Client.md +++ b/clients/Messaging-Client.md @@ -26,3 +26,6 @@ The client uses a separate BSP group for communicating with each contact. The [g * All local messages are shared. +### Security properties + +Confidentiality, integrity and authenticity are provided by the transport security layer ([BTP](/protocols/BTP.md)). Messages are repudiable, but this is not a security goal and may change in future versions of the client. diff --git a/clients/Private-Group-Client.md b/clients/Private-Group-Client.md index a313db036a7f04c8c021b2ba98a98bcf3b3f0c49..4fbe4f6340e0382f4b7bc1781c14b04b871800cb 100644 --- a/clients/Private-Group-Client.md +++ b/clients/Private-Group-Client.md @@ -47,3 +47,6 @@ The signature covers a BDF list with six elements: `groupId` (unique ID), `times * All messages are shared. +### Security properties + +Confidentiality, integrity and authenticity are provided by the transport security layer ([BTP](/protocols/BTP.md)). A join message is signed with the identity key pair of the member and is not repudiable. The `invite` element of a join message is signed with the identity key pair of the group creator and is not repudiable. Posts are signed with the identity key pair of their authors and are not repudiable. diff --git a/clients/Private-Group-Sharing-Client.md b/clients/Private-Group-Sharing-Client.md index d27dad877ef74f5b6c1de1f25b49b5646453eba0..23d10f0a4c2afc71b59e883698f38641c694173a 100644 --- a/clients/Private-Group-Sharing-Client.md +++ b/clients/Private-Group-Sharing-Client.md @@ -85,3 +85,6 @@ Peer state machine: * All local messages are shared. +### Security properties + +Confidentiality, integrity and authenticity are provided by the transport security layer ([BTP](/protocols/BTP.md)). Invite messages are signed with the identity key pair of the group creator and are not repudiable. The other messages used by this client are repudiable, but this is not a security goal and may change in future versions of the client. diff --git a/clients/Transport-Key-Agreement-Client.md b/clients/Transport-Key-Agreement-Client.md index 0d7f569e1bea81d99be53d26a9945c8644244c9f..ab7101a2fbc72cc3048d7f85aecd7fd750cd63d6 100644 --- a/clients/Transport-Key-Agreement-Client.md +++ b/clients/Transport-Key-Agreement-Client.md @@ -39,6 +39,10 @@ The protocol uses two message types. * All local messages are shared. +### Security properties + +Confidentiality, integrity and authenticity are provided by the transport security layer ([BTP](/protocols/BTP.md)). Messages are repudiable, but this is not a security goal and may change in future versions of the client. + ### State machine  diff --git a/clients/Transport-Properties-Client.md b/clients/Transport-Properties-Client.md index 9f58e07883c10b3a3b0ebfd41abc31da5516c522..0d8fa73daf0e5c35fc1a6e0185a7defc3d8f06d1 100644 --- a/clients/Transport-Properties-Client.md +++ b/clients/Transport-Properties-Client.md @@ -32,3 +32,6 @@ The client also uses a group with an empty descriptor for storing local transpor * In the groups shared with contacts, all local messages are shared. * In the unshared group, no messages are shared. +### Security properties + +Confidentiality, integrity and authenticity are provided by the transport security layer ([BTP](/protocols/BTP.md)). Messages are repudiable, but this is not a security goal and may change in future versions of the client.