From 4c0b3b20c6ccda76838518a0db5b7b30653ea894 Mon Sep 17 00:00:00 2001 From: akwizgran <michael@briarproject.org> Date: Fri, 16 Feb 2024 15:41:02 +0000 Subject: [PATCH] Add security properties section to client specs. --- clients/Blog-Client.md | 3 +++ clients/Blog-Sharing-Client.md | 3 +++ clients/Forum-Client.md | 3 +++ clients/Forum-Sharing-Client.md | 3 +++ clients/Introduction-Client.md | 17 +++++++++++++++++ clients/Messaging-Client.md | 3 +++ clients/Private-Group-Client.md | 3 +++ clients/Private-Group-Sharing-Client.md | 3 +++ clients/Transport-Key-Agreement-Client.md | 4 ++++ clients/Transport-Properties-Client.md | 3 +++ 10 files changed, 45 insertions(+) diff --git a/clients/Blog-Client.md b/clients/Blog-Client.md index 79f248f..25b6beb 100644 --- a/clients/Blog-Client.md +++ b/clients/Blog-Client.md @@ -60,3 +60,6 @@ The original group ID must be calculated, as it is covered by the signature. The * All posts and comments are shared. * Wrapped posts and wrapped comments are not shared unless they are referenced by a post or comment. +### Security properties + +Confidentiality, integrity and authenticity are provided by the transport security layer ([BTP](/protocols/BTP.md)). Posts and comments are signed with the identity key pairs of their authors and are not repudiable. Wrapped posts and comments are not repudiable by their original authors. diff --git a/clients/Blog-Sharing-Client.md b/clients/Blog-Sharing-Client.md index 53b8b9e..a9c60da 100644 --- a/clients/Blog-Sharing-Client.md +++ b/clients/Blog-Sharing-Client.md @@ -72,3 +72,6 @@ Aborting from any state returns the session to the START state. * All local messages are shared. +### Security properties + +Confidentiality, integrity and authenticity are provided by the transport security layer ([BTP](/protocols/BTP.md)). Messages are repudiable, but this is not a security goal and may change in future versions of the client. diff --git a/clients/Forum-Client.md b/clients/Forum-Client.md index d1e0121..0934f87 100644 --- a/clients/Forum-Client.md +++ b/clients/Forum-Client.md @@ -32,3 +32,6 @@ The signature covers a BDF list with five elements: `groupId` (unique ID), `time * All messages are shared. +### Security properties + +Confidentiality, integrity and authenticity are provided by the transport security layer ([BTP](/protocols/BTP.md)). Posts are signed with the identity key pairs of their authors and are not repudiable. diff --git a/clients/Forum-Sharing-Client.md b/clients/Forum-Sharing-Client.md index 718baf7..e4f91d0 100644 --- a/clients/Forum-Sharing-Client.md +++ b/clients/Forum-Sharing-Client.md @@ -72,3 +72,6 @@ Aborting from any state returns the session to the START state. * All local messages are shared. +### Security properties + +Confidentiality, integrity and authenticity are provided by the transport security layer ([BTP](/protocols/BTP.md)). Messages are repudiable, but this is not a security goal and may change in future versions of the client. diff --git a/clients/Introduction-Client.md b/clients/Introduction-Client.md index f54b57d..766be69 100644 --- a/clients/Introduction-Client.md +++ b/clients/Introduction-Client.md @@ -96,3 +96,20 @@ Introducee state machine: * All local messages are shared. +### Security properties + +Confidentiality, integrity and authenticity between the introducer and each introducee are provided by the transport security layer ([BTP](/protocols/BTP.md)). + +There is no assurance of confidentiality with respect to the introducer, for any messages sent between the introducees via the introducer as part of this protocol. In other words, the introducer can read all messages she forwards between the introducees. Confidentiality of these messages with respect to any external parties is provided by the transport security layer. + +There is no assurance of integrity or authenticity with respect to the introducer, for any messages sent between the introducees via the introducer as part of this protocol. In particular, the introducer may carry out a **man-in-the-middle attack** against the introducees, by introducing each introducee to an identity controlled by the introducer. In this scenario the introducees will believe that they are communicating with each other via the introducer, when in fact they are communicating with identities controlled by the introducer. The introducer can replace the transport properties sent by the introducees with transport properties controlled by the introducer, so that after the introduction has been completed the introducees will continue to communicate with the introducer instead of with each other. This allows the man-in-the-middle attack to continue against all subsequent communication between the introducees. + +To carry out such an attack, the introducee must create two identities that are distinct from the identities of the introducees, and must include these identities in the initial request messages sent to the introducees. + +If the introducees meet in person at any time after the introduction has been completed, they can check that the introducer did not carry out a man-in-the-middle attack by comparing each other's identities with the identities received from the introducer. + +The transport keys that the introducees derive during the introduction are used to ensure the confidentiality, integrity and authenticity of communication between the introducees after the introduction has been completed. To ensure the forward secrecy of this subsequent communication, the introducees must both delete their ephemeral private keys before using the transport keys. + +Each introducee can ensure that the transport keys are not used until the ephemeral private keys have been deleted by marking the transport keys as inactive (ie not eligible to be used for securing outgoing BTP streams) until either (a) the other introducee's activate message is received via the introducer and its MAC is validated, or (b) an incoming BTP stream secured with the transport keys in question is received. + +In the latter case, receipt of a stream secured with the transport keys indirectly indicates that the other introducee has received and validated this introducee's activate message and sent its own activate message, and thus the keys are safe to use, even though the other introducee's activate message may still be in transit. diff --git a/clients/Messaging-Client.md b/clients/Messaging-Client.md index b10a91a..0b370d9 100644 --- a/clients/Messaging-Client.md +++ b/clients/Messaging-Client.md @@ -26,3 +26,6 @@ The client uses a separate BSP group for communicating with each contact. The [g * All local messages are shared. +### Security properties + +Confidentiality, integrity and authenticity are provided by the transport security layer ([BTP](/protocols/BTP.md)). Messages are repudiable, but this is not a security goal and may change in future versions of the client. diff --git a/clients/Private-Group-Client.md b/clients/Private-Group-Client.md index a313db0..4fbe4f6 100644 --- a/clients/Private-Group-Client.md +++ b/clients/Private-Group-Client.md @@ -47,3 +47,6 @@ The signature covers a BDF list with six elements: `groupId` (unique ID), `times * All messages are shared. +### Security properties + +Confidentiality, integrity and authenticity are provided by the transport security layer ([BTP](/protocols/BTP.md)). A join message is signed with the identity key pair of the member and is not repudiable. The `invite` element of a join message is signed with the identity key pair of the group creator and is not repudiable. Posts are signed with the identity key pair of their authors and are not repudiable. diff --git a/clients/Private-Group-Sharing-Client.md b/clients/Private-Group-Sharing-Client.md index d27dad8..23d10f0 100644 --- a/clients/Private-Group-Sharing-Client.md +++ b/clients/Private-Group-Sharing-Client.md @@ -85,3 +85,6 @@ Peer state machine: * All local messages are shared. +### Security properties + +Confidentiality, integrity and authenticity are provided by the transport security layer ([BTP](/protocols/BTP.md)). Invite messages are signed with the identity key pair of the group creator and are not repudiable. The other messages used by this client are repudiable, but this is not a security goal and may change in future versions of the client. diff --git a/clients/Transport-Key-Agreement-Client.md b/clients/Transport-Key-Agreement-Client.md index 0d7f569..ab7101a 100644 --- a/clients/Transport-Key-Agreement-Client.md +++ b/clients/Transport-Key-Agreement-Client.md @@ -39,6 +39,10 @@ The protocol uses two message types. * All local messages are shared. +### Security properties + +Confidentiality, integrity and authenticity are provided by the transport security layer ([BTP](/protocols/BTP.md)). Messages are repudiable, but this is not a security goal and may change in future versions of the client. + ### State machine  diff --git a/clients/Transport-Properties-Client.md b/clients/Transport-Properties-Client.md index 9f58e07..0d8fa73 100644 --- a/clients/Transport-Properties-Client.md +++ b/clients/Transport-Properties-Client.md @@ -32,3 +32,6 @@ The client also uses a group with an empty descriptor for storing local transpor * In the groups shared with contacts, all local messages are shared. * In the unshared group, no messages are shared. +### Security properties + +Confidentiality, integrity and authenticity are provided by the transport security layer ([BTP](/protocols/BTP.md)). Messages are repudiable, but this is not a security goal and may change in future versions of the client. -- GitLab