... | ... | @@ -4,7 +4,7 @@ The following model is informed by the Trike methodology. Threats are generated |
|
|
|
|
|
To keep the model tractable, the following aspects have been excluded:
|
|
|
* Traffic analysis of transports designed to be unlinkable, such as Tor
|
|
|
* Analysis of the social graph, such as finding nodes with high degree or high centrality
|
|
|
* Analysis of the social graph, such as finding nodes with a high degree or high centrality
|
|
|
* Aggregate metadata, such as the number of messages in a group or volume of traffic between two users
|
|
|
* Intersection attacks (and related statistical attacks) to link users with nyms
|
|
|
|
... | ... | @@ -13,7 +13,7 @@ To keep the model tractable, the following aspects have been excluded: |
|
|
#### In scope
|
|
|
|
|
|
* Briar Android app
|
|
|
* Tor, Bluetooth and LAN transports
|
|
|
* Tor, Bluetooth, and LAN transports
|
|
|
* Single nym per user
|
|
|
* Single device per user
|
|
|
* Creating an account and a nym
|
... | ... | @@ -87,6 +87,8 @@ To keep the model tractable, the following aspects have been excluded: |
|
|
* A nym's participation in a group
|
|
|
* Which user owns a nym
|
|
|
* Which nyms a user owns
|
|
|
* The fact that Briar is running on the user's device
|
|
|
* The fact that the user has a Briar account
|
|
|
|
|
|
### Adversaries
|
|
|
|
... | ... | @@ -193,7 +195,7 @@ Capabilities: |
|
|
13. Number of two nyms' mutual contacts
|
|
|
* Create: Allowed if Alice owns one of the nyms and the number is zero (account creation)
|
|
|
* Read: Allowed to read a lower bound using the rules for reading the existence of a contact relationship between nyms
|
|
|
* Update: Allowed to increment if Alice owns one of the nyms, and Alice is a contact of the other owner, and the other owner agrees, and the new mutual contact agrees (introduction). Allowed to decrement if Alice is owns one of the nyms, and Alice and the other owner belong to an introduction triad (contact deletion)
|
|
|
* Update: Allowed to increment if Alice owns one of the nyms, and Alice is a contact of the other owner, and the other owner agrees, and the new mutual contact agrees (introduction). Allowed to decrement if Alice owns one of the nyms, and Alice and the other owner belong to an introduction triad (contact deletion)
|
|
|
* Delete: Allowed if Alice owns one of the nyms (account deletion)
|
|
|
14. Identities of a nym's contacts
|
|
|
* Create: Allowed if Alice owns the nym and the set of contacts is empty (account creation)
|
... | ... | @@ -241,6 +243,8 @@ Capabilities: |
|
|
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users
|
|
|
9. Identities of two users' mutual contacts
|
|
|
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users
|
|
|
10. The fact that users have Briar accounts and are running Briar
|
|
|
* Read: Possible to observe users adding each other as contacts via the local network
|
|
|
|
|
|
#### Attacker: Rex, a remote network attacker
|
|
|
|
... | ... | @@ -307,13 +311,13 @@ Phil can sign into Alice's account if: |
|
|
* Read: Possible using the rules for reading the number of a user's contacts, and the rules for reading which user owns a nym. Possible using the rules for Alice, if Phil observes Alice using the app
|
|
|
|
|
|
13. Number of two nyms' mutual contacts
|
|
|
* Read: Possible using the rules for reading the number of two users' mutual contacts, and the rules for reading which user owns a nym. Possible using the rules for Alice ,if Phil observes Alice using the app
|
|
|
* Read: Possible using the rules for reading the number of two users' mutual contacts, and the rules for reading which user owns a nym. Possible using the rules for Alice, if Phil observes Alice using the app
|
|
|
|
|
|
14. Nyms of a nym's contacts
|
|
|
* Read: Possible using the rules for reading the identities of a user's contacts, the rules for reading which user owns a nym, and the rules for reading which nym a user owns. Possible using the rules for Alice, if Phil observes Alice using the app
|
|
|
|
|
|
15. Nyms of two nyms' mutual contacts
|
|
|
* Read: Possible using the rules for reading the identities of two users' mutual contacts , the rules for reading which user owns a nym, and the rules for reading which nym a user owns. Possible using the rules for Alice, if Phil observes Alice using the app
|
|
|
* Read: Possible using the rules for reading the identities of two users' mutual contacts, the rules for reading which user owns a nym, and the rules for reading which nym a user owns. Possible using the rules for Alice, if Phil observes Alice using the app
|
|
|
|
|
|
16. A nym's participation in a group
|
|
|
* Read: Possible if Phil observes the nym's owner using the app. Possible using the rules for Alice, if Phil observes Alice using the app
|
... | ... | |