... | ... | @@ -4,7 +4,7 @@ The following model is informed by the Trike methodology. Threats are generated |
|
|
|
|
|
To keep the model tractable, the following aspects have been excluded:
|
|
|
* Traffic analysis of transports designed to be unlinkable, such as Tor
|
|
|
* Analysis of the social graph, such as finding nodes with high degree or high centrality
|
|
|
* Analysis of the social graph, such as finding nodes with a high degree or high centrality
|
|
|
* Aggregate metadata, such as the number of messages in a group or volume of traffic between two users
|
|
|
* Intersection attacks (and related statistical attacks) to link users with nyms
|
|
|
|
... | ... | @@ -13,7 +13,7 @@ To keep the model tractable, the following aspects have been excluded: |
|
|
#### In scope
|
|
|
|
|
|
* Briar Android app
|
|
|
* Tor, Bluetooth and LAN transports
|
|
|
* Tor, Bluetooth, and LAN transports
|
|
|
* Single nym per user
|
|
|
* Single device per user
|
|
|
* Creating an account and a nym
|
... | ... | @@ -87,6 +87,8 @@ To keep the model tractable, the following aspects have been excluded: |
|
|
* A nym's participation in a group
|
|
|
* Which user owns a nym
|
|
|
* Which nyms a user owns
|
|
|
* The fact that Briar is running on the user's device
|
|
|
* The fact that the user has a Briar account
|
|
|
|
|
|
### Adversaries
|
|
|
|
... | ... | @@ -193,7 +195,7 @@ Capabilities: |
|
|
13. Number of two nyms' mutual contacts
|
|
|
* Create: Allowed if Alice owns one of the nyms and the number is zero (account creation)
|
|
|
* Read: Allowed to read a lower bound using the rules for reading the existence of a contact relationship between nyms
|
|
|
* Update: Allowed to increment if Alice owns one of the nyms, and Alice is a contact of the other owner, and the other owner agrees, and the new mutual contact agrees (introduction). Allowed to decrement if Alice is owns one of the nyms, and Alice and the other owner belong to an introduction triad (contact deletion)
|
|
|
* Update: Allowed to increment if Alice owns one of the nyms, and Alice is a contact of the other owner, and the other owner agrees, and the new mutual contact agrees (introduction). Allowed to decrement if Alice owns one of the nyms, and Alice and the other owner belong to an introduction triad (contact deletion)
|
|
|
* Delete: Allowed if Alice owns one of the nyms (account deletion)
|
|
|
14. Identities of a nym's contacts
|
|
|
* Create: Allowed if Alice owns the nym and the set of contacts is empty (account creation)
|
... | ... | @@ -241,6 +243,8 @@ Capabilities: |
|
|
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users
|
|
|
9. Identities of two users' mutual contacts
|
|
|
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users
|
|
|
10. The fact that users have Briar accounts and are running Briar
|
|
|
* Read: Possible to observe users adding each other as contacts via the local network
|
|
|
|
|
|
#### Attacker: Rex, a remote network attacker
|
|
|
|
... | ... | |