... | ... | @@ -5,8 +5,8 @@ The following model is informed by the Trike methodology. Threats are generated |
|
|
To keep the model tractable, the following aspects have been excluded:
|
|
|
* Traffic analysis of transports designed to be unlinkable, such as Tor
|
|
|
* Analysis of the social graph, such as finding nodes with a high degree or high centrality
|
|
|
* Aggregate metadata, such as the number of messages in a group or volume of traffic between two users
|
|
|
* Intersection attacks (and related statistical attacks) to link users with nyms
|
|
|
* Aggregate metadata, such as the number of messages in a group or the volume of traffic between two users
|
|
|
* Intersection attacks (and related statistical attacks) to link users or Briar identities with other users or Briar identities
|
|
|
|
|
|
### Scope
|
|
|
|
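Review bot: the intersection-attacks exclusion is broadened here, not merely renamed: the old bullet excluded linking users with nyms, the new one also excludes linking users with other users and Briar identities with other Briar identities. That is a scope change worth stating in the commit message, since it takes any statistical linking of two identities out of the model, which the later social-graph assets and "Which user owns a given Briar identity" otherwise cover. The added "the" in the aggregate-metadata bullet is fine.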
... | ... | @@ -14,9 +14,9 @@ To keep the model tractable, the following aspects have been excluded: |
|
|
|
|
|
* Briar Android app
|
|
|
* Tor, Bluetooth, and LAN transports
|
|
|
* Single nym per user
|
|
|
* Single Briar identity per user
|
|
|
* Single device per user
|
|
|
* Creating an account and a nym
|
|
|
* Creating a Briar identity
|
|
|
* Adding contacts via QR codes
|
|
|
* Introductions
|
|
|
* Proposing/accepting/declining introductions
|
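Review bot: "Creating an account and a nym" becomes "Creating a Briar identity", which drops the account concept from the in-scope list, but the rest of the document still relies on it: the intended-action rules in this commit are annotated "(account creation)" and "(account deletion)", and the Phil section is headed "Phil can sign into Alice's account if" with "Phil can brute-force the account credentials". Either keep account creation as an in-scope action alongside identity creation, or define how an account relates to a Briar identity (for example, one account holding the single in-scope identity) so those references stay meaningful.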
... | ... | @@ -39,21 +39,13 @@ To keep the model tractable, the following aspects have been excluded: |
|
|
#### Out of scope
|
|
|
|
|
|
* Briar desktop app
|
|
|
* File, modem and WAN transports
|
|
|
* Multi-block messages
|
|
|
* Removable drive transport
|
|
|
* Attachments
|
|
|
* Private groups
|
|
|
* Multiple nyms per user
|
|
|
* Multiple Briar identities per user
|
|
|
* Multiple devices per user
|
|
|
* Adding contacts via Bluetooth discovery
|
|
|
* Verifying introduced contacts
|
|
|
* Anonymous forum posts
|
|
|
* Panic button
|
|
|
* Enabling/disabling transports
|
|
|
* Account backup and recovery
|
|
|
* Update mechanism
|
|
|
* Repeaters
|
|
|
* Other Bramble apps
|
|
|
* OS/hardware compromise
|
|
|
|
|
|
### Actors
|
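Review bot: replacing "File, modem and WAN transports" with "Removable drive transport" leaves the modem and WAN transports mentioned nowhere: they are no longer listed as out of scope, and the in-scope list only names Tor, Bluetooth and LAN. If they still exist, keep them in this list; if they have been removed from the product, say so in the commit message so the omission reads as deliberate. Likewise "Multi-block messages" is dropped and "Attachments" added without a note on whether attachments subsume it.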
... | ... | @@ -77,18 +69,20 @@ To keep the model tractable, the following aspects have been excluded: |
|
|
* Number of two users' mutual contacts
|
|
|
* Identities of a user's contacts
|
|
|
* Identities of two users' mutual contacts
|
|
|
* A user's participation in a group
|
|
|
* Social graph of nyms:
|
|
|
* Existence of a contact relationship between two nyms
|
|
|
* Number of a nym's contacts
|
|
|
* Number of two nyms' mutual contacts
|
|
|
* Identities of a nym's contacts
|
|
|
* Identities of two nyms' mutual contacts
|
|
|
* A nym's participation in a group
|
|
|
* Which user owns a nym
|
|
|
* Which nyms a user owns
|
|
|
* The fact that Briar is running on the user's device
|
|
|
* The fact that the user has a Briar account
|
|
|
* A user's membership in a group
|
|
|
* Social graph of Briar identities:
|
|
|
* Existence of a contact relationship between two Briar identities
|
|
|
* Number of a Briar identity's contacts
|
|
|
* Number of two Briar identities' mutual contacts
|
|
|
* Identities of a Briar identity's contacts
|
|
|
* Identities of two Briar identities' mutual contacts
|
|
|
* A Briar identity's membership in a group
|
|
|
* Which user owns a given Briar identity
|
|
|
* Which Briar identities a given user owns
|
|
|
* Which device a given Briar identity is stored on
|
|
|
* Which Briar identity is stored on a given device
|
|
|
* The fact that Briar is running on a given device
|
|
|
* The fact that a given user has a Briar identity
|
|
|
|
|
|
### Adversaries
|
|
|
|
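Review bot: three device-level assets are new here ("Which device a given Briar identity is stored on", "Which Briar identity is stored on a given device", "The fact that Briar is running on a given device"), but the numbered intended-actions and threat lists later in this commit still stop at item 18 ("Which Briar identity a user owns"), so the new assets get no create/read/update/delete rules and no threat entries. Add items for them (they matter most for Phil, who can image the device) or note that they are intentionally deferred. Also "A user's participation in a group" becomes "A user's membership in a group" here while intended-actions items 10 and 16 keep "participation"; pick one term.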
... | ... | @@ -105,7 +99,7 @@ Capabilities: |
|
|
|
|
|
Capabilities:
|
|
|
* RF monitoring
|
|
|
* Uplink monitoring
|
|
|
* Internet uplink monitoring
|
|
|
* Location monitoring
|
|
|
* Blocking/modifying communication streams
|
|
|
* Malware installation via network
|
... | ... | @@ -114,8 +108,8 @@ Capabilities: |
|
|
|
|
|
Capabilities:
|
|
|
* RF monitoring
|
|
|
* Uplink monitoring
|
|
|
* Backbone monitoring
|
|
|
* Internet uplink monitoring
|
|
|
* Internet backbone monitoring
|
|
|
* Location monitoring
|
|
|
* Blocking/modifying communication streams
|
|
|
* Malware installation via network
|
... | ... | @@ -125,8 +119,8 @@ Capabilities: |
|
|
Capabilities:
|
|
|
* Physical surveillance
|
|
|
* Accessing device/app while signed in
|
|
|
* Coercing device/app sign in
|
|
|
* Taking image of device
|
|
|
* Coercing user to sign into device/app
|
|
|
* Taking images of device (filesystem, RAM, screenshots)
|
|
|
* Malware installation via physical access
|
|
|
|
|
|
### Intended actions
|
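Review bot: "Taking images of device (filesystem, RAM, screenshots)" adds RAM imaging and screenshots as physical-attacker capabilities, yet the out-of-scope list in this same commit excludes "OS/hardware compromise". Imaging RAM or capturing screenshots of a locked device normally requires exactly that, so state the precondition (the device is unlocked, or the user has been coerced to sign in per the preceding bullet) so that Phil's threat rules derived from this capability are not read as applying to a locked device. The reworded "Coercing user to sign into device/app" is clearer than the old bullet.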
... | ... | @@ -179,49 +173,49 @@ Capabilities: |
|
|
* Delete: Allowed if Alice is one of the users (account deletion)
|
|
|
10. A user's participation in a group
|
|
|
* Create: Allowed if Alice is the user, and either Alice created the group or the group has ever been shared with Alice
|
|
|
* Read: Allowed if Alice is the user. Allowed if Alice belongs to the group and the group is defined to have two members. Allowed if a message signed by the user's nym is sent to the group, following the rules for reading the metadata of a message and reading which user owns a nym
|
|
|
* Read: Allowed if Alice is the user. Allowed if Alice belongs to the group and the group is defined to have two members. Allowed if a message signed by the user's Briar identity is sent to the group, following the rules for reading the metadata of a message and reading which user owns a Briar identity
|
|
|
* Update: Disallowed
|
|
|
* Delete: Allowed if Alice is the user
|
|
|
11. Existence of a contact relationship between two nyms:
|
|
|
* Create: Allowed if Alice owns one of the nyms and the other owner agrees (contact creation/introduction)
|
|
|
* Read: Allowed if Alice owns one of the nyms. Allowed if Alice and the owners form an introduction triad. Allowed if Alice is a contact of one of the owners, and that user proposes an introduction between Alice and the other owner
|
|
|
11. Existence of a contact relationship between two Briar identities:
|
|
|
* Create: Allowed if Alice owns one of the Briar identities and the other owner agrees (contact creation/introduction)
|
|
|
* Read: Allowed if Alice owns one of the Briar identities. Allowed if Alice and the owners form an introduction triad. Allowed if Alice is a contact of one of the owners, and that user proposes an introduction between Alice and the other owner
|
|
|
* Update: Disallowed (verifying contacts is out of scope)
|
|
|
* Delete: Allowed if Alice owns one of the nyms (contact deletion)
|
|
|
12. Number of a nym's contacts
|
|
|
* Create: Allowed if Alice owns the nym and the number is zero (account creation)
|
|
|
* Read: Allowed if Alice owns the nym. Allowed to read a lower bound using the rules for reading the existence of a contact relationship between nyms
|
|
|
* Update: Allowed to increment/decrement using the rules for creating/deleting a contact relationship between nyms
|
|
|
* Delete: Allowed if Alice owns the nym (account deletion)
|
|
|
13. Number of two nyms' mutual contacts
|
|
|
* Create: Allowed if Alice owns one of the nyms and the number is zero (account creation)
|
|
|
* Read: Allowed to read a lower bound using the rules for reading the existence of a contact relationship between nyms
|
|
|
* Update: Allowed to increment if Alice owns one of the nyms, and Alice is a contact of the other owner, and the other owner agrees, and the new mutual contact agrees (introduction). Allowed to decrement if Alice owns one of the nyms, and Alice and the other owner belong to an introduction triad (contact deletion)
|
|
|
* Delete: Allowed if Alice owns one of the nyms (account deletion)
|
|
|
14. Identities of a nym's contacts
|
|
|
* Create: Allowed if Alice owns the nym and the set of contacts is empty (account creation)
|
|
|
* Read: Allowed if Alice owns the nym. Allowed to read a subset using the rules for reading the existence of a contact relationship between nyms
|
|
|
* Update: Allowed to add/subtract using the rules for creating/deleting a contact relationship between nyms
|
|
|
* Delete: Allowed if Alice owns the nym (account deletion)
|
|
|
15. Identities of two nyms' mutual contacts
|
|
|
* Create: Allowed if Alice owns one of the nyms and the set of mutual contacts is empty (account creation)
|
|
|
* Read: Allowed to read a subset using the rules for reading the existence of a contact relationship between nyms
|
|
|
* Update: Allowed to add if Alice owns one of the nyms, and Alice is a contact of the other owner, and the other owner agrees, and the new mutual contact agrees (introduction). Allowed to subtract if Alice owns one of the nyms, and Alice and the other owner belong to an introduction triad (contact deletion)
|
|
|
* Delete: Allowed if Alice owns one of the nyms (account deletion)
|
|
|
16. A nym's participation in a group
|
|
|
* Create: Allowed if Alice owns the nym, and either Alice created the group or the group has ever been shared with Alice
|
|
|
* Read: Allowed if Alice owns the nym. Allowed if Alice belongs to the group and the group is defined to have two members. Allowed if a message signed by the nym is sent to the group, following the rules for reading the metadata of a message
|
|
|
* Delete: Allowed if Alice owns one of the Briar identities (contact deletion)
|
|
|
12. Number of a Briar identity's contacts
|
|
|
* Create: Allowed if Alice owns the Briar identity and the number is zero (account creation)
|
|
|
* Read: Allowed if Alice owns the Briar identity. Allowed to read a lower bound using the rules for reading the existence of a contact relationship between Briar identities
|
|
|
* Update: Allowed to increment/decrement using the rules for creating/deleting a contact relationship between Briar identities
|
|
|
* Delete: Allowed if Alice owns the Briar identity (account deletion)
|
|
|
13. Number of two Briar identities' mutual contacts
|
|
|
* Create: Allowed if Alice owns one of the Briar identities and the number is zero (account creation)
|
|
|
* Read: Allowed to read a lower bound using the rules for reading the existence of a contact relationship between Briar identities
|
|
|
* Update: Allowed to increment if Alice owns one of the Briar identities, and Alice is a contact of the other owner, and the other owner agrees, and the new mutual contact agrees (introduction). Allowed to decrement if Alice owns one of the Briar identities, and Alice and the other owner belong to an introduction triad (contact deletion)
|
|
|
* Delete: Allowed if Alice owns one of the Briar identities (account deletion)
|
|
|
14. Identities of a Briar identity's contacts
|
|
|
* Create: Allowed if Alice owns the Briar identity and the set of contacts is empty (account creation)
|
|
|
* Read: Allowed if Alice owns the Briar identity. Allowed to read a subset using the rules for reading the existence of a contact relationship between Briar identities
|
|
|
* Update: Allowed to add/subtract using the rules for creating/deleting a contact relationship between Briar identities
|
|
|
* Delete: Allowed if Alice owns the Briar identity (account deletion)
|
|
|
15. Identities of two Briar identities' mutual contacts
|
|
|
* Create: Allowed if Alice owns one of the Briar identities and the set of mutual contacts is empty (account creation)
|
|
|
* Read: Allowed to read a subset using the rules for reading the existence of a contact relationship between Briar identities
|
|
|
* Update: Allowed to add if Alice owns one of the Briar identities, and Alice is a contact of the other owner, and the other owner agrees, and the new mutual contact agrees (introduction). Allowed to subtract if Alice owns one of the Briar identities, and Alice and the other owner belong to an introduction triad (contact deletion)
|
|
|
* Delete: Allowed if Alice owns one of the Briar identities (account deletion)
|
|
|
16. A Briar identity's participation in a group
|
|
|
* Create: Allowed if Alice owns the Briar identity, and either Alice created the group or the group has ever been shared with Alice
|
|
|
* Read: Allowed if Alice owns the Briar identity. Allowed if Alice belongs to the group and the group is defined to have two members. Allowed if a message signed by the Briar identity is sent to the group, following the rules for reading the metadata of a message
|
|
|
* Update: Disallowed
|
|
|
* Delete: Allowed if Alice owns the nym
|
|
|
17. Which user owns a nym
|
|
|
* Create: Allowed if Alice is the user and the nym is being created (account creation)
|
|
|
* Read: Allowed if Alice owns the nym. Allowed if Alice is a contact of the owner
|
|
|
* Delete: Allowed if Alice owns the Briar identity
|
|
|
17. Which user owns a Briar identity
|
|
|
* Create: Allowed if Alice is the user and the Briar identity is being created (account creation)
|
|
|
* Read: Allowed if Alice owns the Briar identity. Allowed if Alice is a contact of the owner
|
|
|
* Update: Disallowed
|
|
|
* Delete: Allowed if Alice owns the nym (account deletion)
|
|
|
18. Which nym a user owns
|
|
|
* Create: Allowed if Alice is the user and the nym is being created (account creation)
|
|
|
* Read: Allowed if Alice owns the nym. Allowed if Alice is a contact of the owner
|
|
|
* Delete: Allowed if Alice owns the Briar identity (account deletion)
|
|
|
18. Which Briar identity a user owns
|
|
|
* Create: Allowed if Alice is the user and the Briar identity is being created (account creation)
|
|
|
* Read: Allowed if Alice owns the Briar identity. Allowed if Alice is a contact of the owner
|
|
|
* Update: Disallowed
|
|
|
* Delete: Allowed if Alice owns the nym (account deletion)
|
|
|
* Delete: Allowed if Alice owns the Briar identity (account deletion)
|
|
|
|
|
|
### Threats
|
|
|
|
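Review bot: the rename is applied consistently across items 10 to 18, but the item titles drift from the assets list in this commit: items 10 and 16 still say "participation in a group" where the assets say "membership in a group", and items 17 and 18 say "Which user owns a Briar identity" / "Which Briar identity a user owns" where the assets say "Which user owns a given Briar identity" / "Which Briar identities a given user owns". Since every "rules for reading ..." cross-reference in the Threats section resolves by title, align the wording now rather than in a follow-up.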
... | ... | @@ -243,7 +237,7 @@ Capabilities: |
|
|
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users
|
|
|
9. Identities of two users' mutual contacts
|
|
|
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users
|
|
|
10. The fact that users have Briar accounts and are running Briar
|
|
|
10. The fact that users have Briar identities and are running Briar
|
|
|
* Read: Possible to observe users adding each other as contacts via the local network
|
|
|
|
|
|
#### Attacker: Rex, a remote network attacker
|
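Review bot: item 10 now reads "The fact that users have Briar identities and are running Briar", which bundles two assets that the assets list in this commit keeps separate ("The fact that Briar is running on a given device" and "The fact that a given user has a Briar identity"). The Read rule (observing users adding each other as contacts via the local network) reveals both at once for this attacker, so the merge is defensible, but say so, or split the item so the numbering lines up with the assets.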
... | ... | @@ -287,7 +281,7 @@ Phil can sign into Alice's account if: |
|
|
* Phil can brute-force the account credentials
|
|
|
|
|
|
5. Existence of a contact relationship between two users
|
|
|
* Read: Possible if Phil observes the users adding each other as contacts. Possible using the rules for Alice, and the rules for reading which user owns a nym, if Phil observes Alice using the app
|
|
|
* Read: Possible if Phil observes the users adding each other as contacts. Possible using the rules for Alice, and the rules for reading which user owns a Briar identity, if Phil observes Alice using the app
|
|
|
|
|
|
6. Number of a user's contacts
|
|
|
* Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users. Possible using the rules for Alice, if Phil observes Alice using the app
|
... | ... | @@ -296,7 +290,7 @@ Phil can sign into Alice's account if: |
|
|
* Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users. Possible to read a lower bound using the rules for Alice, if Phil observes Alice using the app
|
|
|
|
|
|
8. Identities of a user's contacts
|
|
|
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users. Possible using the rules for Alice, and the rules for reading which user owns a nym, if Phil observes Alice using the app
|
|
|
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users. Possible using the rules for Alice, and the rules for reading which user owns a Briar identity, if Phil observes Alice using the app
|
|
|
|
|
|
9. Identities of two users' mutual contacts
|
|
|
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users. Possible to read a subset using the rules for Alice, if Phil observes Alice using the app
|
... | ... | @@ -304,26 +298,26 @@ Phil can sign into Alice's account if: |
|
|
10. A user's participation in a group
|
|
|
* Read: Possible if Phil observes the user using the app. Possible using the rules for Alice, if Phil observes Alice using the app
|
|
|
|
|
|
11. Existence of a contact relationship between two nyms:
|
|
|
* Read: Possible using the rules for reading the existence of a contact relationship between two users, and the rules for reading which user owns a nym. Possible using the rules for Alice, if Phil observes Alice using the app
|
|
|
11. Existence of a contact relationship between two Briar identities:
|
|
|
* Read: Possible using the rules for reading the existence of a contact relationship between two users, and the rules for reading which user owns a Briar identity. Possible using the rules for Alice, if Phil observes Alice using the app
|
|
|
|
|
|
12. Number of a nym's contacts
|
|
|
* Read: Possible using the rules for reading the number of a user's contacts, and the rules for reading which user owns a nym. Possible using the rules for Alice, if Phil observes Alice using the app
|
|
|
12. Number of a Briar identity's contacts
|
|
|
* Read: Possible using the rules for reading the number of a user's contacts, and the rules for reading which user owns a Briar identity. Possible using the rules for Alice, if Phil observes Alice using the app
|
|
|
|
|
|
13. Number of two nyms' mutual contacts
|
|
|
* Read: Possible using the rules for reading the number of two users' mutual contacts, and the rules for reading which user owns a nym. Possible using the rules for Alice, if Phil observes Alice using the app
|
|
|
13. Number of two Briar identities' mutual contacts
|
|
|
* Read: Possible using the rules for reading the number of two users' mutual contacts, and the rules for reading which user owns a Briar identity. Possible using the rules for Alice, if Phil observes Alice using the app
|
|
|
|
|
|
14. Nyms of a nym's contacts
|
|
|
* Read: Possible using the rules for reading the identities of a user's contacts, the rules for reading which user owns a nym, and the rules for reading which nym a user owns. Possible using the rules for Alice, if Phil observes Alice using the app
|
|
|
14. Briar identities of a Briar identity's contacts
|
|
|
* Read: Possible using the rules for reading the identities of a user's contacts, the rules for reading which user owns a Briar identity, and the rules for reading which Briar identity a user owns. Possible using the rules for Alice, if Phil observes Alice using the app
|
|
|
|
|
|
15. Nyms of two nyms' mutual contacts
|
|
|
* Read: Possible using the rules for reading the identities of two users' mutual contacts, the rules for reading which user owns a nym, and the rules for reading which nym a user owns. Possible using the rules for Alice, if Phil observes Alice using the app
|
|
|
15. Briar identities of two Briar identities' mutual contacts
|
|
|
* Read: Possible using the rules for reading the identities of two users' mutual contacts, the rules for reading which user owns a Briar identity, and the rules for reading which Briar identity a user owns. Possible using the rules for Alice, if Phil observes Alice using the app
|
|
|
|
|
|
16. A nym's participation in a group
|
|
|
* Read: Possible if Phil observes the nym's owner using the app. Possible using the rules for Alice, if Phil observes Alice using the app
|
|
|
16. A Briar identity's participation in a group
|
|
|
* Read: Possible if Phil observes the Briar identity's owner using the app. Possible using the rules for Alice, if Phil observes Alice using the app
|
|
|
|
|
|
17. Which user owns a nym
|
|
|
17. Which user owns a Briar identity
|
|
|
* Read: Possible if Phil observes the user using the app. Possible using the rules for Alice, if Phil observes Alice using the app
|
|
|
|
|
|
18. Which nym a user owns
|
|
|
18. Which Briar identity a user owns
|
|
|
* Read: Possible if Phil observes the user using the app. Possible using the rules for Alice, if Phil observes Alice using the app |
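Review bot: items 14 and 15 are titled "Briar identities of a Briar identity's contacts" and "Briar identities of two Briar identities' mutual contacts" here, while the intended-actions list and the assets list in this commit title the same items "Identities of a Briar identity's contacts" and "Identities of two Briar identities' mutual contacts". The mismatch is inherited from the old "Nyms of a nym's contacts" wording; since this commit touches every one of these lines, align the titles now so the "rules for reading ..." cross-references resolve to a single name.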