@@ -5,8 +5,8 @@ The following model is informed by the Trike methodology. Threats are generated
To keep the model tractable, the following aspects have been excluded:
To keep the model tractable, the following aspects have been excluded:
* Traffic analysis of transports designed to be unlinkable, such as Tor
* Traffic analysis of transports designed to be unlinkable, such as Tor
* Analysis of the social graph, such as finding nodes with a high degree or high centrality
* Analysis of the social graph, such as finding nodes with a high degree or high centrality
* Aggregate metadata, such as the number of messages in a group or volume of traffic between two users
* Aggregate metadata, such as the number of messages in a group or the volume of traffic between two users
* Intersection attacks (and related statistical attacks) to link users with nyms
* Intersection attacks (and related statistical attacks) to link users or Briar identities with other users or Briar identities

### Scope
### Scope
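Review bot: the rewritten last exclusion, "Intersection attacks (and related statistical attacks) to link users or Briar identities with other users or Briar identities", now excludes user-to-user and identity-to-identity linkage as well as the old user-to-nym linkage, which is a wider exclusion than a nym-to-Briar-identity rename implies. If the widening is intended, say here that only statistical linkage is excluded, because direct linkage of a user to a Briar identity stays in the model ("Which user owns a given Briar identity" remains an asset, and Phil's threats later read it by observing the user). If it is not intended, keep the narrower wording: "to link users with Briar identities".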
@@ -14,9 +14,9 @@ To keep the model tractable, the following aspects have been excluded:
* Briar Android app
* Briar Android app
* Tor, Bluetooth, and LAN transports
* Tor, Bluetooth, and LAN transports
* Single nym per user
* Single Briar identity per user
* Single device per user
* Single device per user
* Creating an account and a nym
* Creating a Briar identity
* Adding contacts via QR codes
* Adding contacts via QR codes
* Introductions
* Introductions
* Proposing/accepting/declining introductions
* Proposing/accepting/declining introductions
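Review bot: replacing "Creating an account and a nym" with "Creating a Briar identity" drops account creation from the in-scope actions, but the rest of the document still speaks of accounts: the intended-action rules parenthesise "(account creation)" and "(account deletion)", and Phil's section opens with "Phil can sign into Alice's account if:" and lists "Phil can brute-force the account credentials". Either keep the account step in scope ("Creating an account and a Briar identity") or rename it consistently everywhere; as it stands, the sign-in and credential threats refer to an action the scope no longer names.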
@@ -39,21 +39,13 @@ To keep the model tractable, the following aspects have been excluded:

#### Out of scope
#### Out of scope
* Briar desktop app
* Briar desktop app
* File, modem and WAN transports
* Removable drive transport
* Multi-block messages
* Attachments
* Attachments
* Private groups
* Private groups
* Multiple nyms per user
* Multiple Briar identities per user
* Multiple devices per user
* Multiple devices per user
* Adding contacts via Bluetooth discovery
* Verifying introduced contacts
* Anonymous forum posts
* Panic button
* Panic button
* Enabling/disabling transports
* Enabling/disabling transports
* Account backup and recovery
* Update mechanism
* Repeaters
* Other Bramble apps
* OS/hardware compromise
* OS/hardware compromise

### Actors
### Actors
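Review bot: "Verifying introduced contacts" is deleted from the out-of-scope list, but intended-action rule 11 still reads "Update: Disallowed (verifying contacts is out of scope)", so the rule now cites an exclusion the document no longer states; keep the bullet or update rule 11. More generally, eight bullets disappear here (multi-block messages, Bluetooth discovery, verifying introduced contacts, anonymous forum posts, account backup and recovery, update mechanism, repeaters, other Bramble apps) without any of them being added to the in-scope list in the previous hunk, and "File, modem and WAN transports" shrinks to "Removable drive transport", leaving modem and WAN transports neither in nor out of scope. Everything that is excluded should stay listed, or the in-scope list should gain it, so the scope boundary is closed.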
@@ -77,18 +69,20 @@ To keep the model tractable, the following aspects have been excluded:
* Number of two users' mutual contacts
* Number of two users' mutual contacts
* Identities of a user's contacts
* Identities of a user's contacts
* Identities of two users' mutual contacts
* Identities of two users' mutual contacts
* A user's participation in a group
* A user's membership in a group
* Social graph of nyms:
* Social graph of Briar identities:
* Existence of a contact relationship between two nyms
* Existence of a contact relationship between two Briar identities
* Number of a nym's contacts
* Number of a Briar identity's contacts
* Number of two nyms' mutual contacts
* Number of two Briar identities' mutual contacts
* Identities of a nym's contacts
* Identities of a Briar identity's contacts
* Identities of two nyms' mutual contacts
* Identities of two Briar identities' mutual contacts
* A nym's participation in a group
* A Briar identity's membership in a group
* Which user owns a nym
* Which user owns a given Briar identity
* Which nyms a user owns
* Which Briar identities a given user owns
* The fact that Briar is running on the user's device
* Which device a given Briar identity is stored on
* The fact that the user has a Briar account
* Which Briar identity is stored on a given device
* The fact that Briar is running on a given device
* The fact that a given user has a Briar identity

### Adversaries
### Adversaries
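Review bot: the two new assets "Which device a given Briar identity is stored on" and "Which Briar identity is stored on a given device" have no counterpart in the intended-actions rules, which still stop at 18 ("Which Briar identity a user owns"), nor in Phil's threat list, even though Phil's new "Taking images of device (filesystem, RAM, screenshots)" capability is the obvious way to read them; add create/read/update/delete rules and threats for both, or drop the assets. Also, "A user's participation in a group" and "A nym's participation in a group" become "membership" here, while rules 10 and 16 in the intended actions and in Phil's threats keep "participation"; pick one term and use it in all three places.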
@@ -105,7 +99,7 @@ Capabilities:
Capabilities:
Capabilities:
* RF monitoring
* RF monitoring
* Uplink monitoring
* Internet uplink monitoring
* Location monitoring
* Location monitoring
* Blocking/modifying communication streams
* Blocking/modifying communication streams
* Malware installation via network
* Malware installation via network
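Review bot: "Internet uplink monitoring" is a useful clarification, but "RF monitoring" on the line above stays unqualified; since the in-scope transports are Tor, Bluetooth and LAN, state whether RF monitoring means the Bluetooth and Wi-Fi links this adversary can see, so that each capability maps onto a listed transport. The same bullet appears in the next adversary's list and should be changed together with this one.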
@@ -114,8 +108,8 @@ Capabilities:
Capabilities:
Capabilities:
* RF monitoring
* RF monitoring
* Uplink monitoring
* Internet uplink monitoring
* Backbone monitoring
* Internet backbone monitoring
* Location monitoring
* Location monitoring
* Blocking/modifying communication streams
* Blocking/modifying communication streams
* Malware installation via network
* Malware installation via network
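Review bot: this adversary differs from the previous one only by "Internet backbone monitoring", and the exclusions at the top of the page rule out traffic analysis of Tor, so it is worth stating next to the capability what the model assumes backbone monitoring yields beyond what uplink monitoring already gives (the threats for this adversary are not part of this diff, so that cannot be checked here). If no threat uses the extra capability the two adversaries collapse into one; if one does, the difference should be visible in the capability list rather than implied.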
@@ -125,8 +119,8 @@ Capabilities:
Capabilities:
Capabilities:
* Physical surveillance
* Physical surveillance
* Accessing device/app while signed in
* Accessing device/app while signed in
* Coercing device/app sign in
* Coercing user to sign into device/app
* Taking image of device
* Taking images of device (filesystem, RAM, screenshots)
* Malware installation via physical access
* Malware installation via physical access

### Intended actions
### Intended actions
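Review bot: "Taking images of device (filesystem, RAM, screenshots)" mixes two capability classes. Filesystem and RAM imaging work against a locked device and imply that Phil can obtain stored or in-memory key material, whereas screenshots presuppose "Accessing device/app while signed in", which is already its own bullet two lines up. Split the imaging bullet accordingly, and reflect the imaging case in the "Phil can sign into Alice's account if:" list, which in this diff shows only the brute-force condition: an offline guess against a filesystem image is not rate-limited by the app and is a stronger attack than online guessing, so it deserves its own condition.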
@@ -179,49 +173,49 @@ Capabilities:
* Delete: Allowed if Alice is one of the users (account deletion)
* Delete: Allowed if Alice is one of the users (account deletion)
10. A user's participation in a group
10. A user's participation in a group
* Create: Allowed if Alice is the user, and either Alice created the group or the group has ever been shared with Alice
* Create: Allowed if Alice is the user, and either Alice created the group or the group has ever been shared with Alice
* Read: Allowed if Alice is the user. Allowed if Alice belongs to the group and the group is defined to have two members. Allowed if a message signed by the user's nym is sent to the group, following the rules for reading the metadata of a message and reading which user owns a nym
* Read: Allowed if Alice is the user. Allowed if Alice belongs to the group and the group is defined to have two members. Allowed if a message signed by the user's Briar identity is sent to the group, following the rules for reading the metadata of a message and reading which user owns a Briar identity
* Update: Disallowed
* Update: Disallowed
* Delete: Allowed if Alice is the user
* Delete: Allowed if Alice is the user
11. Existence of a contact relationship between two nyms:
11. Existence of a contact relationship between two Briar identities:
* Create: Allowed if Alice owns one of the nyms and the other owner agrees (contact creation/introduction)
* Create: Allowed if Alice owns one of the Briar identities and the other owner agrees (contact creation/introduction)
* Read: Allowed if Alice owns one of the nyms. Allowed if Alice and the owners form an introduction triad. Allowed if Alice is a contact of one of the owners, and that user proposes an introduction between Alice and the other owner
* Read: Allowed if Alice owns one of the Briar identities. Allowed if Alice and the owners form an introduction triad. Allowed if Alice is a contact of one of the owners, and that user proposes an introduction between Alice and the other owner
* Update: Disallowed (verifying contacts is out of scope)
* Update: Disallowed (verifying contacts is out of scope)
* Delete: Allowed if Alice owns one of the nyms (contact deletion)
* Delete: Allowed if Alice owns one of the Briar identities (contact deletion)
12. Number of a nym's contacts
12. Number of a Briar identity's contacts
* Create: Allowed if Alice owns the nym and the number is zero (account creation)
* Create: Allowed if Alice owns the Briar identity and the number is zero (account creation)
* Read: Allowed if Alice owns the nym. Allowed to read a lower bound using the rules for reading the existence of a contact relationship between nyms
* Read: Allowed if Alice owns the Briar identity. Allowed to read a lower bound using the rules for reading the existence of a contact relationship between Briar identities
* Update: Allowed to increment/decrement using the rules for creating/deleting a contact relationship between nyms
* Update: Allowed to increment/decrement using the rules for creating/deleting a contact relationship between Briar identities
* Delete: Allowed if Alice owns the nym (account deletion)
* Delete: Allowed if Alice owns the Briar identity (account deletion)
13. Number of two nyms' mutual contacts
13. Number of two Briar identities' mutual contacts
* Create: Allowed if Alice owns one of the nyms and the number is zero (account creation)
* Create: Allowed if Alice owns one of the Briar identities and the number is zero (account creation)
* Read: Allowed to read a lower bound using the rules for reading the existence of a contact relationship between nyms
* Read: Allowed to read a lower bound using the rules for reading the existence of a contact relationship between Briar identities
* Update: Allowed to increment if Alice owns one of the nyms, and Alice is a contact of the other owner, and the other owner agrees, and the new mutual contact agrees (introduction). Allowed to decrement if Alice owns one of the nyms, and Alice and the other owner belong to an introduction triad (contact deletion)
* Update: Allowed to increment if Alice owns one of the Briar identities, and Alice is a contact of the other owner, and the other owner agrees, and the new mutual contact agrees (introduction). Allowed to decrement if Alice owns one of the Briar identities, and Alice and the other owner belong to an introduction triad (contact deletion)
* Delete: Allowed if Alice owns one of the nyms (account deletion)
* Delete: Allowed if Alice owns one of the Briar identities (account deletion)
14. Identities of a nym's contacts
14. Identities of a Briar identity's contacts
* Create: Allowed if Alice owns the nym and the set of contacts is empty (account creation)
* Create: Allowed if Alice owns the Briar identity and the set of contacts is empty (account creation)
* Read: Allowed if Alice owns the nym. Allowed to read a subset using the rules for reading the existence of a contact relationship between nyms
* Read: Allowed if Alice owns the Briar identity. Allowed to read a subset using the rules for reading the existence of a contact relationship between Briar identities
* Update: Allowed to add/subtract using the rules for creating/deleting a contact relationship between nyms
* Update: Allowed to add/subtract using the rules for creating/deleting a contact relationship between Briar identities
* Delete: Allowed if Alice owns the nym (account deletion)
* Delete: Allowed if Alice owns the Briar identity (account deletion)
15. Identities of two nyms' mutual contacts
15. Identities of two Briar identities' mutual contacts
* Create: Allowed if Alice owns one of the nyms and the set of mutual contacts is empty (account creation)
* Create: Allowed if Alice owns one of the Briar identities and the set of mutual contacts is empty (account creation)
* Read: Allowed to read a subset using the rules for reading the existence of a contact relationship between nyms
* Read: Allowed to read a subset using the rules for reading the existence of a contact relationship between Briar identities
* Update: Allowed to add if Alice owns one of the nyms, and Alice is a contact of the other owner, and the other owner agrees, and the new mutual contact agrees (introduction). Allowed to subtract if Alice owns one of the nyms, and Alice and the other owner belong to an introduction triad (contact deletion)
* Update: Allowed to add if Alice owns one of the Briar identities, and Alice is a contact of the other owner, and the other owner agrees, and the new mutual contact agrees (introduction). Allowed to subtract if Alice owns one of the Briar identities, and Alice and the other owner belong to an introduction triad (contact deletion)
* Delete: Allowed if Alice owns one of the nyms (account deletion)
* Delete: Allowed if Alice owns one of the Briar identities (account deletion)
16. A nym's participation in a group
16. A Briar identity's participation in a group
* Create: Allowed if Alice owns the nym, and either Alice created the group or the group has ever been shared with Alice
* Create: Allowed if Alice owns the Briar identity, and either Alice created the group or the group has ever been shared with Alice
* Read: Allowed if Alice owns the nym. Allowed if Alice belongs to the group and the group is defined to have two members. Allowed if a message signed by the nym is sent to the group, following the rules for reading the metadata of a message
* Read: Allowed if Alice owns the Briar identity. Allowed if Alice belongs to the group and the group is defined to have two members. Allowed if a message signed by the Briar identity is sent to the group, following the rules for reading the metadata of a message
* Update: Disallowed
* Update: Disallowed
* Delete: Allowed if Alice owns the nym
* Delete: Allowed if Alice owns the Briar identity
17. Which user owns a nym
17. Which user owns a Briar identity
* Create: Allowed if Alice is the user and the nym is being created (account creation)
* Create: Allowed if Alice is the user and the Briar identity is being created (account creation)
* Read: Allowed if Alice owns the nym. Allowed if Alice is a contact of the owner
* Read: Allowed if Alice owns the Briar identity. Allowed if Alice is a contact of the owner
* Update: Disallowed
* Update: Disallowed
* Delete: Allowed if Alice owns the nym (account deletion)
* Delete: Allowed if Alice owns the Briar identity (account deletion)
18. Which nym a user owns
18. Which Briar identity a user owns
* Create: Allowed if Alice is the user and the nym is being created (account creation)
* Create: Allowed if Alice is the user and the Briar identity is being created (account creation)
* Read: Allowed if Alice owns the nym. Allowed if Alice is a contact of the owner
* Read: Allowed if Alice owns the Briar identity. Allowed if Alice is a contact of the owner
* Update: Disallowed
* Update: Disallowed
* Delete: Allowed if Alice owns the nym (account deletion)
* Delete: Allowed if Alice owns the Briar identity (account deletion)

### Threats
### Threats
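Review bot: rules 10 and 16 keep the headings "A user's participation in a group" and "A Briar identity's participation in a group", while the asset list in this same commit renames both to "membership"; the headings should follow the asset list. In rules 12 to 18 the "(account creation)" and "(account deletion)" parentheticals now describe creating or deleting a Briar identity, because "Creating an account and a nym" became "Creating a Briar identity" in the scope list; say "(identity creation)" and "(identity deletion)" or restore the account step in scope. Rule 18's heading "Which Briar identity a user owns" is singular where the asset list says "Which Briar identities a given user owns"; singular is right under the single-identity scope, so align the asset list with the rule rather than the other way round.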
@@ -243,7 +237,7 @@ Capabilities:
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users
9. Identities of two users' mutual contacts
9. Identities of two users' mutual contacts
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users
10. The fact that users have Briar accounts and are running Briar
10. The fact that users have Briar identities and are running Briar
* Read: Possible to observe users adding each other as contacts via the local network
* Read: Possible to observe users adding each other as contacts via the local network

#### Attacker: Rex, a remote network attacker
#### Attacker: Rex, a remote network attacker
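Review bot: threat 10 still bundles "users have Briar identities" and "are running Briar" into one item, while the asset list in this commit splits them into "The fact that a given user has a Briar identity", "The fact that Briar is running on a given device" and the two device-to-identity bindings; split the threat to match and say which of those assets the local-network observation actually reveals (seeing two devices add each other shows Briar running on those devices, not by itself which user holds which identity). It would also help to state whether "adding each other as contacts via the local network" means the connection made after the QR-code exchange, which is the only in-scope way of adding contacts now that Bluetooth discovery is out of scope.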
@@ -287,7 +281,7 @@ Phil can sign into Alice's account if:
* Phil can brute-force the account credentials
* Phil can brute-force the account credentials
5. Existence of a contact relationship between two users
5. Existence of a contact relationship between two users
* Read: Possible if Phil observes the users adding each other as contacts. Possible using the rules for Alice, and the rules for reading which user owns a nym, if Phil observes Alice using the app
* Read: Possible if Phil observes the users adding each other as contacts. Possible using the rules for Alice, and the rules for reading which user owns a Briar identity, if Phil observes Alice using the app
6. Number of a user's contacts
6. Number of a user's contacts
* Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users. Possible using the rules for Alice, if Phil observes Alice using the app
* Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users. Possible using the rules for Alice, if Phil observes Alice using the app
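Review bot: rules 5 and 6 make "if Phil observes Alice using the app" the condition for exercising Alice's own rules, but Phil's capability list uses different words for that situation, "Accessing device/app while signed in" and "Coercing user to sign into device/app", and the sign-in conditions above name only credential brute-forcing. Phrase the condition in terms of the listed capabilities (signed-in access, coerced sign-in, or a successful brute force) so that each threat traces to a capability; "observes Alice using the app" reads as shoulder-surfing, which is a weaker assumption than the capabilities actually granted.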
@@ -296,7 +290,7 @@ Phil can sign into Alice's account if:
* Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users. Possible to read a lower bound using the rules for Alice, if Phil observes Alice using the app
* Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users. Possible to read a lower bound using the rules for Alice, if Phil observes Alice using the app
8. Identities of a user's contacts
8. Identities of a user's contacts
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users. Possible using the rules for Alice, and the rules for reading which user owns a nym, if Phil observes Alice using the app
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users. Possible using the rules for Alice, and the rules for reading which user owns a Briar identity, if Phil observes Alice using the app
9. Identities of two users' mutual contacts
9. Identities of two users' mutual contacts
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users. Possible to read a subset using the rules for Alice, if Phil observes Alice using the app
* Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users. Possible to read a subset using the rules for Alice, if Phil observes Alice using the app
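Review bot: rule 8 includes "and the rules for reading which user owns a Briar identity" in its second path, but rule 9 (identities of two users' mutual contacts) and the Read bullet at the top of this hunk leave that step out although they also go through "the rules for Alice". If Alice's corresponding rules are expressed in terms of Briar identities, as rules 14 and 15 of the intended actions are, the owner-mapping step is needed in 9 as well; if it is not, rule 8 should say why it alone needs it. Make the three bullets parallel either way.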
@@ -304,26 +298,26 @@ Phil can sign into Alice's account if:
10. A user's participation in a group
10. A user's participation in a group
* Read: Possible if Phil observes the user using the app. Possible using the rules for Alice, if Phil observes Alice using the app
* Read: Possible if Phil observes the user using the app. Possible using the rules for Alice, if Phil observes Alice using the app
11. Existence of a contact relationship between two nyms:
11. Existence of a contact relationship between two Briar identities:
* Read: Possible using the rules for reading the existence of a contact relationship between two users, and the rules for reading which user owns a nym. Possible using the rules for Alice, if Phil observes Alice using the app
* Read: Possible using the rules for reading the existence of a contact relationship between two users, and the rules for reading which user owns a Briar identity. Possible using the rules for Alice, if Phil observes Alice using the app
12. Number of a nym's contacts
12. Number of a Briar identity's contacts
* Read: Possible using the rules for reading the number of a user's contacts, and the rules for reading which user owns a nym. Possible using the rules for Alice, if Phil observes Alice using the app
* Read: Possible using the rules for reading the number of a user's contacts, and the rules for reading which user owns a Briar identity. Possible using the rules for Alice, if Phil observes Alice using the app
13. Number of two nyms' mutual contacts
13. Number of two Briar identities' mutual contacts
* Read: Possible using the rules for reading the number of two users' mutual contacts, and the rules for reading which user owns a nym. Possible using the rules for Alice, if Phil observes Alice using the app
* Read: Possible using the rules for reading the number of two users' mutual contacts, and the rules for reading which user owns a Briar identity. Possible using the rules for Alice, if Phil observes Alice using the app
14. Nyms of a nym's contacts
14. Briar identities of a Briar identity's contacts
* Read: Possible using the rules for reading the identities of a user's contacts, the rules for reading which user owns a nym, and the rules for reading which nym a user owns. Possible using the rules for Alice, if Phil observes Alice using the app
* Read: Possible using the rules for reading the identities of a user's contacts, the rules for reading which user owns a Briar identity, and the rules for reading which Briar identity a user owns. Possible using the rules for Alice, if Phil observes Alice using the app
15. Nyms of two nyms' mutual contacts
15. Briar identities of two Briar identities' mutual contacts
* Read: Possible using the rules for reading the identities of two users' mutual contacts, the rules for reading which user owns a nym, and the rules for reading which nym a user owns. Possible using the rules for Alice, if Phil observes Alice using the app
* Read: Possible using the rules for reading the identities of two users' mutual contacts, the rules for reading which user owns a Briar identity, and the rules for reading which Briar identity a user owns. Possible using the rules for Alice, if Phil observes Alice using the app
16. A nym's participation in a group
16. A Briar identity's participation in a group
* Read: Possible if Phil observes the nym's owner using the app. Possible using the rules for Alice, if Phil observes Alice using the app
* Read: Possible if Phil observes the Briar identity's owner using the app. Possible using the rules for Alice, if Phil observes Alice using the app
17. Which user owns a nym
17. Which user owns a Briar identity
* Read: Possible if Phil observes the user using the app. Possible using the rules for Alice, if Phil observes Alice using the app
* Read: Possible if Phil observes the user using the app. Possible using the rules for Alice, if Phil observes Alice using the app
18. Which nym a user owns
18. Which Briar identity a user owns
* Read: Possible if Phil observes the user using the app. Possible using the rules for Alice, if Phil observes Alice using the app
* Read: Possible if Phil observes the user using the app. Possible using the rules for Alice, if Phil observes Alice using the app
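Review bot: the renamed headings of rules 14 and 15, "Briar identities of a Briar identity's contacts" and "Briar identities of two Briar identities' mutual contacts", no longer match the intended-action headings for the same assets, "Identities of a Briar identity's contacts" and "Identities of two Briar identities' mutual contacts", so the two sections can no longer be cross-referenced by name; use the same wording in both. Rules 17 and 18 also make the owner mapping readable only "if Phil observes the user using the app", but with the new "Taking images of device (filesystem, RAM, screenshots)" capability a filesystem or RAM image of the device is a second path to "Which Briar identity is stored on a given device", which is an asset this commit adds without giving it a threat here.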