[taler-anastasis] branch master updated: polish introduction

[gnunet]

This is an automated email from the git hooks/post-receive script.

grothoff pushed a commit to branch master
in repository anastasis.

The following commit(s) were added to refs/heads/master by this push:
     new 920e194  polish introduction
920e194 is described below

commit 920e194efb84c31967f146b9b0956d5662bca5a1
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Sat Jun 6 23:02:50 2020 +0200

    polish introduction
---
 doc/thesis/introduction.tex | 229 +++++++++++++++++++++++++++++++++-----------
 1 file changed, 172 insertions(+), 57 deletions(-)

diff --git a/doc/thesis/introduction.tex b/doc/thesis/introduction.tex
index bd1c859..cd3e29a 100644
--- a/doc/thesis/introduction.tex
+++ b/doc/thesis/introduction.tex
@@ -1,50 +1,67 @@
 \section{Introduction}
 
-Secure storage of private cryptographic keys or in general every kind
-of core secret is a big problem.
-
-But how should one create and manage such a backup of a key? It
-certainly makes no sense to encrypt a key with a different password
-and then use the result as a backup. After all, this password can also
-be forgotten. Apart from that, the question arises how or where to
-save such a backup. A simple storage on e.g. Google Drive bears
-several risks: On the one hand, we are talking about Google, a company
-that is known to cooperate with certain authorities, and on the other
-hand, the cloud storage may be synchronized on several devices, to
-which someone else could possibly gain access. Unfortunately, to the
-best of our knowledge, there is no backup solution for keys that works
-password-less while giving the user complete control over his data.
-
-
-
-Most current key management systems
-just reduce the problem of memorizing a high-entropy passphrase or key
-to memorizing a low-entropy passphrase. This of course cannot be the
-solution because you undermine the whole security of a cryptographic
-system using such solutions. Key management systems have to deal with
-the question, how to store a key. Keys are used to encrypt high
-sensitive personal data and therefore they must be kept safely. Only
-the legitimated owner of a key should have the possibility to recover
-a lost key. Most people have difficulties memorizing a high-entropy
-passphrase and therefore tend to use low-entropy passphrases. That is
-why you can't rely on memorizing a password which is needed to recover
-a key. We have a software solution for the described problem. We call
-our solution ``Anastasis'' which is a term for the prognosis of
-full recovery in medicine.
+Keys are used to encrypt high sensitive personal data and therefore
+they must be kept safely.  Secure storage of private keys is known to
+be a difficult problem --- especially for end-users with limited
+skills in system administration and insufficiently redundant hardware.
+A central objective for any solution is that only the legitimated
+owner of a key must have the possibility to recover a lost key.
+
+But how can one create a confidential backup of a key? It certainly
+makes no sense to encrypt a key with a different password and then use
+the result as a backup. After all, this merely shifts the problem from
+the original key to the password, which is bascially yet another key.
+So simply encrypting the key is not helpful.  But without encryption,
+any copy of a key increases availability, but also the risk of the
+key's confidentiality being compromised.
+
+Most people have difficulties memorizing a high-entropy
+passphrase. Hence, existing key management ``solutions'' often reduce
+the problem of memorizing one or more high-entropy passphrases or keys
+to memorizing a single low-entropy passphrase. This is not a good
+solution, as the low-entropy passphrase undermines security.
+
+In this thesis, we describe a software solution for the described
+problem using secret splitting.  We call our solution ``Anastasis'',
+which is a medical term for the prognosis of full recovery.  We will
+call the information that Anastasis allows the user to recover their
+{\em core secret}.
 
 \subsection{Principles}
-For Anastasis we have following design principles, in order of importance:
+
+For Anastasis we have following design objectives, in order of importance:
+
 \begin{enumerate}
-       \item Anastasis must be Free Software.
-       \item Anastasis must not rely on the trustworthiness of individual 
providers. It must be possible to use Anastasis safely even if an individual 
provider is compromised. Anastasis must minimize the amount of information 
exposed to providers and the network.
-       \item The user is in control.
-       \item The system must be economical viable to operate. This implies 
usability and efficiency of the system.
-       \item Anastasis must support a diverse range of use cases.
+ \item Anastasis must be Free Software. Everyone must have the right to
+   run the program, study the source code, make modifications and share
+   their modifications with others.
+ \item Anastasis must not rely on the trustworthiness of individual providers.
+   It must be possible to use Anastasis safely, even if a subset of the
+   providers is malicious. Anastasis must minimize the amount of information
+   exposed to providers and the network.
+ \item Anastasis must put the user in control: They get to decide which
+   providers to use, and which combinations of authentication steps will
+   be required to restore their core secret. The core secret always remains 
exclusively
+   under the user's control, even during recovery.
+ \item Anastasis must be economical viable to operate. This implies usability
+   and efficiency of the system.
+ \item Anastasis must support a diverse range of use cases.
 \end{enumerate}
 
-\subsection{Approaches}
+
+\subsection{Approach}
+
 \subsubsection*{Secret sharing and recovery}
-Our approach to solve the problem of key management is to let the user split 
their secret across multiple escrow providers (see 
figure~\ref{fig:system_arch2}). To restore the secret again, the user has to 
follow standard authentication procedures. After successful authentication the 
user gets the secret shares to reassemble the secret.
+
+Our approach to solve the problem of key recovery is to let the user
+split their core secret across multiple escrow providers (see
+Figure~\ref{fig:system_arch2}). To recover their core secret, the user has to
+authorize key the recovery, usually by passing an authentication check
+which they configured for the respective provider.
+
+After successful authentication the user receives the secret shares
+and is able to reassemble their core secret locally on their computer.
+
 \begin{figure}[H]
 \centering
 \includegraphics[scale=0.33]{images/system-architecture_2.png}
@@ -53,35 +70,89 @@ Our approach to solve the problem of key management is to 
let the user split the
 \end{figure}
 
 \subsubsection*{Derive user identifier}
-Every person has some hard to guess, semi-private and unforgettably inherent 
attributes such as name and passport number, social security number or AHV 
number (in Switzerland). We use those attributes to derive an user identifier 
from (see figure~\ref{fig:user_id}).
+
+Every person has some hard to guess, semi-private and unforgettable
+inherent attributes such as name and passport number, social security
+number or AHV number (in Switzerland).  We use those attributes to
+improve the security and privacy provided by of Anastasis.  Basically,
+these attributes serve as weak key material, raising the bar for
+attackers without the availability disadvantages of passphrases ---
+which users may forget.  Anastasis derives a ``user identifier'' from
+such a set of unforgettable attributes (see Figure~\ref{fig:user_id}).
+
 \begin{figure}[H]
 \centering
 \includegraphics[scale=0.3]{images/user_id.png}
-\caption{Derivation of user identifier}
+\caption{Derivation of a user identifier}
 \label{fig:user_id}
 \end{figure}
 
+\subsubsection*{Encrypt and encrypt and encrypt}
+
+Anastasis uses several layers of encryption. First, the user's core
+secret is encrypted with a master key. The master key is encrypted
+with various policy keys. The policy keys are derived from various
+secrets which are encrypted and distributed across various providers
+together with information about the desired recovery authorization
+procedure. This last encryption is done based on keys derived from the
+user identify.  These many layers of encryption are designed to
+distribute trust and to minimize or delay information disclosure.
+
+\subsubsection*{Private payments are integrated}
+
+The Anastasis protocol includes provisions for privacy-preserving
+electronic payments to the service providers, as well as resource
+limitations to protect service providers against resource exhaustion
+attacks.  This ensures that it should be possible to operate the
+service commercially.
+
+
 \subsection{Use cases}
-There are several applications which are in need of a key escrow system like 
Anastasis. Some of them shall be introduced in this section.
+
+There are several applications which are in need of a key escrow
+system like Anastasis. Some of them shall be introduced in this
+section.
 
 \subsubsection{Encrypted email communication}
-\subsubsection*{PGP}
-For email encryption using Pretty Good Privacy (PGP)~\cite{garfinkel1995} you 
need a private key which is stored to the device running PGP. Losing the PGP 
private key means following: All received emails which are encrypted with a key 
derived from the private key are unreadable and you need to build your trust 
network again. Because emails could contain high sensitive information, it is 
necessary to be able to store the PGP private key securely.
 
-\subsubsection*{p\equiv p}
-Pretty Easy privacy (short p\equiv p) is "a cyber security solution which 
protects the confidentiality and reliability of communications for citizens, 
for public offices and for enterprises"~\cite{pepdoc}. It secures communication 
via email by providing an end-to-end cryptography. For this the software uses a 
private key. The impact of losing the private key is similar to those of PGP.\\
+For email encryption using Pretty Good Privacy
+(PGP)~\cite{garfinkel1995} users need a private key which is typically
+stored on the device running PGP.  PGP uses a ``Web of trust'' to
+establish the authenticity of keys.
+
+Pretty Easy privacy (short p\equiv p) is ``a cyber security solution
+which protects the confidentiality and reliability of communications
+for citizens, for public offices and for
+enterprises''~\cite{pepdoc}. It secures communication via email by
+providing end-to-end encryption similar to PGP.  A major difference is
+that p\equiv p uses opportunistic encryption and so-called trustwords
+to etablish authenticity to avoid usability and privacy problems
+associated with the ``Web of trust''.
+
+The impact of losing control over the private key is similar in both
+systems:
+
+\begin{itemize}
+  \item If the private key becomes unavailable, all emails which were
+encrypted to that key become unreadable. Furthermore, the user would
+likely need to rebuild their ``Web of trust''.
+  \item If the private key is
+disclosed to an adversary, they might be able to decrypt that user's
+encrypted emails -- which may go back years and could include highly
+sensitive information.  An adversary could also use the private key
+to send cryptographically signed emails pretending to be the user.
+\end{itemize}
+
 
 \subsubsection{Digital currencies and payment solutions}
-\subsubsection*{Bitcoin}
 
 Another application relying on a core secret are cryptocurrencies like
-Bitcoin. Each user of Bitcoin needs a so called Wallet which stores
+Bitcoin. Each user of Bitcoin needs an electronic wallet which stores
 and protects the private keys of the user. Those private keys
 legitimate its owners to spend the bitcoins corresponding to the
 keys~\cite{LLLW*2017}.
 
-
-Loosing Bitcoin wallet keys means losing all the corresponding
+Loosing Bitcoin wallet keys means losing all of the corresponding
 Bitcoins.  The reader may be familiar with stories from the mass media
 about people who claim to have lost their key to their electronic
 wallet and therefore huge sums of
@@ -89,7 +160,8 @@ cryptocurrency~\cite{millions_lost}. Backup systems are 
essential to
 avoid such cases.
 
 The following graphic illustrates the keys used in Bitcoin
-wallets. In this case Anastasis would store the master key $m$:
+wallets. In this case, the core secret Anastasis would store
+is the ``master key'' $m$:
 
 \begin{figure}[H]
        \centering
@@ -98,12 +170,55 @@ wallets. In this case Anastasis would store the master key 
$m$:
        \label{fig:bitcoin_keys}
 \end{figure}
 
-\subsubsection*{Taler}
-Taler is a new electronic instant payment system for privacy-friendly online 
transactions. Their digital wallets are storing electronic coins and are 
protected with a private key which loss means losing all the money stored in 
the wallet. Therefor the ECB (European Central Bank) informed Taler Systems SA 
about the requirement for electronic wallets denominated in Euros to support 
password-less data recovery. From this impulse the project Anastasis was 
finally born.
+GNU Taler is a new electronic instant payment system for
+privacy-friendly online transactions. The GNU Taler digital wallets are
+storing electronic coins, and backups are protected with a key.
+Loosing the backup key means losing all the money stored in the wallet,
+as well as the transaction history kept in the wallet.
+
+The European Central Bank (ECB) informally informed Taler Systems SA
+about the requirement for electronic wallets denominated in Euros to
+support password-less data recovery to ensure users would not loose
+their electronic funds if their device were to be damaged or lost.
+
+This was the key impulse which motivated us to create Anastasis,
+with the goal of enabling recovery of GNU Taler's backup keys via
+Anastasis.
+
+
+\subsubsection{Password managers}
+
+To avoid using low-entropy passwords and password reuse, some people
+use software password managers like
+KeePass\footnote{\url{https://keepass.info/}}. Such password managers
+relieve you of the burden of remembering many passwords and in most
+cases allow the generation of high-entropy passwords.
+
+The user only has to remember the password for the password
+manager. However, as discussed before, this is still a major problem:
+\begin{itemize}
+  \item On the one hand, users could use an insecure, easy to
+remember password. In this case, an adversary gaining control
+over the password manager's database could break into all systems
+secured by keys managed by the password manager.
+\item On the other hand, users could use a complex, high-entropy
+  passphrase.  However, if that passphrase is forgotten, users
+  face the loss of all passwords and thus also all online
+  services that the password manager controlled for them.
+\end{itemize}
+
+Anastasis can be used to enable recovery of strong passphrases,
+such as those that should be used to secure password managers.
 
-\subsubsection{Password manager}
-To avoid using low-entropy passwords and password reuse some people use 
software password managers like KeePass\footnote{\url{https://keepass.info/}}. 
Those password managers relieve you of the burden of remembering many passwords 
and in most cases allow the generation of high-entropy passwords. The user only 
has to remember the password for the password manager. And this exactly is the 
problem: On the one hand, many users will tend to use an insecure, easy to 
remember password even in t [...]
-Anastasis can store the passwords for password managers.
 
 \subsubsection{Hard drive encryption}
-Many companies need to backup high sensitive data to be able to recover them 
in an emergency case. Those backups are often stored at external hard drives 
which are encrypted using software like BitLocker~\cite{bitlocker}. For 
encryption and decryption of the hardware additionally to the Trusted Platform 
Module (TPM)~\cite{bajikar2002} of the computer or a key file often a password 
is needed. In case of loosing a key file or a password, Anastasis can save from 
data loss.
+
+Data at rest is often protected using (full) drive encryption, for
+example using software like
+LUKS~\footnote{\url{https://guardianproject.info/archive/luks/}}.  For
+encryption and decryption of the drive a combination of key files,
+passphrasea and Trusted Platform Modules (TPMs)~\cite{bajikar2002} are
+used.
+
+Anastasis can be used to backup and restore such key files or
+passphrases.

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.