barry/ZKAC
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ZKAC/docs/SECURITY.md
everbarry 5946b69c8b v bump
2026-05-06 17:47:35 +02:00

3.5 KiB
Raw Blame History

Security model (ZKAC 0.7.1)

This document summarizes the direct peer-to-peer grant model, with transcript-bound BBS+ authorization (Option C).

Goals

  • MITM-safe transport using transcript-bound authentication.
  • Anonymous-authorized grant sender: recipient verifies sender is a valid admin for the target registry, without requiring a stable sender identifier.
  • End-to-end credential confidentiality from sender to recipient.
  • Replay and downgrade resistance on the encrypted transport channel.

Cryptographic components

  • Transport: X25519 ephemeral DH, HKDF-SHA256, ChaCha20-Poly1305.
  • Identity proofing: Schnorr signatures on Ristretto255 over session transcript.
  • Authorization proofs: BBS+ presentations over BLS12-381.
  • Registry integrity: certified RegistryState with BBS+ admin proof checks.
  • Grant payload encryption: X25519 + HKDF-SHA256 + ChaCha20-Poly1305 issuance envelope.
    • The issuance envelope format is nonce || ciphertext where nonce is a random 96-bit value generated per message.
    • KDF context is direction-separated (user->admin vs admin->user) to avoid cross-direction key reuse.

Direct p2p grant flow

  1. Sender and recipient establish an encrypted peer session.
  2. Sender prepares a blind-issued credential payload for recipient and encrypts it with recipient issuance key material.
  3. Sender transmits:
    • encrypted payload,
    • certified registry state snapshot,
    • transcript-bound admin BBS+ proof.
  4. Recipient verifies:
    • registry state certificate,
    • restored registry ID matches the announced outer registry_id,
    • admin proof bound to current session transcript.
  5. Recipient decrypts payload and enforces binding checks:
    • payload registry_id equals authenticated outer registry_id,
    • payload role matches announced role metadata,
    • reconstructed credential verifies against the certified registry state (verify_presentation) before storage.
  6. Recipient stores credential only after all checks pass.

Threat model

  • Passive network attacker:
    • Cannot recover plaintext or keys without breaking X25519/ChaCha20-Poly1305 assumptions.
  • Active MITM:
    • Cannot relay proofs across sessions because authorization proof nonce is session transcript hash.
    • Cannot impersonate peer without required long-term key/proof material.
  • Malicious sender without admin credential:
    • Rejected during transcript-bound BBS+ admin verification.
  • Malicious recipient:
    • Can only decrypt payloads addressed to its issuance key.
  • Replay:
    • Rejected by session replay protections (monotonic counter + replay window).

Security properties and limits

  • anonymous_authorized mode:
    • Recipient learns sender is authorized for the registry, not a mandatory stable real-world identity.
    • Network metadata (IP/endpoint timing) is still visible to direct peers.
  • Grant-context binding:
    • Recipient rejects grants where outer authenticated context and inner decrypted payload disagree.
    • Recipient rejects credential material that does not verify against the supplied certified registry state.
  • Registry freshness:
    • Recipient verifies cryptographic validity of received state; deployment policy should define freshness expectations.
  • Key management remains operationally critical:
    • Protect admin/BBS+ secret material and transport keys.

Operational guidance

  • Pin or verify peer transport keys out-of-band before first direct grant exchange.
  • Rotate compromised keys and re-issue credentials with epoch/state updates.
  • Do not log credential secrets, issuance secret keys, or raw proof material.