Key management draft, should be revised
Condensation is based on fully distributed key management with ephemeral keys.
To start using Condensation, a user (or service) generates a key pair on its device. The public key is serialized and submitted to the user's Condensation stores, while the private key is stored on the device.
If the user owns multipled devices, this procedure is repeated on each device.
Each device then announces the list of all public keys and accounts on its public card. The device's own public key is usually at the top of this list:
Adding a new device
To add a device, a new key pair is generated on the new device, and added to all public cards of the user.
Note that the public cards are not consistent at all times. Since only the most recent card is used, this is not a problem.
Removing a device
To remove a device, its key is is removed from all public cards, and its private key is destroyed.
The old public card is left in place for some time, so that any key discovery starting with this account is redirected to the new set of devices.
To discover the public keys of a user, it is necessary to know at least one account (store and hash). One then reads all public cards, picks the newest one, and extracts the new account list from there. This is repeated until no newer public card is found:
The keys on the most recent card are the current keys of the user.
Note that the initial account (or key) may not be part of the final list.
Since private keys only live as long as the device is part of a user, they are inherently ephemeral. Hence, Condensation is forward-secret to the frequency at which devices are replaced.
To increase this frequency, keys can be rotated. A device thereby generates a new key pair, adds this new key to the user, and subsequently removes the old key.
If a device is stolen or compromised, it may not be possible to destroy its private key. Despite removing the device from the user, the thief may read old versions of the private data, and modify the public card. The user is thus separated into two different users:
An outsider (e.g., a friend) is not able to tell which of the two users belongs to you. (The thief could also have stolen devices D2 and D3.) Is is therefore necessary to inform friends through a different channel to reestablish full trust.
In practice, there are a number of ways to prevent or resolve such a situation:
- Private keys may be protected with a password or a fingerprint, making it harder for the thief to recover them.
- Using remote wipe, the private key can be destroyed.
- If the Condensation store is under your control, you can block the stolen key there, and prevent the public card from being modified. This makes it significantly harder for a thief to use the key for a practical attack.
Private keys never leave the device, and are not backed up. In fact, a lost private key is not critical, as long as the data itself has been backed up properly.