Version 1
High-Level Security Model
This document outlines the comprehensive security framework governing ShadowTalk, including threat assumptions, cryptographic primitives, data handling rules, and device protection layers. It defines how ShadowTalk achieves trustless, serverless communication with provable zero metadata exposure.
1. Core Security Philosophy
Zero trust by design
No component (client, relay, or developer) is inherently trusted.
End-to-end sovereignty
Users own their cryptographic identity and control all message flow.
Serverless integrity
Messages are never stored or routed through central systems.
Defense-in-depth
Encryption, authentication, enclave storage, and revocation layers reinforce each other.
Human-level fail-safes
Duress PIN, session wipe, and optional decoy modes reduce coercion risk.
2. Threat Model
| Category | Adversary | Goal | Defense Mechanism |
|---|---|---|---|
| Passive Network Observer | ISP, carrier, compromised Wi-Fi | Traffic correlation, metadata analysis | Encrypted wake tokens via Tor/UnifiedPush; constant-size packets; indistinguishable noise generation |
| Active Network Attacker | MITM injecting/replaying packets | Replay, downgrade, impersonation | Nonce-based replay protection, signature verification, ephemeral DH handshakes |
| Compromised Relay / Push Distributor | Hostile server or ntfy node | Message inspection or metadata harvesting | Only opaque encrypted wake tokens; no sender/receiver identifiers; rotating relay endpoints |
| Device Thief / Law Enforcement Seizure | Physical access | Extract keys or pending messages | Hardware key storage (StrongBox / Secure Enclave), biometric gate, duress wipe |
| Malicious Insider / Developer | Rogue admin, compromised update | Supply-chain injection | Reproducible builds, public hashes, code signing, optional offline app sideload verification |
| Mass Surveillance / State-level Actor | Data correlation, timing analysis | Social graph inference | Onion routing + randomized ping delays; multiple dummy traffic modes |
| User Coercion / Compelled Disclosure | Forced unlock or PIN entry | Data exfiltration under duress | Duress PIN triggers key wipe + signed network revocation |
3. Cryptographic Architecture
| Layer | Algorithm | Function |
|---|---|---|
| Identity Signing | Ed25519 | Long-term identity proof |
| Ephemeral Sessions | X25519 / ChaCha20-Poly1305 | Forward secrecy and transport confidentiality |
| Wake Tokens | Ed25519 (sign) + XChaCha20 | Authenticated pings/pongs |
| Queue Encryption | AES-256-GCM | Local message queue protection |
| Derivation | HKDF + Argon2id | Salted handle hashing and key stretching |
| Storage Encryption | Android Keystore / iOS Secure Enclave | Hardware-level protection |
Forward Secrecy: Session keys are rotated per message. Each Ping-Pong exchange derives new ephemeral keys, ensuring that even full compromise of a device cannot decrypt prior traffic.
6. Data Lifecycle
| Stage | Stored | Encrypted | TTL |
|---|---|---|---|
| Message queued | Sender device | Yes (queue key) | ≤7 days |
| Wake token | Relay/transport | Yes (wake key) | ≤1 hour |
| Delivered message | Receiver memory only | Yes (session key) | Erased after view |
| Keys | Hardware secure element | Non-exportable | Persistent until wiped |