feat: add marketplace metrics, privacy features, and service registry endpoints

- Add Prometheus metrics for marketplace API throughput and error rates with new dashboard panels - Implement confidential transaction models with encryption support and access control - Add key management system with registration, rotation, and audit logging - Create services and registry routers for service discovery and management - Integrate ZK proof generation for privacy-preserving receipts - Add metrics instru
2025-12-22 10:33:23 +01:00
parent d98b2c7772
commit c8be9d7414
260 changed files with 59033 additions and 351 deletions
--- a/docs/reference/threat-modeling.md
+++ b/docs/reference/threat-modeling.md
@ -0,0 +1,286 @@
+# AITBC Threat Modeling: Privacy Features
+
+## Overview
+
+This document provides a comprehensive threat model for AITBC's privacy-preserving features, focusing on zero-knowledge receipt attestation and confidential transactions. The analysis uses the STRIDE methodology to systematically identify threats and their mitigations.
+
+## Document Version
+- Version: 1.0
+- Date: December 2024
+- Status: Published - Shared with Ecosystem Partners
+
+## Scope
+
+### In-Scope Components
+1. **ZK Receipt Attestation System**
+   - Groth16 circuit implementation
+   - Proof generation service
+   - Verification contract
+   - Trusted setup ceremony
+
+2. **Confidential Transaction System**
+   - Hybrid encryption (AES-256-GCM + X25519)
+   - HSM-backed key management
+   - Access control system
+   - Audit logging infrastructure
+
+### Out-of-Scope Components
+- Core blockchain consensus
+- Basic transaction processing
+- Non-confidential marketplace operations
+- Network layer security
+
+## Threat Actors
+
+| Actor | Motivation | Capability | Impact |
+|-------|------------|------------|--------|
+| Malicious Miner | Financial gain, sabotage | Access to mining software, limited compute | High |
+| Compromised Coordinator | Data theft, market manipulation | System access, private keys | Critical |
+| External Attacker | Financial theft, privacy breach | Public network, potential exploits | High |
+| Regulator | Compliance investigation | Legal authority, subpoenas | Medium |
+| Insider Threat | Data exfiltration | Internal access, knowledge | High |
+| Quantum Computer | Break cryptography | Future quantum capability | Future |
+
+## STRIDE Analysis
+
+### 1. Spoofing
+
+#### ZK Receipt Attestation
+| Threat | Description | Likelihood | Impact | Mitigations |
+|--------|-------------|------------|--------|-------------|
+| Proof Forgery | Attacker creates fake ZK proofs | Medium | High | ✅ Groth16 soundness property<br>✅ Verification on-chain<br>⚠️ Trusted setup security |
+| Identity Spoofing | Miner impersonates another | Low | Medium | ✅ Miner registration with KYC<br>✅ Cryptographic signatures |
+| Coordinator Impersonation | Fake coordinator services | Low | High | ✅ TLS certificates<br>⚠️ DNSSEC recommended |
+
+#### Confidential Transactions
+| Threat | Description | Likelihood | Impact | Mitigations |
+|--------|-------------|------------|--------|-------------|
+| Key Spoofing | Fake public keys for participants | Medium | High | ✅ HSM-protected keys<br>✅ Certificate validation |
+| Authorization Forgery | Fake audit authorization | Low | High | ✅ Signed tokens<br>✅ Short expiration times |
+
+### 2. Tampering
+
+#### ZK Receipt Attestation
+| Threat | Description | Likelihood | Impact | Mitigations |
+|--------|-------------|------------|--------|-------------|
+| Circuit Modification | Malicious changes to circom circuit | Low | Critical | ✅ Open-source circuits<br>✅ Circuit hash verification |
+| Proof Manipulation | Altering proofs during transmission | Medium | High | ✅ End-to-end encryption<br>✅ On-chain verification |
+| Setup Parameter Poisoning | Compromise trusted setup | Low | Critical | ⚠️ Multi-party ceremony needed<br>⚠️ Secure destruction of toxic waste |
+
+#### Confidential Transactions
+| Threat | Description | Likelihood | Impact | Mitigations |
+|--------|-------------|------------|--------|-------------|
+| Data Tampering | Modify encrypted transaction data | Medium | High | ✅ AES-GCM authenticity<br>✅ Immutable audit logs |
+| Key Substitution | Swap public keys in transit | Low | High | ✅ Certificate pinning<br>✅ HSM key validation |
+| Access Control Bypass | Override authorization checks | Low | High | ✅ Role-based access control<br>✅ Audit logging of all changes |
+
+### 3. Repudiation
+
+#### ZK Receipt Attestation
+| Threat | Description | Likelihood | Impact | Mitigations |
+|--------|-------------|------------|--------|-------------|
+| Denial of Proof Generation | Miner denies creating proof | Low | Medium | ✅ On-chain proof records<br>✅ Signed proof metadata |
+| Receipt Denial | Party denies transaction occurred | Medium | Medium | ✅ Immutable blockchain ledger<br>✅ Cryptographic receipts |
+
+#### Confidential Transactions
+| Threat | Description | Likelihood | Impact | Mitigations |
+|--------|-------------|------------|--------|-------------|
+| Access Denial | User denies accessing data | Low | Medium | ✅ Comprehensive audit logs<br>✅ Non-repudiation signatures |
+| Key Generation Denial | Deny creating encryption keys | Low | Medium | ✅ HSM audit trails<br>✅ Key rotation logs |
+
+### 4. Information Disclosure
+
+#### ZK Receipt Attestation
+| Threat | Description | Likelihood | Impact | Mitigations |
+|--------|-------------|------------|--------|-------------|
+| Witness Extraction | Extract private inputs from proof | Low | Critical | ✅ Zero-knowledge property<br>✅ No knowledge of witness |
+| Setup Parameter Leak | Expose toxic waste from trusted setup | Low | Critical | ⚠️ Secure multi-party setup<br>⚠️ Parameter destruction |
+| Side-Channel Attacks | Timing/power analysis | Low | Medium | ✅ Constant-time implementations<br>⚠️ Needs hardware security review |
+
+#### Confidential Transactions
+| Threat | Description | Likelihood | Impact | Mitigations |
+|--------|-------------|------------|--------|-------------|
+| Private Key Extraction | Steal keys from HSM | Low | Critical | ✅ HSM security controls<br>✅ Hardware tamper resistance |
+| Decryption Key Leak | Expose DEKs | Medium | High | ✅ Per-transaction DEKs<br>✅ Encrypted key storage |
+| Metadata Analysis | Infer data from access patterns | Medium | Medium | ✅ Access logging<br>⚠️ Differential privacy needed |
+
+### 5. Denial of Service
+
+#### ZK Receipt Attestation
+| Threat | Description | Likelihood | Impact | Mitigations |
+|--------|-------------|------------|--------|-------------|
+| Proof Generation DoS | Overwhelm proof service | High | Medium | ✅ Rate limiting<br>✅ Queue management<br>⚠️ Need monitoring |
+| Verification Spam | Flood verification contract | High | High | ✅ Gas costs limit spam<br>⚠️ Need circuit optimization |
+
+#### Confidential Transactions
+| Threat | Description | Likelihood | Impact | Mitigations |
+|--------|-------------|------------|--------|-------------|
+| Key Exhaustion | Deplete HSM key slots | Medium | Medium | ✅ Key rotation<br>✅ Resource monitoring |
+| Database Overload | Saturate with encrypted data | High | Medium | ✅ Connection pooling<br>✅ Query optimization |
+| Audit Log Flooding | Fill audit storage | Medium | Medium | ✅ Log rotation<br>✅ Storage monitoring |
+
+### 6. Elevation of Privilege
+
+#### ZK Receipt Attestation
+| Threat | Description | Likelihood | Impact | Mitigations |
+|--------|-------------|------------|--------|-------------|
+| Setup Privilege | Gain trusted setup access | Low | Critical | ⚠️ Multi-party ceremony<br>⚠️ Independent audits |
+| Coordinator Compromise | Full system control | Medium | Critical | ✅ Multi-sig controls<br>✅ Regular security audits |
+
+#### Confidential Transactions
+| Threat | Description | Likelihood | Impact | Mitigations |
+|--------|-------------|------------|--------|-------------|
+| HSM Takeover | Gain HSM admin access | Low | Critical | ✅ HSM access controls<br>✅ Dual authorization |
+| Access Control Escalation | Bypass role restrictions | Medium | High | ✅ Principle of least privilege<br>✅ Regular access reviews |
+
+## Risk Matrix
+
+| Threat | Likelihood | Impact | Risk Level | Priority |
+|--------|------------|--------|------------|----------|
+| Trusted Setup Compromise | Low | Critical | HIGH | 1 |
+| HSM Compromise | Low | Critical | HIGH | 1 |
+| Proof Forgery | Medium | High | HIGH | 2 |
+| Private Key Extraction | Low | Critical | HIGH | 2 |
+| Information Disclosure | Medium | High | MEDIUM | 3 |
+| DoS Attacks | High | Medium | MEDIUM | 3 |
+| Side-Channel Attacks | Low | Medium | LOW | 4 |
+| Repudiation | Low | Medium | LOW | 4 |
+
+## Implemented Mitigations
+
+### ZK Receipt Attestation
+- ✅ Groth16 soundness and zero-knowledge properties
+- ✅ On-chain verification prevents tampering
+- ✅ Open-source circuit code for transparency
+- ✅ Rate limiting on proof generation
+- ✅ Comprehensive audit logging
+
+### Confidential Transactions
+- ✅ AES-256-GCM provides confidentiality and authenticity
+- ✅ HSM-backed key management prevents key extraction
+- ✅ Role-based access control with time restrictions
+- ✅ Per-transaction DEKs for forward secrecy
+- ✅ Immutable audit trails with chain of hashes
+- ✅ Multi-factor authentication for sensitive operations
+
+## Recommended Future Improvements
+
+### Short Term (1-3 months)
+1. **Trusted Setup Ceremony**
+   - Implement multi-party computation (MPC) setup
+   - Engage independent auditors
+   - Publicly document process
+
+2. **Enhanced Monitoring**
+   - Real-time threat detection
+   - Anomaly detection for access patterns
+   - Automated alerting for security events
+
+3. **Security Testing**
+   - Penetration testing by third party
+   - Side-channel resistance evaluation
+   - Fuzzing of circuit implementations
+
+### Medium Term (3-6 months)
+1. **Advanced Privacy**
+   - Differential privacy for metadata
+   - Secure multi-party computation
+   - Homomorphic encryption support
+
+2. **Quantum Resistance**
+   - Evaluate post-quantum schemes
+   - Migration planning for quantum threats
+   - Hybrid cryptography implementations
+
+3. **Compliance Automation**
+   - Automated compliance reporting
+   - Privacy impact assessments
+   - Regulatory audit tools
+
+### Long Term (6-12 months)
+1. **Formal Verification**
+   - Formal proofs of circuit correctness
+   - Verified smart contract deployments
+   - Mathematical security proofs
+
+2. **Decentralized Trust**
+   - Distributed key generation
+   - Threshold cryptography
+   - Community governance of security
+
+## Security Controls Summary
+
+### Preventive Controls
+- Cryptographic guarantees (ZK proofs, encryption)
+- Access control mechanisms
+- Secure key management
+- Network security (TLS, certificates)
+
+### Detective Controls
+- Comprehensive audit logging
+- Real-time monitoring
+- Anomaly detection
+- Security incident response
+
+### Corrective Controls
+- Key rotation procedures
+- Incident response playbooks
+- Backup and recovery
+- System patching processes
+
+### Compensating Controls
+- Insurance for cryptographic risks
+- Legal protections
+- Community oversight
+- Bug bounty programs
+
+## Compliance Mapping
+
+| Regulation | Requirement | Implementation |
+|------------|-------------|----------------|
+| GDPR | Right to encryption | ✅ Opt-in confidential transactions |
+| GDPR | Data minimization | ✅ Selective disclosure |
+| SEC 17a-4 | Audit trail | ✅ Immutable logs |
+| MiFID II | Transaction reporting | ✅ ZK proof verification |
+| PCI DSS | Key management | ✅ HSM-backed keys |
+
+## Incident Response
+
+### Security Event Classification
+1. **Critical** - HSM compromise, trusted setup breach
+2. **High** - Large-scale data breach, proof forgery
+3. **Medium** - Single key compromise, access violation
+4. **Low** - Failed authentication, minor DoS
+
+### Response Procedures
+1. Immediate containment
+2. Evidence preservation
+3. Stakeholder notification
+4. Root cause analysis
+5. Remediation actions
+6. Post-incident review
+
+## Review Schedule
+
+- **Monthly**: Security monitoring review
+- **Quarterly**: Threat model update
+- **Semi-annually**: Penetration testing
+- **Annually**: Full security audit
+
+## Contact Information
+
+- Security Team: security@aitbc.io
+- Bug Reports: security-bugs@aitbc.io
+- Security Researchers: research@aitbc.io
+
+## Acknowledgments
+
+This threat model was developed with input from:
+- AITBC Security Team
+- External Security Consultants
+- Community Security Researchers
+- Cryptography Experts
+
+---
+
+*This document is living and will be updated as new threats emerge and mitigations are implemented.*