# Threat Model

This document describes the threats KayakNet is designed to protect against and its limitations.

## Adversary Types

### Local Passive Adversary

**Description**: Can observe traffic on your local network (ISP, network admin)

**Capabilities**:

* See encrypted traffic to KayakNet peers
* Log connection times and durations
* Measure traffic volumes

**KayakNet Protection**:

* ✅ TLS hides packet contents
* ✅ Onion routing hides destinations
* ✅ Traffic padding obscures patterns
* ⚠️ Can see you're using KayakNet

### Network Adversary

**Description**: Controls some nodes in the network

**Capabilities**:

* Observe traffic through their nodes
* Attempt correlation attacks
* Try to manipulate routing

**KayakNet Protection**:

* ✅ E2E encryption (content protected)
* ✅ 3-hop routing (partial view only)
* ✅ Peer scoring limits malicious nodes
* ⚠️ Can observe timing on any circuit that passes through one of its nodes

### Global Passive Adversary

**Description**: Nation-state level, can observe most internet traffic

**Capabilities**:

* Monitor traffic at multiple points
* Perform traffic correlation
* Long-term analysis

**KayakNet Protection**:

* ✅ Traffic padding and mixing
* ✅ Timing obfuscation
* ⚠️ Statistical correlation possible
* ❌ Cannot fully prevent deanonymization by an adversary that observes enough of the network for long enough

### Active Adversary

**Description**: Can inject, modify, or drop traffic

**Capabilities**:

* Attempt man-in-the-middle
* Block connections
* Inject fake messages

**KayakNet Protection**:

* ✅ Signatures prevent forgery
* ✅ Authentication detects tampering
* ✅ Multiple paths for redundancy
* ⚠️ Can block (but not decrypt)

## Specific Attacks

### Sybil Attack

**Attack**: Create many fake nodes to dominate the network

**Protection**:

* Proof-of-Work required for new nodes
* Peer scoring deprioritizes suspicious behavior
* Diverse peer selection limits impact

**Residual Risk**: Well-resourced attacker could still create many nodes
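The admission check behind "Proof-of-Work required for new nodes", as an added example (not KayakNet's own code): a joining node must find a nonce such that SHA-256 over its public key and the nonce has a given number of leading zero bits, and every accepting peer re-checks that with one hash. Binding the hash to the key is the point: the work cannot be transferred to a second identity. The difficulty constant and the hash construction are assumptions for this example; the page does not state KayakNet's parameters.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// Required leading zero bits in SHA-256(pubkey || nonce). Assumed value for
// this example; the page does not state KayakNet's real difficulty.
const defaultDifficulty = 16

// leadingZeroBits counts the leading zero bits of a digest.
func leadingZeroBits(d []byte) int {
	n := 0
	for _, b := range d {
		if b != 0 {
			return n + bits.LeadingZeros8(b)
		}
		n += 8
	}
	return n
}

// powDigest binds the work to the node's identity: a solution found for
// one public key is worthless for any other key.
func powDigest(pubkey []byte, nonce uint64) []byte {
	var nb [8]byte
	binary.BigEndian.PutUint64(nb[:], nonce)
	h := sha256.New()
	h.Write(pubkey)
	h.Write(nb[:])
	return h.Sum(nil)
}

// SolvePoW is the expensive side, run once by a joining node.
func SolvePoW(pubkey []byte, difficulty int) uint64 {
	for nonce := uint64(0); ; nonce++ {
		if leadingZeroBits(powDigest(pubkey, nonce)) >= difficulty {
			return nonce
		}
	}
}

// VerifyPoW is the cheap side, run by every peer that accepts the node:
// one hash, regardless of how much work the solver spent.
func VerifyPoW(pubkey []byte, nonce uint64, difficulty int) bool {
	return leadingZeroBits(powDigest(pubkey, nonce)) >= difficulty
}

func main() {
	pubkey := make([]byte, 32) // stands in for a node's Ed25519 public key
	if _, err := rand.Read(pubkey); err != nil {
		panic(err)
	}
	nonce := SolvePoW(pubkey, defaultDifficulty)
	fmt.Printf("nonce=%d valid=%v\n", nonce, VerifyPoW(pubkey, nonce, defaultDifficulty))

	// A Sybil operator cannot amortise: the same nonce does not carry over.
	other := make([]byte, 32)
	if _, err := rand.Read(other); err != nil {
		panic(err)
	}
	fmt.Println("same nonce, different key:", VerifyPoW(other, nonce, defaultDifficulty))
}
```

The difficulty sets the price of one identity, which is exactly the residual risk stated above: an attacker with N times the compute of an honest node can afford roughly N identities. Two things a deployment should add that this example omits: bind the puzzle to an epoch or expiry so solutions cannot be precomputed and stockpiled, and raise the difficulty if the measured join rate suggests a flood.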

### Eclipse Attack

**Attack**: Surround a target with malicious nodes

**Protection**:

* Diverse peer selection (by subnet, geography)
* Minimum connections from different sources
* Bootstrap node diversity

**Residual Risk**: Possible if attacker controls network infrastructure
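A peer selector that applies "diverse peer selection (by subnet)" and "minimum connections from different sources", added here as an example and not taken from the KayakNet code base. It caps how many chosen peers may share a /16 (IPv4) or /32 (IPv6), and reports failure when too few distinct groups were reached, so the caller keeps searching instead of accepting a view that one operator could be supplying. The group widths, the candidate addresses and the peer IDs are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// Peer is a candidate learned from bootstrap or gossip.
type Peer struct {
	ID   string
	Addr netip.Addr
}

// diversityKey maps an address to the group it counts against: /16 for
// IPv4, /32 for IPv6. These widths are assumed for the example; the page
// names subnet and geography as criteria without giving sizes.
func diversityKey(a netip.Addr) string {
	a = a.Unmap()
	width := 32
	if a.Is4() {
		width = 16
	}
	p, err := a.Prefix(width)
	if err != nil {
		return a.String()
	}
	return p.String()
}

// SelectDiverse chooses up to want peers, allowing at most perGroup from any
// one group, and reports whether at least minGroups distinct groups were
// reached. A false result means the node should keep looking rather than
// settle for a view that one operator could be supplying entirely.
func SelectDiverse(cands []Peer, want, perGroup, minGroups int) ([]Peer, bool) {
	// Sorted for a reproducible example. A real selector should shuffle with
	// crypto/rand so an adversary cannot predict which candidates win.
	sorted := append([]Peer(nil), cands...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].ID < sorted[j].ID })

	perKey := map[string]int{}
	var chosen []Peer
	for _, p := range sorted {
		k := diversityKey(p.Addr)
		if perKey[k] >= perGroup {
			continue
		}
		perKey[k]++
		chosen = append(chosen, p)
		if len(chosen) == want {
			break
		}
	}
	return chosen, len(perKey) >= minGroups
}

// sampleCandidates is constructed input: five addresses an attacker could
// run from one /16, plus three unrelated peers.
func sampleCandidates() []Peer {
	mk := func(id, ip string) Peer { return Peer{ID: id, Addr: netip.MustParseAddr(ip)} }
	return []Peer{
		mk("atk-1", "10.1.0.1"), mk("atk-2", "10.1.0.2"), mk("atk-3", "10.1.5.9"),
		mk("atk-4", "10.1.200.7"), mk("atk-5", "10.1.33.3"),
		mk("peer-b", "203.0.113.5"), mk("peer-c", "198.51.100.9"), mk("peer-d", "192.0.2.44"),
	}
}

func main() {
	chosen, ok := SelectDiverse(sampleCandidates(), 5, 2, 3)
	for _, p := range chosen {
		fmt.Println(p.ID, p.Addr, diversityKey(p.Addr))
	}
	fmt.Println("diverse enough:", ok)

	_, ok = SelectDiverse(sampleCandidates(), 5, 5, 3)
	fmt.Println("with no per-subnet cap, diverse enough:", ok)
}
```

With the cap, the attacker's five addresses yield only two of the five slots; without it they fill all five and the minimum-groups check is the only thing that flags the eclipse. Subnet grouping is a heuristic, which is why the residual risk above stands: an attacker who controls addresses across many networks, or the infrastructure in between, is not caught by it.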

### Timing Attack

**Attack**: Correlate message timing to identify sender/receiver

**Protection**:

* Random delays on forwarding
* Traffic mixing
* Dummy traffic generation

**Residual Risk**: Statistical correlation with enough observations

### Traffic Analysis

**Attack**: Analyze patterns to infer activity

**Protection**:

* Constant packet size
* Traffic padding
* Mixing pools
* Dummy traffic

**Residual Risk**: Long-term patterns may emerge
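The "constant packet size", "traffic padding" and "dummy traffic" items above, as an added example rather than KayakNet's own framing code: every message is cut into cells of one fixed length, short cells are filled with random bytes, and a dummy cell is simply an empty message that a receiver decodes to nothing. The cell size, the three-byte header layout and the sample message are assumptions for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// CellSize is the only packet length ever sent. Assumed value; the page says
// "constant packet size" without giving it.
const CellSize = 512

// Cell layout: 2-byte payload length, 1-byte more-fragments flag, payload,
// then random filler up to CellSize.
const headerSize = 3
const maxPayload = CellSize - headerSize

var ErrBadCell = errors.New("malformed cell")

// Encode splits a message into fixed-size cells. The filler is random rather
// than zero so padding has no structure of its own, but length hiding only
// holds once the whole cell is encrypted: header and filler must never be
// visible on the wire.
func Encode(msg []byte) ([][]byte, error) {
	var cells [][]byte
	for {
		n := len(msg)
		if n > maxPayload {
			n = maxPayload
		}
		more := len(msg) > n
		cell := make([]byte, CellSize)
		binary.BigEndian.PutUint16(cell[0:2], uint16(n))
		if more {
			cell[2] = 1
		}
		copy(cell[headerSize:headerSize+n], msg[:n])
		if _, err := rand.Read(cell[headerSize+n:]); err != nil {
			return nil, err
		}
		cells = append(cells, cell)
		msg = msg[n:]
		if !more {
			return cells, nil
		}
	}
}

// DummyCell is cover traffic: a zero-length cell that, after encryption, is
// indistinguishable from a real one. Receivers decode it to an empty payload.
func DummyCell() ([]byte, error) {
	cells, err := Encode(nil)
	if err != nil {
		return nil, err
	}
	return cells[0], nil
}

// Decode reassembles a message and rejects streams that are truncated, have
// trailing cells, or claim an impossible length.
func Decode(cells [][]byte) ([]byte, error) {
	var out []byte
	for i, cell := range cells {
		if len(cell) != CellSize {
			return nil, ErrBadCell
		}
		n := int(binary.BigEndian.Uint16(cell[0:2]))
		if n > maxPayload {
			return nil, ErrBadCell
		}
		more := cell[2] == 1
		if more != (i < len(cells)-1) {
			return nil, ErrBadCell
		}
		out = append(out, cell[headerSize:headerSize+n]...)
	}
	return out, nil
}

func main() {
	msg := []byte("constructed sample message, much shorter than one cell")
	cells, err := Encode(msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d-byte message -> %d cell(s) of %d bytes\n", len(msg), len(cells), len(cells[0]))
	back, err := Decode(cells)
	fmt.Printf("roundtrip ok: %v err=%v\n", string(back) == string(msg), err)
}
```

Constant cell size removes the length of an individual message as a signal, not the number of cells: a long message still produces a burst of cells, which is what the mixing and dummy-traffic items exist to blur and why long-term patterns remain a residual risk. The random delays of the timing section are not shown here.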

### Replay Attack

**Attack**: Replay captured messages

**Protection**:

* Nonce tracking
* Timestamp validation
* Sequence numbers

**Residual Risk**: Low. A replay is rejected only while its nonce is still remembered and its timestamp is still inside the acceptance window, so the nonce cache must retain entries for at least the whole window; peers whose clocks drift beyond the allowed skew will have legitimate messages rejected rather than replays accepted
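The three protections above combined into one filter, added as an example and not KayakNet's own implementation: the timestamp check runs first because it bounds how long a captured message stays replayable and therefore how long nonces must be remembered; the nonce set catches exact duplicates inside that window; the per-sender sequence counter catches older messages even after their nonce has been forgotten. The message fields, the window length and the sample message are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Message carries only the fields replay detection needs. Constructed for
// this example; KayakNet's actual wire format is not described on this page.
type Message struct {
	Sender    string    // authenticated peer identity
	Nonce     [16]byte  // fresh random value per message
	Timestamp time.Time // sender's clock at send time
	Seq       uint64    // per-sender counter
}

var (
	ErrStaleTimestamp = errors.New("timestamp outside acceptance window")
	ErrReplayedNonce  = errors.New("nonce already seen")
	ErrOldSequence    = errors.New("sequence number did not increase")
)

// ReplayFilter combines the three checks. The timestamp window is what keeps
// the nonce cache bounded: anything older is rejected without a lookup.
type ReplayFilter struct {
	mu      sync.Mutex
	window  time.Duration          // tolerated skew in either direction
	seen    map[[16]byte]time.Time // nonce -> arrival time
	lastSeq map[string]uint64      // sender -> highest accepted Seq
	Now     func() time.Time       // injectable clock
}

func NewReplayFilter(window time.Duration) *ReplayFilter {
	return &ReplayFilter{
		window:  window,
		seen:    make(map[[16]byte]time.Time),
		lastSeq: make(map[string]uint64),
		Now:     time.Now,
	}
}

// Accept returns nil for a fresh message and records it; any error means drop.
func (f *ReplayFilter) Accept(m Message) error {
	f.mu.Lock()
	defer f.mu.Unlock()
	now := f.Now()

	// 1. Timestamp: bounds how long a captured message stays replayable.
	if d := now.Sub(m.Timestamp); d > f.window || d < -f.window {
		return ErrStaleTimestamp
	}
	f.expire(now)

	// 2. Nonce: exact duplicate inside the window.
	if _, dup := f.seen[m.Nonce]; dup {
		return ErrReplayedNonce
	}

	// 3. Sequence: per-sender monotonic counter catches re-sent older
	//    messages even if they carry a nonce we have already forgotten.
	if last, ok := f.lastSeq[m.Sender]; ok && m.Seq <= last {
		return ErrOldSequence
	}

	f.seen[m.Nonce] = now
	f.lastSeq[m.Sender] = m.Seq
	return nil
}

// expire drops nonces that can no longer pass the timestamp check. Entries
// are keyed by arrival time, and a message may have arrived up to window
// after its own timestamp, so a copy can still pass the timestamp check for
// up to twice the window after arrival; only then is the entry safe to drop.
func (f *ReplayFilter) expire(now time.Time) {
	for nonce, arrived := range f.seen {
		if now.Sub(arrived) > 2*f.window {
			delete(f.seen, nonce)
		}
	}
}

func main() {
	f := NewReplayFilter(5 * time.Minute)
	m := Message{Sender: "peer-A", Timestamp: time.Now(), Seq: 1}
	m.Nonce[0] = 0x42 // constructed; a real sender draws this from crypto/rand
	fmt.Println("first delivery:", f.Accept(m))
	fmt.Println("replayed copy: ", f.Accept(m))
}
```

Two practical caveats. The sequence check as written is strictly monotonic, so legitimate messages that arrive out of order over different paths are dropped too; a deployment that relies on multiple paths for redundancy needs a sliding acceptance window of recent sequence numbers instead. And the linear sweep in expire is fine for an example but should become time-bucketed eviction once the nonce set is large.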

### Denial of Service

**Attack**: Flood network to prevent legitimate use

**Protection**:

* Rate limiting
* Proof-of-Work
* Peer scoring and banning
* Distributed architecture

**Residual Risk**: Localized disruption possible
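"Rate limiting" and "peer scoring and banning" from the list above, combined in one per-peer limiter as an added example (not KayakNet's code): a token bucket admits a burst and then a steady rate, every request pushed past that raises the peer's score, and crossing the threshold bans the peer for a fixed period. The rate, burst, threshold and ban length are assumed values for the example.

```go
package main

import (
	"fmt"
	"math"
	"sync"
	"time"
)

// peerState is the per-peer token bucket plus a misbehaviour score.
type peerState struct {
	tokens      float64
	last        time.Time
	score       int
	bannedUntil time.Time
}

// Limiter enforces a rate limit, scores peers that keep pushing past it, and
// bans them once the score crosses a threshold. Parameters are assumed for
// the example; the page names the mechanisms, not the numbers.
type Limiter struct {
	mu       sync.Mutex
	rate     float64       // tokens refilled per second
	burst    float64       // bucket capacity
	banScore int           // rejected requests before a ban
	banFor   time.Duration // ban length
	peers    map[string]*peerState
	Now      func() time.Time // injectable clock
}

func NewLimiter(rate, burst float64, banScore int, banFor time.Duration) *Limiter {
	return &Limiter{rate: rate, burst: burst, banScore: banScore, banFor: banFor,
		peers: make(map[string]*peerState), Now: time.Now}
}

// Allow reports whether one request from peer may be processed now.
func (l *Limiter) Allow(peer string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.Now()
	s, ok := l.peers[peer]
	if !ok {
		s = &peerState{tokens: l.burst, last: now}
		l.peers[peer] = s
	}
	if now.Before(s.bannedUntil) {
		return false // banned peers get no refill and no further scoring
	}
	// Refill proportionally to elapsed time, capped at burst.
	s.tokens = math.Min(l.burst, s.tokens+now.Sub(s.last).Seconds()*l.rate)
	s.last = now
	if s.tokens >= 1 {
		s.tokens--
		return true
	}
	// Over the limit: each rejected request raises the score. The ban means
	// a sustained flood costs the attacker a fresh identity, which the
	// Proof-of-Work admission listed on this page makes expensive.
	s.score++
	if s.score >= l.banScore {
		s.bannedUntil = now.Add(l.banFor)
		s.score = 0
	}
	return false
}

// Banned reports whether peer is currently banned.
func (l *Limiter) Banned(peer string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	s, ok := l.peers[peer]
	return ok && l.Now().Before(s.bannedUntil)
}

func main() {
	l := NewLimiter(10, 5, 3, time.Minute)
	for i := 1; i <= 9; i++ {
		allowed := l.Allow("flooder")
		fmt.Printf("request %d from flooder: allowed=%v banned=%v\n", i, allowed, l.Banned("flooder"))
	}
	fmt.Println("quiet peer:", l.Allow("quiet"))
}
```

The limiter is per peer identity, which is why it only works together with the Proof-of-Work admission: without a cost per identity an attacker simply rotates identities faster than the ban threshold. It is also local to one node, which is the residual risk stated above: a flood aimed at a single node or region still disrupts that part of the network even when every node applies it.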

## Trust Model

### What You Trust

| Component      | Trust Level  | Justification                |
| -------------- | ------------ | ---------------------------- |
| Your device    | Full         | If compromised, all bets off |
| KayakNet code  | Verify       | Open source, auditable       |
| Bootstrap node | Initial only | Only for discovery           |
| Peers          | None         | Assumed adversarial          |
| Network        | None         | Assumed monitored            |

### What You Don't Trust

* Any single node
* Any network path
* Any external service
* Any other user's identity (unless verified)

## Security Assumptions

1. **Cryptography is sound** - Ed25519, X25519, ChaCha20 are secure
2. **Random numbers are random** - the operating system entropy source behind crypto/rand is properly seeded and not observable by an attacker
3. **Your device isn't compromised** - No malware, keyloggers
4. **Implementation is correct** - No critical bugs

## Known Limitations

### Cannot Protect Against

1. **Compromised endpoints** - If your device is hacked
2. **Physical coercion** - "Rubber hose" cryptanalysis
3. **User error** - Revealing identity through behavior
4. **Quantum computers** - (Future: PQ upgrade planned)
5. **Infinite resources** - Global adversary with unlimited budget

### Metadata Leaks

Even with protection, some metadata exists:

* You're using KayakNet (connection to peers)
* Approximate activity level (traffic volume)
* General online times (connection presence)

### Operational Security

KayakNet protects network traffic, not:

* What you type (keyloggers, screen capture)
* What you view (shoulder surfing)
* What you save (disk forensics)
* What you share (if recipient reveals)

## Recommendations

### High Security Needs

1. Use dedicated device
2. Boot from USB (Tails-like)
3. Use VPN or Tor as additional layer
4. Never reveal real identity
5. Assume everything is monitored

### Standard Use

1. Keep software updated
2. Use strong device security
3. Don't mix anonymous/real identities
4. Clear history when done
5. Use private browsing mode

## Reporting Vulnerabilities

Found a security issue?

1. **Do NOT** disclose publicly
2. Email: <security@kayaknet.io>
3. PGP key available on keyserver
4. We respond within 48 hours
5. 90-day disclosure timeline
