Security Model
DeadLetter is designed as a trust-minimized dead drop messaging system.
No single component can read or forge messages, even if fully compromised.
This document describes the threat model, trust boundaries, and cryptographic guarantees.
Threat Model
We assume the following adversaries may exist:
| Actor | Capabilities |
|---|---|
| Malicious Backend Operator | Full read/write access to message storage and transport |
| Malicious Registry Operator | Can attempt to forge certificates |
| Network Attacker | Full MITM on all traffic |
| Device Thief | Gains physical access to ESP32 or client computer |
| Passive Observer | Can log IPs, timing, and metadata |
We do not assume any server is honest.
Core Guarantees
DeadLetter provides:
- End‑to‑end encryption — only sender and receiver can read messages
- Forward secrecy — compromise of long‑term keys does not reveal past messages
- No backend trust — backend stores opaque blobs only
- No registry trust — all registry data is signed and verified by clients
- Offline‑safe messaging — sender and receiver never need to be online simultaneously
Key Types
Each identity owns two keypairs:
| Key | Algorithm | Purpose |
|---|---|---|
| Encryption key | X25519 | Message encryption |
| Signing key | Ed25519 | Certificate verification & deletion authorization |
Certificate Chain
- Registry has a root signing key.
- Each user certificate is signed by this root.
- Clients verify:
root_pub -> verifies -> user_cert -> authorizes -> encryption_pub
The backend never sees private keys.
Message Encryption
Every message uses a new ephemeral keypair.
sender_ephemeral_priv + receiver_enc_pub
↓ X25519
shared_secret
↓ HKDF
session_key
↓ AES‑256‑GCM
ciphertext
Salt:
SHA256(ephemeral_pub || receiver_pub)
Message Deletion Authorization
When a user deletes a message, the client signs:
"<message_id>:delete"
using its Ed25519 signing key.
The backend verifies this signature against the registry certificate.
No one else can delete your messages.
Metadata Leakage
DeadLetter intentionally minimizes metadata but cannot eliminate:
- IP addresses (unless Tor used)
- Timing correlations
- Message sizes
Trust Boundaries
| Component | Trusted? |
|---|---|
| Sender device | Yes |
| Receiver device | Yes |
| Backend | No |
| Registry | No |
| Network | No |
Security Properties Summary
| Property | Status |
|---|---|
| Confidentiality | ✅ End‑to‑end |
| Integrity | ✅ Signed + authenticated |
| Authenticity | ✅ Certificate chain |
| Forward Secrecy | ✅ Ephemeral keys |
| Server Compromise Safety | ✅ Backend & registry are untrusted |
| Offline Delivery | ✅ Dead drop model |
DeadLetter is built on the assumption that servers will eventually be hostile.
Your security lives entirely on your devices — and that is exactly the point.