# Threat Model
What Ephemera protects against, what it does not, and why.
## Threats & Mitigations
| Threat | Mitigation |
|---|---|
| Stolen SSH private key | Keys are ephemeral. Certificates expire in minutes, limiting the exposure window. |
| Credential phishing | WebAuthn is phishing-resistant. TOTP is fallback only. |
| Unauthorized privilege escalation | JIT Sudo requires fresh MFA approval per session. Logged centrally. |
| Audit log tampering | Merkle-chained ledger. Remote syslog mirroring to isolated sink. |
| Logic engine bugs | Differential Shadow Evaluation (GateBridge) against dual implementations. 1M iterations passed. |
| CA key compromise | Encrypted at rest. Zero-downtime rotation with multi-CA trust model. |
| Single-point recovery failure | Shamir secret sharing (k-of-n) for backup decryption. |
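The "Merkle-chained ledger" row describes a tamper-evident audit log: each record commits to the hash of the record before it, so rewriting or deleting any earlier entry invalidates every hash after it. The following is an added illustration, not Ephemera's ledger code; the record layout (`prev_hash`, `payload`, `hash`), the genesis anchor and the sample events are assumptions constructed for the demo.

```python
"""Tamper-evident, hash-chained audit ledger (added example, not Ephemera's code).

Each record commits to the previous record's hash, so editing or deleting any
earlier entry breaks verification from that point on. Field names are assumptions."""
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # constructed anchor for the first record's prev_hash


def _canonical(payload: dict) -> bytes:
    # Deterministic serialisation: fixed key order and separators so the same
    # event always hashes to the same digest.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _record_hash(prev_hash: str, payload: dict) -> str:
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(_canonical(payload))
    return h.hexdigest()


def append(ledger: list, payload: dict) -> dict:
    """Append an event; the new record binds to the current tail of the chain."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    rec = {"prev_hash": prev, "payload": payload, "hash": _record_hash(prev, payload)}
    ledger.append(rec)
    return rec


def verify(ledger: list) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad record."""
    expected_prev = GENESIS
    for i, rec in enumerate(ledger):
        if rec["prev_hash"] != expected_prev:
            return i  # link to the previous record is broken (insert/delete/reorder)
        if _record_hash(rec["prev_hash"], rec["payload"]) != rec["hash"]:
            return i  # record contents no longer match their stored digest
        expected_prev = rec["hash"]
    return None


def demo_tamper() -> tuple:
    """Build a small ledger, rewrite one record, and show where verify() fails."""
    ledger = []
    # Constructed sample events: a certificate issuance and two JIT sudo approvals.
    append(ledger, {"ts": 1700000000, "event": "cert.issue", "user": "alice", "ttl_s": 600})
    append(ledger, {"ts": 1700000300, "event": "sudo.approve", "user": "alice", "mfa": "webauthn"})
    append(ledger, {"ts": 1700000420, "event": "sudo.approve", "user": "bob", "mfa": "totp"})
    before = verify(ledger)
    ledger[1]["payload"]["user"] = "mallory"  # silently rewrite history
    after = verify(ledger)
    return before, after  # (None, 1): intact before, record 1 flagged after
```

A local chain alone only detects edits; an attacker with write access to the whole file can recompute every later hash and the chain verifies again. That is why the table pairs the chain with mirroring to an isolated syslog sink: the sink's copy of the head hash is the value the rewritten chain cannot match.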
## Explicit Non-Goals
The following are intentionally excluded from Ephemera's scope:
| Feature | Reason |
|---|---|
| SSH MITM Proxy | Violates end-to-end encryption; adds attack surface. |
| Custom SSH Protocol | Unnecessary complexity. Native OpenSSH is sufficient. |
| Cloud Dependency | Designed for sovereign, air-gapped deployments. |
| Session Replay UI | Recording research is decentralized; no central player planned. |
| QR-Based Shard Recovery | JSON file shards are simpler and more portable. |
| C PAM Module | pam_exec with Python is portable and auditable. |
## Inherent Security Trade-offs
The following behaviors are inherent properties of Ephemera's technical design (time-bound credentials, availability models, and quorum cryptography) and are documented as expected boundaries of the threat model:
- Post-authorization credential persistence: as an inherent property of time-bound credentials, a valid certificate remains authorized until its cryptographic expiry even if the initiating endpoint is subsequently compromised.
- Decoupled availability and issuance: in a sovereign deployment model, the inability to reach the CA server prevents new issuance but does not revoke existing, valid sessions until their natural expiration.
- Quorum-based recovery boundaries: quorum cryptography (k-of-n) technically permits recovery if k custodians collude. This is an intended property of the cryptographic model selected for sovereign disaster recovery.
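The quorum boundary above is a property of Shamir secret sharing itself, not of any particular implementation: any k shares reconstruct the secret, and fewer than k give no information about it. The following added example, which is not Ephemera's recovery code, shows both sides of that boundary with a textbook construction over a prime field; the field size, share format and the `demo_recovery_boundary` helper are assumptions for the demo.

```python
"""Shamir k-of-n secret sharing over a prime field. Added example, not Ephemera's
recovery code: shows that any k shares reconstruct the backup key and k-1 do not."""
import random
from typing import List, Optional, Tuple

PRIME = (1 << 127) - 1  # Mersenne prime; demo field, so secrets must be < PRIME (assumption)


def split(secret: int, k: int, n: int, rng: Optional[random.Random] = None) -> List[Tuple[int, int]]:
    """Return n shares (x, f(x)) of a random degree-(k-1) polynomial with f(0) = secret."""
    if not (1 <= k <= n < PRIME) or not (0 <= secret < PRIME):
        raise ValueError("bad parameters")
    rng = rng or random.SystemRandom()  # CSPRNG for real shares; a seeded Random is for tests only
    coeffs = [secret] + [rng.randrange(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner's rule evaluation of f(x)
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def combine(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0; yields the secret only when len(shares) >= k."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo_recovery_boundary(k: int, n: int, seed: int) -> Tuple[bool, bool]:
    """(do k shares recover the secret?, do k-1 shares?) for a constructed secret."""
    if k < 2:
        raise ValueError("demo needs k >= 2")
    rng = random.Random(seed)  # deterministic so the demo is reproducible
    secret = rng.randrange(PRIME)
    shares = split(secret, k, n, rng)
    quorum = combine(rng.sample(shares, k)) == secret      # any k custodians together
    below = combine(rng.sample(shares, k - 1)) == secret   # k-1 colluders: wrong value
    return quorum, below
```

The `below` branch is the point of the trade-off: k-1 shares still interpolate to *some* value, it is just unrelated to the secret, so the only defence against k colluding custodians is the choice of k, n and who holds the shares.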
## Security Disclosure Philosophy
Certain implementation details are intentionally omitted from public documentation. Ephemera follows a "disclose-the-model, protect-the-keys" philosophy.
## Hardened Decision Logic
Our evaluation engine (Gate0) has been subjected to 1,000,000 differential fuzzing iterations against a reference model without a single divergence. Implementation correctness is a primary security invariant.
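Differential fuzzing of this kind works by feeding the same generated inputs to two independently written evaluators and treating any disagreement as a bug in at least one of them. The following is an added example of the technique, not Gate0 or GateBridge code: the JIT-sudo policy (fresh MFA, membership in a `sudoers` group, unexpired certificate), the 300-second freshness limit and the deliberately off-by-one variant are all assumptions constructed to show how a divergence is surfaced.

```python
"""Differential (shadow) evaluation of a JIT-sudo gate. Added example, not Gate0 or
GateBridge code; the policy rules and freshness limit are assumptions for the demo."""
import random
from dataclasses import dataclass
from typing import Callable, List, Optional

MFA_MAX_AGE_S = 300  # assumption: MFA approval must be at most 5 minutes old


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa_age_s: Optional[int]  # None = no MFA approval in this session
    cert_expired: bool


def gate_a(r: Request) -> bool:
    """Reference model: the policy as one boolean expression."""
    return (r.mfa_age_s is not None
            and 0 <= r.mfa_age_s <= MFA_MAX_AGE_S
            and "sudoers" in r.groups
            and not r.cert_expired)


def gate_b(r: Request) -> bool:
    """Independent implementation: early-return checklist, meant to be equivalent."""
    if r.cert_expired:
        return False
    if "sudoers" not in r.groups:
        return False
    if r.mfa_age_s is None:
        return False
    if r.mfa_age_s < 0 or r.mfa_age_s > MFA_MAX_AGE_S:
        return False
    return True


def buggy_gate(r: Request) -> bool:
    """gate_b with an off-by-one on freshness: accepts an MFA approval one second too old."""
    if r.cert_expired or "sudoers" not in r.groups or r.mfa_age_s is None:
        return False
    return 0 <= r.mfa_age_s <= MFA_MAX_AGE_S + 1  # bug: should be <= MFA_MAX_AGE_S


def random_request(rng: random.Random) -> Request:
    """Constructed input generator; biased toward the freshness boundary."""
    groups = frozenset(g for g in ("users", "sudoers", "ops") if rng.random() < 0.5)
    if rng.random() < 0.2:
        mfa = None
    elif rng.random() < 0.3:
        mfa = rng.choice([MFA_MAX_AGE_S - 1, MFA_MAX_AGE_S, MFA_MAX_AGE_S + 1])
    else:
        mfa = rng.randint(-10, 2 * MFA_MAX_AGE_S)  # negatives model clock skew
    return Request(f"u{rng.randint(0, 9)}", groups, mfa, rng.random() < 0.3)


def differential_fuzz(iterations: int, seed: int = 0,
                      impl_b: Callable[[Request], bool] = gate_b) -> List[Request]:
    """Run both evaluators on the same inputs; return every input where they disagree."""
    rng = random.Random(seed)
    divergences = []
    for _ in range(iterations):
        r = random_request(rng)
        if gate_a(r) != impl_b(r):
            divergences.append(r)
    return divergences


if __name__ == "__main__":
    print("gate_b divergences:", len(differential_fuzz(20000, seed=1)))
    bad = differential_fuzz(20000, seed=1, impl_b=buggy_gate)
    print("buggy_gate divergences:", len(bad), "first:", bad[0] if bad else None)
```

The boundary-biased generator matters: a purely uniform generator would rarely produce `mfa_age_s == 301`, and the off-by-one could survive many iterations unnoticed. Every divergence the fuzzer returns is a concrete, replayable input, which is what makes "zero divergences over N iterations" a meaningful invariant rather than a count.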