# AIPhone No・where Logicnoid Project — Threat Model

## 1. Product Scope

AIPhone No・where Logicnoid Project is a phone-number non-exposure communication identity and display/session interlock engine.

The product does not expose the original phone number/MSISDN as a communication surface. It maps a text identifier to a non-reversible security token fingerprint, requires Display Ready Proof before session authorization, issues one-time opaque Tunnel Tickets, and records decisions through audit receipts.

## 2. Security Objective

The primary security objective is to prevent unconditional communication-session execution.

A session must not be authorized only because a caller requested it. A session is authorized only when the required evidence chain is complete.

Required evidence chain:

- Text identifier exists
- Original MSISDN is tokenized without raw storage
- Session intent exists
- Callee-side Display Ready Proof exists
- Tunnel Ticket is issued from valid Display Ready Proof
- Session authorization is issued from valid Tunnel Ticket
- Session authorization is consumed once
- Reuse is blocked
- Audit receipt is generated

## 3. Protected Assets

| Asset | Protection Objective |
|---|---|
| Original MSISDN | Must not be stored as plaintext in runtime state or audit logs |
| Text Identifier | Must be normalized and uniquely claimed |
| Internal Token | Must not be exposed externally |
| Token Fingerprint | May be exposed as a non-reversible reference |
| Display Ready Proof | Must be short-lived and single-use for tunnel-ticket issuance |
| Tunnel Ticket | Must be opaque, short-lived, and single-use |
| Session Authorization Handle | Must be opaque, short-lived, and single-use |
| Admin Challenge | Must be short-lived and single-use |
| Admin Session | Must be opaque, short-lived, and bearer-protected |
| Audit Receipt | Must allow retrieval and evidence verification |
| Runtime State | Must not contain raw MSISDN values |

## 4. Trust Boundaries

| Boundary | Description |
|---|---|
| Public Internet to Nginx | Public HTTP/HTTPS request entry point |
| Nginx to Engine | Reverse proxy to localhost engine |
| Engine Runtime State | Local runtime state and audit files |
| Admin Challenge Boundary | Signed challenge verification before admin access |
| Evidence Boundary | Audit receipt creation and retrieval |
| DNS/TLS Boundary | Public domain and certificate validation |

## 5. Data Classification

| Data | Classification | Storage Rule |
|---|---|---|
| Raw MSISDN | Sensitive | Must not be stored |
| HMAC internal token | Secret-derived internal value | Must not be exposed |
| Token fingerprint | Non-reversible reference | May be returned |
| Text identifier | Public or semi-public identifier | May be returned |
| Display proof handle | Sensitive transient handle | Short TTL |
| Tunnel ticket handle | Sensitive transient handle | Short TTL, single-use |
| Session authorization handle | Sensitive transient handle | Short TTL, single-use |
| Admin session handle | Sensitive admin bearer handle | Short TTL |
| Audit receipt | Evidence reference | May be retrieved |

## 6. Threat Actors

| Actor | Capability |
|---|---|
| External attacker | Sends arbitrary public requests |
| Phishing operator | Attempts to initiate deceptive communication sessions |
| Replay attacker | Reuses Display Proof, Tunnel Ticket, or Session Authorization |
| Enumeration attacker | Attempts to discover claimed identifiers or receipts |
| Insider with read access | Attempts to recover raw MSISDN from runtime files |
| Admin attacker | Attempts to access admin readiness without signed challenge |
| Network attacker | Attempts downgrade or interception without TLS |

## 7. STRIDE Analysis

### 7.1 Spoofing

Threat:

An attacker claims or impersonates a text identifier or admin session.

Controls:

- Text identifiers are normalized before claim and resolution.
- Claimed identifiers cannot be claimed again.
- Admin access requires challenge-response signature.
- Admin challenge is single-use and short-lived.
- Admin session handle is opaque and short-lived.

Current status:

- Text Identifier Claim: PASS
- Admin Signed Challenge: PASS
- Protected Admin Readiness: PASS

### 7.2 Tampering

Threat:

An attacker modifies session state, audit state, or attempts to bypass the intended state machine.

Controls:

- Session authorization requires prior session intent.
- Display Ready Proof must match the session intent.
- Tunnel Ticket must match the session intent.
- Session authorization must be consumed once.
- Audit receipt is generated for allow and block decisions.

Current status:

- Display Ready Interlock: PASS
- One-time Tunnel Ticket: PASS
- One-time Session Consume: PASS
- Reuse Block: PASS
- Audit Receipt Creation/Retrieval: PASS
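The interlock these controls describe can be sketched as follows. This is an added example, not the project's engine code: the `Interlock` class, the `CHAIN` table, the reason strings and the 30-second TTL are assumptions chosen for illustration. It shows handles that are bound to one session intent, stored only as digests, burned on first presentation, and receipted on both allow and block.

```python
import hashlib
import secrets
import time

# Each handle kind, once consumed, permits issuing the next; session_auth ends the chain.
CHAIN = {"display_proof": "tunnel_ticket", "tunnel_ticket": "session_auth", "session_auth": None}


def _digest(handle):
    return hashlib.sha256(handle.encode()).hexdigest()


class Interlock:
    def __init__(self, ttl_seconds=30, clock=time.monotonic):
        self.ttl, self.clock = ttl_seconds, clock
        self.live = {}      # digest -> (kind, intent_id, expires_at); raw handles are never stored
        self.receipts = []  # one receipt per allow or block decision

    def _issue(self, kind, intent_id):
        handle = secrets.token_urlsafe(32)  # opaque: encodes nothing about the session
        self.live[_digest(handle)] = (kind, intent_id, self.clock() + self.ttl)
        return handle

    def display_ready(self, intent_id):
        """Callee side reports its display is ready; starts the chain for this intent."""
        return self._issue("display_proof", intent_id)

    def present(self, kind, intent_id, handle):
        """Consume one handle; return (next_handle_or_None, receipt)."""
        # pop() before any check: a second presentation, or a failed one, finds nothing left.
        entry = self.live.pop(_digest(handle or ""), None)
        if entry is None:
            reason = "missing_or_reused"
        elif entry[2] < self.clock():
            reason = "expired"
        elif entry[:2] != (kind, intent_id):
            reason = "wrong_kind_or_intent"
        else:
            reason = "ok"
        receipt = {"id": secrets.token_hex(8), "step": kind, "intent": intent_id,
                   "decision": "allow" if reason == "ok" else "block", "reason": reason}
        self.receipts.append(receipt)
        nxt = CHAIN.get(kind) if reason == "ok" else None
        return (self._issue(nxt, intent_id) if nxt else None), receipt
```

Because the entry is removed before it is validated, a handle presented for the wrong intent is also destroyed, which fails closed at the cost of requiring a fresh Display Ready Proof.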

### 7.3 Repudiation

Threat:

A caller, callee, or admin denies that a security-relevant action occurred.

Controls:

- Security-relevant decisions generate audit receipts.
- Audit receipts are retrievable by receipt id.
- Admin challenge issuance and verification are audited.

Current status:

- Audit Receipt Creation/Retrieval: PASS
- Admin Signed Challenge: PASS

### 7.4 Information Disclosure

Threat:

Raw MSISDN or raw internal secrets are exposed through runtime state, audit logs, API responses, or public files.

Controls:

- MSISDN is HMAC-tokenized.
- API returns tokenFingerprint, not raw internal token.
- Runtime verification checks that test MSISDN values are not stored.
- Tunnel and session handles are opaque.
- Admin session raw server-side handle is not stored as plaintext.

Current status:

- No-raw-MSISDN Tokenization Path: PASS
- Raw MSISDN runtime grep check: PASS
- serverStoresRawTicket: false
- serverStoresRawAdminSession: false
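A sketch of the tokenization path and the runtime check listed above, as an added example rather than the project's implementation. The normalization rule, the fingerprint derivation, the state layout and all function names are assumptions. The MSISDN space is small enough to enumerate, so an unkeyed hash would be reversible by brute force; the keyed HMAC is what keeps a reader of the runtime files, who lacks the key, from recovering numbers.

```python
import hashlib
import hmac
import re


def normalize_msisdn(raw):
    """Strip separators so one number always maps to one token (rule is assumed)."""
    digits = re.sub(r"\D", "", raw)
    if not 7 <= len(digits) <= 15:  # E.164 allows at most 15 digits
        raise ValueError("not a plausible MSISDN")
    return digits


def tokenize(raw_msisdn, key):
    """Return (internal_token, token_fingerprint); the raw number is not kept."""
    token = hmac.new(key, normalize_msisdn(raw_msisdn).encode(), hashlib.sha256).digest()
    # The fingerprint is a hash of the token, so returning it does not reveal the token.
    fingerprint = hashlib.sha256(b"fingerprint-v1" + token).hexdigest()[:32]
    return token, fingerprint


def claim(state, text_id, raw_msisdn, key):
    """Claim a normalized text identifier once, binding it to a fingerprint only."""
    text_id = text_id.strip().lower()
    if text_id in state["claims"]:
        return None  # already claimed: a second claim is refused
    _, fingerprint = tokenize(raw_msisdn, key)
    state["claims"][text_id] = {"tokenFingerprint": fingerprint}
    return fingerprint


def raw_msisdn_leaks(serialized_state, test_msisdns):
    """Runtime check: list test MSISDNs found in the state, as typed or as bare digits."""
    return [m for m in test_msisdns
            if m in serialized_state or normalize_msisdn(m) in serialized_state]
```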

### 7.5 Denial of Service

Threat:

External attackers flood public endpoints or exhaust state storage.

Current controls:

- Short TTLs for transient objects.
- Runtime pruning of expired intents, proofs, tickets, authorizations, challenges, and admin sessions.

Pending controls:

- Rate limiting at Nginx or WAF layer
- Request body size hardening at Nginx
- CloudFront/WAF edge protection
- Structured abuse throttling
- Persistent DB-backed quota control

Current status:

- Basic TTL pruning: PASS
- Advanced DoS hardening: PENDING

### 7.6 Elevation of Privilege

Threat:

A non-admin caller accesses protected admin readiness or administrative endpoints.

Controls:

- Admin readiness requires bearer admin session.
- Admin session requires valid signed challenge.
- Challenge reuse is blocked.
- No unauthenticated admin readiness.

Current status:

- Admin Readiness No-auth Block: PASS
- Admin Challenge Issue: PASS
- Admin Session Verify: PASS
- Admin Challenge Reuse Block: PASS

## 8. Abuse Case Matrix

| Abuse Case | Expected Result | Status |
|---|---|---:|
| Request session without claimed caller | Block | PASS |
| Request session without claimed callee | Block | PASS |
| Issue tunnel ticket without Display Ready Proof | Block | PASS |
| Reuse Display Ready Proof | Block | PASS |
| Reuse Tunnel Ticket | Block | PASS |
| Reuse Session Authorization | Block | PASS |
| Retrieve audit receipt by valid receipt | Allow | PASS |
| Access admin readiness without session | Block | PASS |
| Reuse admin challenge | Block | PASS |
| Store raw test MSISDN in runtime files | Must not occur | PASS |

## 9. Security Controls Implemented

| Control | Status |
|---|---:|
| HTTPS/TLS | PASS |
| Runtime health check | PASS |
| No-raw-MSISDN tokenization | PASS |
| Text identifier claim/resolve | PASS |
| Display Ready Proof | PASS |
| One-time Tunnel Ticket | PASS |
| One-time Session Authorization Consume | PASS |
| Reuse block | PASS |
| Audit receipt retrieval | PASS |
| Admin Signed Challenge | PASS |
| Protected Admin Readiness | PASS |
| OpenAPI contract | PASS |

## 10. Pending Security Controls

| Control | Status |
|---|---:|
| SSH hardening | PENDING |
| Nginx rate limiting | PENDING |
| Nginx request size hardening | PENDING |
| Security headers expansion | PENDING |
| Backup/restore runbook | PENDING |
| Incident response runbook | PENDING |
| External security audit | PENDING |
| Carrier production integration | PENDING |
| Native dialer integration | PENDING |
| Apple CallKit production approval | PENDING |
| Android Telecom Framework production approval | PENDING |

## 11. Non-claims

This threat model does not claim that AIPhone is carrier-integrated.

This threat model does not claim that Apple CallKit or Android Telecom Framework production approval is complete.

This threat model does not claim that an external security audit has been completed.

This threat model does not claim that the current local runtime file storage is the final enterprise persistence layer.

This threat model documents the current production-near engine security posture and the verified evidence chain.

## 12. Production-readiness Interpretation

The current engine demonstrates the core AIPhone security claim:

A communication session is not allowed merely because a caller requested it. The session requires a verified evidence chain, and missing or reused evidence is blocked.

The verified chain is:

MSISDN tokenization without raw storage → text identifier claim → session intent → Display Ready Proof → one-time Tunnel Ticket → session authorization → one-time consume → reuse block → audit receipt.

## 13. Verification Evidence

Verification logs are stored under:

/opt/gnx/aiphone-nowhere/docs/verification

Primary readiness file:

/opt/gnx/aiphone-nowhere/docs/production-readiness-gate.md

OpenAPI contract:

/opt/gnx/aiphone-nowhere/engine/openapi/openapi.yaml

Public OpenAPI URL:

https://logicnoid.kr/openapi.yaml
