# STRIDE Threat Model

55 requirements mapped to controls.

## Requirements
| Requirement | Title | Controls | Owner |
|---|---|---|---|
| WF-S-1 | Attacker replays a stolen JWT to impersonate a user | SID-AUTH-01, SID-AUTH-02 | platform |
| WF-S-2 | Phishing page mimics wallet UI to capture WebAuthn challenge | SID-AUTH-01 | platform |
| WF-I-1 | Session token extracted from sessionStorage via XSS | SID-HARD-05 | platform |
| WF-I-2 | Credential private keys exported from IndexedDB via XSS | SID-CRYPTO-01, SID-HARD-05, SID-KEY-01 | platform |
| WF-T-1 | Attacker modifies WalletStateContainer stored on the backend | SID-DATA-03, SID-CRYPTO-01 | platform |
| WF-R-1 | User denies signing a Verifiable Presentation | SID-CRYPTO-01 | platform |
| WF-D-1 | Flood WebSocket engine to exhaust server connections | SID-HARD-02 | operator |
| WF-E-1 | Attacker uses another tenant's JWT to access user data | SID-ACCESS-01 | platform |
| WF-I-3 | WebAuthn PRF output intercepted during unlock | SID-KEY-01, SID-CRYPTO-02 | platform |
| WF-T-2 | Attacker injects a rogue ECDH public key to re-wrap the main key | SID-CRYPTO-01, SID-CRYPTO-02 | platform |
| WF-E-2 | Attacker forces schema downgrade (v2 → v1) to bypass ECDH wrapping | SID-DATA-03 | platform |
| WB-S-1 | Attacker forges JWT to gain API access | SID-AUTH-02 | platform |
| WB-S-2 | Attacker submits fabricated WebAuthn assertion for registration/login | SID-AUTH-01 | platform |
| WB-T-1 | MITM modifies API request between reverse proxy and backend | SID-TRANS-01 | operator |
| WB-I-1 | Admin token logged at DEBUG level and shipped to log aggregator | SID-AUDIT-02 | platform |
| WB-I-2 | MongoDB user records accessible without encryption at rest | SID-DATA-01 | operator |
| WB-R-1 | Operator denies tenant CRUD actions performed via admin API | SID-AUDIT-01 | platform |
| WB-D-1 | Brute-force WebAuthn login to trigger lockout for legitimate users | SID-HARD-02 | platform |
| WB-D-2 | VCTM registry query flood (port 8097) | SID-HARD-02 | operator |
| WB-E-1 | Cross-tenant data access by manipulating X-Tenant-ID header | SID-ACCESS-01 | platform |
| WB-S-3 | Attacker guesses or brute-forces admin bearer token | SID-AUTH-01, SID-HARD-03 | operator |
| WB-E-2 | Network-reachable admin port grants full tenant/user CRUD | SID-HARD-03 | operator |
| WB-D-3 | Admin API flooded to lock out legitimate administration | SID-HARD-02, SID-HARD-03 | platform |
| WB-S-4 | Attacker runs a rogue AuthZEN endpoint and redirects wallet backend | SID-TRANS-01 | operator |
| WB-E-3 | Attacker calls go-trust /evaluation endpoint directly, bypassing SPOCP firewall | SID-TRUST-02, SID-ACCESS-04 | operator |
| VC-S-1 | External wallet presents forged OID4VCI authorization code | SID-AUTH-04, SID-CRYPTO-01 | platform |
| VC-S-2 | Attacker spoofs facetec-api to inject biometric approval | SID-TRANS-01, SID-AUTH-01 | platform |
| VC-T-1 | Tamper with credential claims between issuer and registry | SID-TRANS-01, SID-TRANS-02 | platform |
| VC-I-1 | PID or biometric data exposed in vc issuer logs | SID-AUDIT-02, SID-DATA-01 | platform |
| VC-R-1 | Holder denies receiving a credential | SID-AUDIT-01 | platform |
| VC-D-1 | OID4VCI token endpoint flooded | SID-HARD-02 | platform |
| VC-E-1 | SPOCP policy bypass on pid_auth credential type | SID-ACCESS-04 | platform |
| VC-I-2 | PKCS#11 HSM PIN exposed in YAML config | SID-KEY-02 | operator |
| VC-I-3 | Software fallback issuer key (PEM file) readable | SID-KEY-02 | platform |
| VC-T-2 | Attacker replaces software PEM key file | SID-KEY-02 | platform |
| TR-S-1 | DNS hijacking returns attacker-controlled trust list URL | SID-TRANS-04 | platform |
| TR-S-2 | BGP hijacking routes ETSI TSL traffic to attacker | SID-TRANS-01, SID-CRYPTO-03 | platform |
| TR-T-1 | Attacker injects malicious entries into fetched trust list | SID-TRUST-02, SID-TRUST-04 | platform |
| TR-I-1 | /evaluation endpoint called externally to learn trust topology | SID-TRUST-02 | operator |
| TR-D-1 | Flood /evaluation endpoint to deny trust decisions | SID-HARD-02 | platform |
| TR-D-2 | External trust service unavailable causes trust resolution failure | SID-TRUST-02 | operator |
| TR-E-1 | Attacker enumerates trust anchor membership via unauthenticated /evaluation | SID-TRUST-02 | operator |
| SP-T-1 | Attacker modifies startup-loaded configuration artifacts on disk | SID-OPS-05, SID-ACCESS-04 | platform |
| SP-E-1 | Malformed S-expression input causes policy bypass | SID-HARD-01, SID-ACCESS-04 | platform |
| SP-R-1 | Operator denies configuration changes | SID-AUDIT-01, SID-OPS-05 | platform |
| FT-S-1 | Attacker replays biometric session token to re-use completed liveness check | SID-AUTH-01 | platform |
| FT-I-1 | Biometric image data (selfie) persisted beyond processing | SID-DATA-01, SID-PRIV-01 | platform |
| FT-I-2 | Biometric data in PostgreSQL accessible without encryption at rest | SID-DATA-01 | operator |
| FT-D-1 | Biometric endpoint flooded to exhaust FaceTec capacity | SID-HARD-02, SID-HARD-07 | platform |
| FT-D-2 | 10 MB selfie upload consumes bandwidth | SID-HARD-07 | platform |
| CC-I-1 | HMAC JWT secrets exposed via misconfigured config/env | SID-KEY-02, SID-OPS-03 | operator |
| CC-R-1 | No platform-wide audit trail for security-relevant events | SID-AUDIT-01, SID-AUDIT-02 | platform |
| CC-D-1 | Kubernetes pod restarts clear in-memory JTI blacklist | SID-AUTH-02, SID-OPS-07 | platform |
| CC-T-1 | Supply-chain attack via compromised dependency | SID-OPS-04 | platform |
| CC-S-1 | Attacker impersonates internal service (no service mesh) | SID-TRANS-01, SID-TRANS-02 | platform |